Skip to content

Security reference

Paramiko dependency floor

Automax requires paramiko>=5.0.0,<6.0 so SSH transport uses the supported Paramiko dependency line and avoids RSA/SHA-1 handling that is not suitable for modern SSH deployments alerts. Keep the lower bound at or above 5.0.0 unless a future security review explicitly changes it.

SSH host keys

Production inventories should reject unknown host keys:

ssh:
  known_hosts: ~/.ssh/known_hosts
  missing_host_key_policy: reject

Unknown host keys are rejected. For lab hosts, scan the host key to a dedicated known-hosts file before running Automax:

automax ssh known-hosts scan --host lab01.example.com --output ~/.ssh/automax_known_hosts

The scanner prints SHA256 fingerprints for verification over a trusted channel. For inventories, scan the selected targets without running a job:

automax ssh known-hosts scan \
  --inventory inventory/prod.yaml \
  --limit web \
  --output ~/.ssh/automax_known_hosts
ssh:
  known_hosts: ~/.ssh/automax_known_hosts
  missing_host_key_policy: reject

Private key permissions

Automax checks private key permissions by default. Use:

chmod 600 ~/.ssh/id_ed25519

rather than disabling the check.

Agent and key discovery

For predictable automation, prefer explicit settings:

ssh:
  allow_agent: false
  look_for_keys: false
  key_file: ~/.ssh/id_ed25519

Secrets

Secret providers are env, file, command, vault, aws_secrets_manager, azure_key_vault, gcp_secret_manager and onepassword.

secrets:
  token:
    provider: env
    name: AUTOMAX_TOKEN

  deploy_token:
    provider: vault
    path: secret/prod/app
    field: deploy_token

  db_password:
    provider: aws_secrets_manager
    secret_id: prod/db
    json_key: password
    region: eu-west-1

Resolved secret values are masked before stdout, stderr, messages, structured result data and artifacts are persisted to the run state.

Command and external secret manager providers run on the controller. Prefer list-form commands for custom helpers and keep shell: false unless a trusted local helper explicitly needs shell features. Provider errors intentionally do not include captured stdout or stderr.

Sudo

Many remote plugins accept sudo: true. Use it only on the substeps that require privilege escalation. Keep non-privileged checks non-privileged.