Secure Communication and Transport Security
Ansible's communication security depends on the underlying transport mechanisms – typically SSH for Linux/Unix systems and WinRM for Windows. Securing these transports prevents eavesdropping, man-in-the-middle attacks, and unauthorized access during automation execution.
SSH hardening for Ansible means balancing security against operational requirements. Modern OpenSSH only speaks protocol version 2, but confirm that no legacy appliance in the inventory still offers version 1; restrict sshd on the managed hosts (and the ssh client on the control node) to modern key-exchange, cipher and MAC algorithms; and enable strict host key checking. Strict checking has an operational consequence: the control node's known_hosts must be seeded out of band, for example from fingerprints recorded at provisioning, because with StrictHostKeyChecking=yes the ssh client refuses an unknown key outright rather than prompting. Throttle unauthenticated connection attempts on the managed hosts (sshd's MaxStartups and MaxAuthTries, or a ban tool such as fail2ban) at a level that does not starve Ansible: with ControlMaster/ControlPersist each host sees one multiplexed connection per run rather than a new connection per task, and the forks setting bounds how many hosts are contacted at once.
# ansible.cfg security configurations
[defaults]
# Refuse hosts whose key is not already in known_hosts; seed known_hosts out of band
host_key_checking = True
retry_files_enabled = False
gathering = smart
# Cached facts can contain sensitive data (environment variables, mounts, local users);
# keep them out of world-writable /tmp and in a directory owned by the control user
fact_caching = jsonfile
fact_caching_connection = ~/.ansible/facts
fact_caching_timeout = 86400

[ssh_connection]
# Pass the host key policy to the ssh client as well; ControlPersist reuses one
# multiplexed connection per host so sshd-side throttling does not hit Ansible
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=yes
# Pipelining reduces round trips; it requires 'requiretty' to be off in sudoers
pipelining = True
# Control sockets in a world-writable /tmp invite symlink tricks; use the
# control user's own directory (this is also Ansible's default)
control_path_dir = ~/.ansible/cp

[paramiko_connection]
# Only honoured by the paramiko connection plugin; it is ignored under [defaults]
host_key_auto_add = False

[privilege_escalation]
become = False
become_method = sudo
become_ask_pass = False
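The server side of the SSH hardening described above, as an added example that is not part of the original page: a playbook that deploys a hardened sshd_config drop-in and validates it with `sshd -t` before it is written, so a typo cannot lock the control node out. It assumes an OpenSSH release whose main sshd_config includes `/etc/ssh/sshd_config.d/*.conf` (Ubuntu 22.04+, RHEL 9+), a systemd-managed `sshd` service, and an inventory group named `linux`; the algorithm lists are one defensible choice, not the only one.

```yaml
# Added example, not the original page's code. Assumes OpenSSH with
# 'Include /etc/ssh/sshd_config.d/*.conf' in the main config and a
# service named sshd; group name 'linux' is a placeholder.
- name: Harden sshd on Ansible-managed Linux hosts
  hosts: linux
  become: true
  vars:
    sshd_dropin: /etc/ssh/sshd_config.d/10-hardening.conf
  tasks:
    - name: Ensure the drop-in directory exists
      ansible.builtin.file:
        path: /etc/ssh/sshd_config.d
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Install hardened sshd settings (syntax-checked before install)
      ansible.builtin.copy:
        dest: "{{ sshd_dropin }}"
        owner: root
        group: root
        mode: "0600"
        # copy writes to a temp file, runs this check on it, and only then
        # moves it into place; a broken config never reaches sshd
        validate: /usr/sbin/sshd -t -f %s
        content: |
          # Key exchange, ciphers and MACs: AEAD / encrypt-then-MAC only
          KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
          HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
          # Automation authenticates with keys only
          PubkeyAuthentication yes
          PasswordAuthentication no
          KbdInteractiveAuthentication no
          PermitRootLogin no
          # Throttle unauthenticated connections: start dropping 30% of new
          # attempts at 10 pending, drop all at 60. Ansible is unaffected
          # because ControlPersist keeps one authenticated session per host.
          MaxStartups 10:30:60
          MaxAuthTries 3
          LoginGraceTime 20
          # Drop idle sessions left behind by interrupted runs
          ClientAliveInterval 300
          ClientAliveCountMax 2
      notify: Reload sshd

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
```

Run it with `--limit` on one host first and keep a second interactive session open while the reload happens; `sshd -t` catches syntax errors but not a policy that locks out the key type or user the control node actually uses.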
WinRM for Windows automation should run over HTTPS (port 5986) with a listener certificate issued by a CA the control node trusts, and the control node should validate that certificate rather than switching validation off. Prefer Kerberos authentication, which requires the hosts to be addressed by their DNS names, a reachable KDC, and the Kerberos extras for pywinrm on the control node (`pip install pywinrm[kerberos]`); fall back to NTLM only where Kerberos is unavailable, such as non-domain hosts. Certificate-based authentication removes passwords from the inventory entirely, with one important caveat: WinRM maps a client certificate to a local account on the target, not to a domain account, so it suits standalone or DMZ hosts rather than a domain-joined fleet.
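The inventory side of the WinRM configuration described above, as an added example that is not part of the original page: a YAML inventory in which every Windows host uses HTTPS with certificate validation, domain-joined hosts authenticate with Kerberos only, and a standalone DMZ host uses client-certificate authentication. Host names, the realm, the service account and all file paths are placeholders.

```yaml
# Added example, not the original page's code. All names and paths are
# placeholders; the CA bundle and client certificate/key are assumed to
# exist on the control node with owner-only permissions.
# inventory/windows.yml
windows:
  vars:
    ansible_connection: winrm
    ansible_port: 5986
    ansible_winrm_scheme: https
    # Validate the listener certificate against an explicit CA bundle;
    # 'ignore' is acceptable only in a throwaway lab
    ansible_winrm_server_cert_validation: validate
    ansible_winrm_ca_trust_path: /etc/ansible/pki/windows-ca.pem
  children:
    windows_domain:
      hosts:
        app01.corp.example.com:
        app02.corp.example.com:
      vars:
        # Kerberos only: a connection that cannot use Kerberos fails instead of
        # silently downgrading. Use ['kerberos', 'ntlm'] only where a fallback
        # is genuinely required.
        ansible_winrm_transport: kerberos
        # Reuse a ticket obtained out of band (e.g. kinit -kt svc-ansible.keytab)
        # rather than storing a password for Ansible to feed to kinit
        ansible_winrm_kinit_mode: manual
        ansible_user: svc-ansible@CORP.EXAMPLE.COM
    windows_standalone:
      hosts:
        dmz-web01.example.com:
      vars:
        # Client-certificate auth: no password anywhere, but WinRM maps the
        # certificate to a LOCAL account on the target, not a domain account
        ansible_winrm_transport: certificate
        ansible_winrm_cert_pem: /etc/ansible/pki/svc-ansible.crt
        ansible_winrm_cert_key_pem: /etc/ansible/pki/svc-ansible.key
```

Check the result with `ansible windows -i inventory/windows.yml -m ansible.windows.win_ping`: a Kerberos host whose clock drifts or whose name does not match its service principal fails here, which is the desired outcome rather than a silent NTLM retry.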