Thanks for your reply.

On Thursday, September 18, 2014 2:51:48 PM UTC-4, Josh Smift wrote:
> Keep in mind that there are two things here: The user you run Ansible
> as, and the remote user that Ansible acts as on the target systems. One
> thing you can do is set remote_user to 'ansible', and then put your
> admins' public keys in the 'ansible' user's authorized_keys file on the
> target systems; then each can run Ansible as themselves, but Ansible acts
> as 'ansible' on the target systems.

I've chosen this approach. It seems like I also need to set ansible_ssh_user because remote_user doesn't seem to influence which SSH user is used when connecting. That is, unless I specify ansible_ssh_user in my inventory, though I have remote_user=ansible in my playbook, ansible-playbook wants to connect using the username of my local user. Do I need to use ansible_ssh_user in addition to remote_user?

> I'm not sure if that's better, from a best practices point of view, than
> also having a shared *private* key for the 'ansible' user, having the
> 'ansible' user's authorized_keys file on the target systems contain only
> the pubkey corresponding to that shared key, and have the admins run
> Ansible as the 'ansible' user (e.g. 'sudo -u ansible ansible-playbook etc
> etc'). I imagine it depends on your environment, and that there are
> arguments either way.
>
> -Josh
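
An added example, not part of the thread: a small audit of the shared 'ansible' account's authorized_keys file from the quoted suggestion, listing each admin key by comment and fingerprint and flagging key material that appears under two names. The sample file, the owner comments and the helper names are constructed for illustration, and options containing spaces are not handled.

```python
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")

def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text):
    """Return (entries, duplicates) for the contents of an authorized_keys file."""
    entries, seen, duplicates = [], {}, []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (from="...", command="...") may precede the key type.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue  # not a recognisable key line
        owner = " ".join(fields[idx + 2:]) or "(no comment)"
        fp = fingerprint(fields[idx + 1])
        if fp in seen:
            # Same key under two names: per-admin attribution is lost.
            duplicates.append((seen[fp], owner))
        else:
            seen[fp] = owner
        entries.append({"owner": owner, "fingerprint": fp,
                        "options": " ".join(fields[:idx])})
    return entries, duplicates

def sample_key(seed, comment, options=""):
    # Constructed ed25519-shaped blob: valid wire format, not a real key.
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    prefix = options + " " if options else ""
    return prefix + "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

SAMPLE = "\n".join([
    "# constructed sample: ~ansible/.ssh/authorized_keys",
    sample_key(1, "alice@admin"),
    sample_key(2, "bob@admin", 'from="10.0.0.5"'),
    sample_key(1, "shared@jump"),  # same key material as alice
])

if __name__ == "__main__":
    found, dups = audit(SAMPLE)
    for e in found:
        print(e["owner"], e["fingerprint"], e["options"])
    print("duplicate key material:", dups)
```
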
