08-20-2023 08:48 PM
Hello,
I wanted to add config changes to Cisco IOS XE.
When an enable password is also set up on the node, how is Ansible able to access the privileged level to add, for example, a loopback interface?
I found the following.
vars/ios.yml
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: myuser
ansible_password: !vault...
ansible_become: true
ansible_become_method: enable
ansible_become_password: !vault...
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion01"'
However, I am wondering what the best practice is to get into Enable Mode (Privilege Escalation).
Thanks,
Netmart
08-20-2023 10:23 PM
Hi Netmart
What you found is how it's done - regarding the enable password (and any other password) - best practice is using a vault encrypted password (like in your example) or getting the password from an environment variable (in the example the enable password is stored in the variable EN_PASSWORD):
ansible_become: true
ansible_become_method: enable
ansible_become_password: "{{ lookup('ansible.builtin.env', 'EN_PASSWORD') }}"
10-01-2023 10:01 PM
Hi Marcel.
I chose the path of creating Vault file containing the encrypted password:
vars_files:
  - /home/ciscoUser/Ansible/vault_password.yml
vars:
  ansible_become_pass: "{{ vault_sudo_password }}"
  ansible_python_interpreter: /usr/bin/python3
Thanks,
Martin
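A pre-commit style check for the practice discussed in this thread (login and enable passwords kept vault-encrypted or read from the environment, never stored as literals), as an added example that is not part of any post above. The sample vars text, its password value and the SSH_PASSWORD variable name are constructed for illustration.

```python
import re

# Ansible connection/become credential variables that must not hold a literal.
SECRET_KEYS = {
    "ansible_password", "ansible_ssh_pass",
    "ansible_become_password", "ansible_become_pass",
}
KEY_VALUE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")

# Constructed sample: one vaulted password, one env lookup, one plaintext secret.
SAMPLE_VARS = """\
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: cisco.ios.ios
ansible_user: myuser
ansible_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  <constructed ciphertext placeholder>
ansible_become: true
ansible_become_method: enable
ansible_become_password: Enable123
ansible_ssh_pass: "{{ lookup('ansible.builtin.env', 'SSH_PASSWORD') }}"
"""


def is_protected(value):
    """True if the value is vault-encrypted or a Jinja2 expression resolved at run time."""
    value = value.strip().strip("'\"").strip()
    if value.startswith("!vault"):
        return True
    # A template only defers the question: the referenced variable (for
    # example one defined in a vault file) still has to be encrypted itself.
    return value.startswith("{{") and value.endswith("}}")


def find_plaintext_secrets(text):
    """Return (line_number, key) for every credential variable set to a literal."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match:
            continue  # comments, list items, vault ciphertext lines
        key, value = match.groups()
        if key in SECRET_KEYS and value and not is_protected(value):
            findings.append((number, key))
    return findings


if __name__ == "__main__":
    for number, key in find_plaintext_secrets(SAMPLE_VARS):
        print(f"line {number}: {key} is stored in plaintext")
```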