Reputation: 127
changing password with ansible on older systems
I need to change the password on a user for over a hundred system. I want to do this with ansible. Which is easy. However the user module on ansible requires a hashed password. I am concerned because there are a few older hosts which may not support newer types of hashing. I want to be able to programmatically identify what password hashing algorithms are available, and use the appropriate password hash to change. Or is there perhaps a better way to handle this whole sale.
I have considered the following:
echo username:password | chpasswd
and run that using the command module. That should use whatever the default algorithm is. Is there any cause for concern with this method?
Upvotes: 0
Views: 287
Answers (1)
Reputation: 1309
In my mind, the ideal way would be to figure the supported hashes for each machine and then generate the proper hash for each machine.
The approach you list should work Just make sure you at "no_log: yes" to your task to ensure the password doesn't end up in the log file.
With either approach you're going to need have a way of getting the password(s) into ansible to use with the user module. Not sure if the passwords will be in a CSV file, yaml file or some other format. You could consider using vault to lock things down a bit more.
Upvotes: 2
Related Questions
- Safely limiting Ansible playbooks to a single machine?
- How to create a directory using Ansible
- Specify sudo password for Ansible
- Adding users in ansible and enforcing password change, resets user's password when adding new user
- How to chain two Ansible module in one task
- ansible replace `--ask-pass` with a vaulted password
- Logging in with username/password (fetched from an API) in an Ansible playbook