
How do you set up your Linux/Unix machines to be scripting friendly without compromising security? [closed]

I’d like to know what the best practices are for setting up a machine in a way that is “scripting friendly”. What I mean by that is that you can programmatically and remotely execute commands to configure and provision the machine. In my case, I want to use Ansible.

Ideally what we want is to have ssh access via a non-root user and then “become” root via sudo when necessary. But, is that an accepted and secure way to configure a Linux/Unix machine for that purpose?

I am asking because that is not what I am seeing on some of the machines I want to run Ansible on. Most of the time, sudo requires you to enter your user password. Some other times 2FA is enabled. In that context, Ansible is unusable.

When I ask sysadmins to change the setup to the “ideal setup” (sudo without password) they don’t do it on the basis of security. Is that a valid security concern? And, if it is, what do you do then to run Ansible or any other provisioning system?

Thank you.