Set Up Ansible with Kerberos on a PHX Development Desktop

In the air-gapped PHX domain, Kerberos is used for secure authentication. This extends to the Ansible Development Environment, which runs on an Ubuntu 22/24-based desktop. Kerberos offers convenience and security, especially when combined with forwardable tickets, eliminating the need for repeated password prompts.
Categories:
Tags:

Overview

The Ansible development environment in the air-gapped PHX domain differs from the open-source PHX Development Environment (PXD). The PXD is fully open-source and part of the C2 Platform initiative. It uses Vagrant and Ansible without Kerberos, making it easier for quick setup and testing. In contrast, the PHX environment relies on Kerberos for authentication and vRA for infrastructure provisioning, without Vagrant. This setup is less suited for rapid Ansible development, as it lacks features like easy VM creation, snapshots, and automated environment management. For this reason, it’s often referred to as a “pseudo” development environment, involving more manual steps.

This guide explains how to simulate the PHX Ansible development environment locally. You’ll set up an Ubuntu 22.04 desktop VM named pxd-ubuntu-devtop using Vagrant and Ansible. Once provisioned, connect to it via SSH or Remmina (for RDP access). From there, perform Ansible tasks in this sandbox using Kerberos authentication, mirroring the PHX domain setup.

This simulation enables developers to test Ansible playbooks in a controlled, Kerberos-enabled environment without needing access to the actual air-gapped PHX domain. It emphasizes security best practices, such as using forwardable Kerberos tickets for seamless multi-hop authentication, while maintaining isolation for development and testing.

Prerequisites

Before starting, ensure you have the following:

  • Setting Up the PHX Development Environment on Ubuntu 22.04: Set up your Ansible development desktop with Ansible, Vagrant, LXD, and VirtualBox on Ubuntu 22.04. Clone the PHX project directories to extend the base C2 development environment. Use this setup to configure essential base services, including the Microsoft AD domain controller and reverse proxy. Finally, access web-based services in the environment via a Firefox profile using the forward proxy for sandboxed access.
  • Setting Up an Ansible Development Desktop: This guide details the steps to set up an Ansible Development Desktop using Ubuntu 22 that is similar to the desktop used within PHX domain.

Step 1: Connect to Ansible Development Desktop

Using Remmina, log in as tony with your password (e.g., Supersecret! for testing).

Install required packages for Kerberos and Python development:

sudo apt install krb5-user libkrb5-dev python3-dev

Verify the Kerberos configuration tool version:

krb5-config --version
Show me
tony@pxd-ubuntu-devtop:~$ krb5-config --version
Kerberos 5 release 1.19.2

Check your current Kerberos tickets:

klist
Show me
tony@pxd-ubuntu-devtop:~$ klist
Ticket cache: FILE:/tmp/krb5cc_747001104_4yJsHO
Default principal: tony@C2.ORG

Valid starting       Expires              Service principal
07/24/2025 11:06:24  07/24/2025 21:06:24  krbtgt/C2.ORG@C2.ORG
	renew until 07/25/2025 11:06:24

Step 2: Customize Your Terminal

Create a file for Bash aliases to simplify your workflow and improve productivity:

nano ~/.bash_aliases

Add the following content (customize GIT_USER and GIT_MAIL as needed):

export ANSIBLE_INVENTORY=hosts-kerberos.ini
export EDITOR=nano
export GIT_USER='tclifton'
export GIT_MAIL='tony.clifton@dev.c2platform.org'
alias python='python3'
alias pip='pip3'
alias phx-env='source ~/.virtualenv/pxd/bin/activate'
alias phx-home='cd ~/git/gitlab/c2/ansible-phx'
alias phx='phx-home && phx-env'
alias phx-roles='phx && ansible-galaxy install -r roles/requirements.yml --force --no-deps -p roles/external'
alias phx-collections='phx && ansible-galaxy collection install -r collections/requirements.yml -p .'
alias phx-vault='ansible-vault edit secret_vars/development/main.yml'
# Function to securely set the Ansible Vault password.
# Call this in your shell session with: set_vault_password
# It will prompt for the passphrase and export it to PX_ANSIBLE_VAULT_PASSWORD.
# The password will remain set for the duration of the shell session.
function phx-vault-password() {
    local password
    echo -n "Enter Ansible Vault passphrase: " >&2
    read -s password
    echo >&2  # Add a newline after the hidden input
    export PX_ANSIBLE_VAULT_PASSWORD="$password"
    echo "PX_ANSIBLE_VAULT_PASSWORD has been set for this shell session." >&2
}
export ANSIBLE_VAULT_PASSWORD_FILE=/usr/local/bin/vault-client.sh
export C2_HTTPS_SSH=https  # Use HTTPS for SSH operations
history -s ansible -i hosts.ini -m win_ping pxd-ad
history -s ansible -i hosts.ini -m ping pxd-rproxy1

These aliases streamline common tasks, such as activating the virtual environment, navigating to project directories, and managing Ansible installations.

Step 3: Set Up Python Virtual Environment

Create a Python 3 virtual environment for Ansible to ensure isolation, stability, and reproducibility:

sudo apt update
sudo apt install virtualenv -y
mkdir ~/.virtualenv
DEB_PYTHON_INSTALL_LAYOUT='deb' virtualenv ~/.virtualenv/pxd -p python3

This setup prevents conflicts with system-wide Python packages and aligns with best practices for development environments.

Step 4: Clone Projects

Load your Bash configuration and install required tools:

source ~/.bashrc
sudo apt install git curl -y
curl -s -L https://gitlab.com/c2platform/phx/ansible/-/raw/master/clone.sh | bash

As a security best practice, always review the contents of scripts like clone.sh before executing them via curl and bash. Download and inspect the script first to ensure it aligns with your security standards.

Step 5: Install Ansible and Ansible Roles/Collections

Activate the environment and install dependencies:

source ~/.bashrc
phx
pip install -r requirements.txt

Use the predefined aliases to install Ansible collections and roles:

phx-collections
phx-roles

This step ensures all required Ansible components are installed in the virtual environment, promoting scalability and consistency.

Step 6: Set Ansible Vault Password

phx
phx-vault-password

For more details, see:

This securely handles sensitive data, following best practices for secret management in Ansible.

Step 7: Ansible Ping

Verify the setup by pinging a Windows host:

ansible -m win_ping pxd-ad
Show me
(pxd) tony@pxd-ubuntu-devtop:~/git/gitlab/c2/ansible-phx$ ansible -m win_ping pxd-ad
[WARNING]: Collection ansible.windows does not support Ansible version 2.15.3
pxd-ad | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Step 8: Ansible Provision

phx
ansible-playbook plays/mgmt/ad.yml

This step applies the Ansible playbook to provision resources, simulating PHX operations in your local environment.

Additional Information


Last modified August 27, 2025: phx devtop C2-633 (98261a8)