[_frkl]

How does saltstack do tasks that require root access? Use the root user directly?

[bifrost]

Correct, the minion runs as root and doesn't require interactive ssh access. Its controlled by a remote master that you ideally properly protect.

[throwaway_391]

So it's a less audited application than *SSH that the author is recommending over SSH because it doesn't require user authentication but runs in a daemon with root privs?

[bifrost]

Not quite. In this case Ansible is enabled by a user logging into the system; The user should not be allowed to login to the system in the first place. Ideally you want your configuration system indepenent of user logins. Ansible has its place, my argument is that it doesn't belong here.