Roy Tan

Reputation: 131

Ansible update user password

ansible 192.168.1.115 -s -m shell -a "echo -e 'oldpassword\nnewpassword\nnewpassword' | passwd myuser" -u myuser --ask-sudo-pass

I would like to update an existing user with a new password. I tried this command, but it doesn't work.

Appreciate any tips!

Upvotes: 8

Views: 39320

Answers (3)

BOUKANDOURA Mhamed

Reputation: 1081

Update password for a list of hosts using dynamic variables:

In your inventory file, set a variable (pass) as follows:

 ip_1@ ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='aaaa'
 ip_2@ ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='bbbb'

Now in the playbook we make a backup of the shadow file and set a cron task to restore the shadow file in case something goes wrong, then we update the password:

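- hosts: your_hosts
  gather_facts: no
  tasks:
    - name: backup shadow file
      copy:
        src: /etc/shadow
        dest: /etc/shadow.org
        remote_src: yes   # copy on the managed host, not from the controller
        mode: '0600'      # the backup holds password hashes; keep it root-only
      become: yes

    - name: set cron for backup
      cron:
        name: restore shadow
        hour: 'AT LEAST GIVE YOURSELF ONE HOUR TO BE ABLE TO CALL THIS OFF'
        minute: '*'       # quoted: a bare * is not valid YAML
        # restore from the backup path written by the task above
        job: "yes | cp /etc/shadow.org /etc/shadow"
      become: yes

    - name: generate hash pass
      delegate_to: localhost
      # print() works on Python 2 and 3; hash() replaces the deprecated encrypt()
      command: python -c "from passlib.hash import sha512_crypt; print(sha512_crypt.hash('{{ pass }}'))"
      register: hash

    # shows the generated hash in the run output
    - debug:
        var: hash.stdout

    - name: update password
      user:
        name: xxxxxx
        password: '{{ hash.stdout }}'
      become: yes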

Now we create a new playbook to call off the cron task. We use the new password for authentication, and if authentication fails, cron will remain active and restore the old password.

hosts file:

   ip_1@   ansible_user=xxxxxx ansible_ssh_pass=aaaa ansible_sudo_pass=aaaa
   ip_2@   ansible_user=xxxxxx ansible_ssh_pass=bbbb ansible_sudo_pass=bbbb

the playbook:

- hosts: your_hosts
  gather_facts: no
  tasks:

    - name: cancel cron task
      cron:
        name: restore shadow
        state: absent
      become: yes   # the job was created in root's crontab, so remove it there

!!Remember:

  • The pass variable contains your password, so you may consider using vault.
  • Give yourself time when setting the cron for backup to be able to call it off (second playbook).
  • In the worst case, cron will restore the original password.
  • You need to have passlib installed on your Ansible server.

Upvotes: 2

Roy Tan

Reputation: 131

Create your shadow password (linux) with

python -c 'import crypt; print(crypt.crypt("YourPassword", "$6$random_salt"))'

create update_pass.yml

Execute your ansible-playbook as a sudoer (bash)

ansible-playbook update_pass.yml --become --become-method='sudo' --ask-become-pass

Upvotes: 4

Arbab Nazar

Reputation: 23771

You can leverage the user module to quickly change the password for the desired account. Ansible doesn’t allow you to pass a cleartext password to the user module, so you have to install a password hashing library to be leveraged by Python.

To install the library:

sudo -H pip install passlib

Then simply execute your command:

ansible 192.168.1.115 -s -m user -a "name=root update_password=always password={{ yourpassword | password_hash('sha512') }}" -u myuser --ask-sudo-pass

Hope that helps you.

Upvotes: 8
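
Added example (not taken from any of the answers above): a playbook that applies the user-module approach without keeping the new password in the inventory or in run output. It prompts for the password, hashes it on the control node, sets it, and then reads the shadow entry back to confirm the stored hash. The target_user value is an assumption; your_hosts is the placeholder group used above, and passlib is assumed to be installed on the control node.

```yaml
- name: Rotate a local account password without cleartext in inventory or logs
  hosts: your_hosts
  gather_facts: no
  become: yes
  vars:
    target_user: myuser          # assumption: the account to update
  vars_prompt:
    - name: new_password_hash
      prompt: "New password for the account"
      private: yes               # do not echo the input
      confirm: yes               # ask twice to catch typos
      encrypt: sha512_crypt      # hashed on the control node, fresh random salt
      salt_size: 16
  tasks:
    - name: Stop unless the prompt produced a SHA-512 crypt hash
      assert:
        that:
          - new_password_hash.startswith('$6$')
        quiet: yes
      no_log: true

    - name: Set the password hash
      user:
        name: "{{ target_user }}"
        password: "{{ new_password_hash }}"
        update_password: always
      no_log: true               # keep the hash out of stdout and callback logs

    - name: Read the shadow entry back
      getent:
        database: shadow
        key: "{{ target_user }}"
      no_log: true

    - name: Confirm the stored hash is the one that was just set
      assert:
        that:
          - ansible_facts.getent_shadow[target_user][0] == new_password_hash
        quiet: yes
      no_log: true
```

Run it with ansible-playbook and --ask-become-pass, as in the answer above; the sudo password supplied there is still the old one because it is read before the play starts.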
