Security reference
Paramiko dependency floor
Automax requires paramiko>=5.0.0,<6.0 so SSH transport uses the
supported Paramiko dependency line and avoids RSA/SHA-1 handling that is not suitable for modern SSH deployments
alerts. Keep the lower bound at or above 5.0.0 unless a future security review
explicitly changes it.
SSH host keys
Production inventories should reject unknown host keys:
ssh:
known_hosts: ~/.ssh/known_hosts
missing_host_key_policy: reject
Unknown host keys are rejected. For lab hosts, scan the host key to a dedicated known-hosts file before running Automax:
automax ssh known-hosts scan --host lab01.example.com --output ~/.ssh/automax_known_hosts
The scanner prints SHA256 fingerprints for verification over a trusted channel. For inventories, scan the selected targets without running a job:
automax ssh known-hosts scan \
--inventory inventory/prod.yaml \
--limit web \
--output ~/.ssh/automax_known_hosts
ssh:
known_hosts: ~/.ssh/automax_known_hosts
missing_host_key_policy: reject
Private key permissions
Automax checks private key permissions by default. Use:
chmod 600 ~/.ssh/id_ed25519
rather than disabling the check.
Agent and key discovery
For predictable automation, prefer explicit settings:
ssh:
allow_agent: false
look_for_keys: false
key_file: ~/.ssh/id_ed25519
Secrets
Secret providers are env, file, command, vault, aws_secrets_manager, azure_key_vault, gcp_secret_manager and onepassword.
secrets:
token:
provider: env
name: AUTOMAX_TOKEN
deploy_token:
provider: vault
path: secret/prod/app
field: deploy_token
db_password:
provider: aws_secrets_manager
secret_id: prod/db
json_key: password
region: eu-west-1
Resolved secret values are masked before stdout, stderr, messages, structured result data and artifacts are persisted to the run state.
Command and external secret manager providers run on the controller. Prefer
list-form commands for custom helpers and keep shell: false unless a trusted
local helper explicitly needs shell features. Provider errors intentionally do
not include captured stdout or stderr.
Sudo
Many remote plugins accept sudo: true. Use it only on the substeps that require
privilege escalation. Keep non-privileged checks non-privileged.