Ansible update user password - ansible

ansible 192.168.1.115 -s -m shell -a "echo -e 'oldpassword\nnewpassword\nnewpassword' | passwd myuser" -u myuser --ask-sudo-pass
I would like to update an existing user with a new password. I tried this command, but it doesn't work.
I'd appreciate any tips!

You can leverage the user module to quickly change the password for the desired account. Ansible doesn't allow you to pass a cleartext password to the user module, so you have to install a password hashing library to be leveraged by Python.
To install the library:
sudo -H pip install passlib
Then simply execute your command:
# -b / --ask-become-pass replace the removed -s / --ask-sudo-pass flags;
# the password must be a quoted literal (or a defined variable) for the filter to hash it
ansible 192.168.1.115 -b -m user -a "name=root update_password=always password={{ 'yourpassword' | password_hash('sha512') }}" -u myuser --ask-become-pass
Hope that helps you

Create your shadow password (Linux) with:
# Python 3 syntax; the crypt module is deprecated since Python 3.11
python3 -c 'import crypt; print(crypt.crypt("YourPassword", "$6$random_salt"))'
Create update_pass.yml, then execute your playbook as a sudoer (bash):
ansible-playbook update_pass.yml --become --become-method='sudo' --ask-become-pass

Update the password for a list of hosts using dynamic variables:
In your inventory file set a variable (pass) as follows:
ip_1# ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='aaaa'
ip_2# ansible_user=xxxxxx ansible_ssh_pass=xxxx ansible_sudo_pass=xxx pass='bbbb'
Now in the playbook we make a backup of the shadow file and set a cron task to restore the shadow file in case something goes wrong, then we update the password:
- hosts: your_hosts
  gather_facts: no
  tasks:
    - name: backup shadow file
      copy:
        src: /etc/shadow
        dest: /etc/shadow.orig   # same file the cron job restores from
        remote_src: yes          # copy on the managed host, not from the controller
        mode: '0600'
      become: yes
    - name: set cron for backup
      cron:
        name: restore shadow
        # AT LEAST GIVE YOURSELF ONE HOUR TO BE ABLE TO CALL THIS OFF
        hour: "{{ restore_hour }}"
        minute: '*'              # must be quoted: a bare * is invalid YAML
        job: "cp -f /etc/shadow.orig /etc/shadow"
      become: yes
    - name: generate hash pass
      delegate_to: localhost
      command: python3 -c "from passlib.hash import sha512_crypt; print(sha512_crypt.hash('{{ pass }}'))"
      register: hash
      no_log: yes                # the cleartext password is on this command line
    - debug:
        var: hash.stdout
    - name: update password
      user:
        name: xxxxxx
        password: '{{ hash.stdout }}'
      become: yes
Now we create a new playbook to call off the cron task. We use the new password for authentication; if authentication fails, cron will remain active and restore the old password.
hosts file:
ip_1# ansible_user=xxxxxx ansible_ssh_pass=aaaa ansible_sudo_pass=aaaa
ip_2# ansible_user=xxxxxx ansible_ssh_pass=bbbb ansible_sudo_pass=bbbb
the playbook:
- hosts: your_hosts
  gather_facts: no
  tasks:
    - name: cancel cron task
      cron:
        name: restore shadow
        state: absent
      become: yes   # the job lives in root's crontab, so removing it needs root too
!!Remember:
The pass variable contains your password, so you may consider using Vault.
Give yourself time when setting the cron for backup to be able to call it off (second playbook).
In the worst case cron will restore the original password.
You need to have passlib installed on your Ansible server.
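The three answers above produce the same kind of hash with three different tools: the password_hash('sha512') filter, Python's crypt module, and passlib. The following is an added example, not code from this thread: the sha512-crypt scheme those tools implement, written with only the Python standard library, so a controller can generate a shadow-compatible hash without passlib and can verify whether an existing /etc/shadow entry actually matches a candidate password (for instance before cancelling the restore cron from the last answer). The user name myuser and the non-hash fields of the sample shadow line are constructed; the "Hello world!" / "saltstring" hash is the test vector published with Drepper's sha-crypt specification.

```python
# Added example (not code from the thread): sha512-crypt, the scheme behind
# Ansible's password_hash('sha512'), passlib's sha512_crypt and glibc crypt(),
# in standard-library Python: build a shadow-compatible hash on the controller
# and check an existing /etc/shadow entry against a candidate password.
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # implied when the hash carries no rounds= field


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest to exactly `length` bytes."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """sha512-crypt as in Drepper's sha-crypt spec; salt is cut to 16 chars."""
    rounds = max(1000, min(rounds, 999_999_999))
    salt = salt[:16]
    pw, sb = password.encode(), salt.encode()
    plen = len(pw)
    # Digest B = H(password + salt + password)
    b = hashlib.sha512(pw + sb + pw).digest()
    # Digest A = H(password + salt + B filled to plen + one B or password
    # per bit of plen, least significant bit first)
    a = hashlib.sha512(pw + sb)
    a.update(_fill(b, plen))
    n = plen
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    c = a.digest()
    # Byte strings P (from the password) and S (from the salt)
    p = _fill(hashlib.sha512(pw * plen).digest(), plen)
    s = _fill(hashlib.sha512(sb * (16 + c[0])).digest(), len(sb))
    # Key stretching: `rounds` iterations mixing C, P and S
    for i in range(rounds):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    # crypt-style base64 with the scheme's fixed byte permutation: 21 groups
    # of 3 bytes at indices (22k, 22k+21, 22k+42) mod 63, then byte 63 alone
    out = []
    for k in range(21):
        i0 = (22 * k) % 63
        w = (c[i0] << 16) | (c[(i0 + 21) % 63] << 8) | c[(i0 + 42) % 63]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    out += [ITOA64[c[63] & 0x3F], ITOA64[c[63] >> 6]]
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${''.join(out)}"


def new_hash(password: str) -> str:
    """Shadow-ready hash with a fresh random 16-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(16))
    return sha512_crypt(password, salt)


def verify(shadow_hash: str, password: str) -> bool:
    """Constant-time check of a password against a $6$[rounds=N$]salt$hash string."""
    parts = shadow_hash.split("$")  # ['', '6', ('rounds=N',) salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return False
    rounds = DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        parts = parts[:2] + parts[3:]
    if len(parts) != 4:
        return False
    recomputed = sha512_crypt(password, parts[2], rounds)
    return hmac.compare_digest(recomputed.rsplit("$", 1)[1], parts[3])


def shadow_entry_matches(shadow_line: str, user: str, password: str) -> bool:
    """True if an /etc/shadow line belongs to `user` and its hash matches `password`."""
    fields = shadow_line.rstrip("\n").split(":")
    return len(fields) >= 2 and fields[0] == user and verify(fields[1], password)


# Constructed sample: user name and the non-hash fields are made up; the hash is
# the "Hello world!" / "saltstring" vector from the sha-crypt specification.
SAMPLE_SHADOW_LINE = (
    "myuser:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJ"
    "uesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:19000:0:99999:7:::"
)
```

new_hash() gives you the value to put in the user module's password field when passlib is not installed on the controller; shadow_entry_matches() run against a line fetched from the managed host tells you whether the new password really landed before you remove the restore cron. Note that the 5000-round default is what glibc and passlib also assume when no rounds= field is present, so hashes from all three sources verify interchangeably.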

Related

How to use the 'export' command in Ansible playbook?

If I run the command below directly in a terminal, kubectl gets enabled. If I use the same command with the shell module in an Ansible playbook, it executes but does not do its job of enabling kubectl.
export KUBECONFIG="/etc/rancher/rke2/rke2.yaml" \
&& export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
Ansible playbook
---
- name: Copy installer
  hosts: FIRST_SERVER
  gather_facts: yes
  ignore_unreachable: true
  any_errors_fatal: true
  tasks:
    - name: Execute enable kubectl on primary server
      when: inventory_hostname in groups['FIRST_SERVER']
      shell: |
        set -o pipefail
        export KUBECONFIG="/etc/rancher/rke2/rke2.yaml"
        export PATH="$PATH:/usr/local/bin:/var/lib/rancher/rke2/bin"
      args:
        executable: /bin/bash
      become: yes
Please suggest.
Your example sets remote environment variables temporarily, for that task only.
For certain servers I am using the following approach from
What do the scripts in /etc/profile.d do?
by using
- name: Provide environment variable script file
  template:
    src: "{{ item }}.j2"
    dest: "/etc/profile.d/{{ item }}"
  with_items:
    - "environment.sh"
and in example
# /etc/profile.d/environment.sh
export ACCOUNT=$(who am i | cut -d " " -f 1)
export DOMAIN=$(hostname | cut -d "." -f 2-4)
Further Q&A
"Scripts placed in ... get sourced on login"
How to set an environment variable during package installation?
By doing this I am able to set persistent environment variables for specific software and services.

Ansible /etc not writable even after using become

I can't write to /etc despite successful privilege escalation using become. I can, however, write to it directly from the host, so it sounds like become isn't behaving as expected.
Playbook (I've omitted other tasks for brevity, but all tasks in this playbook require escalation to the postgres user and are successful)
- name: Playbook Control
  hosts: all
  become: yes
  become_user: postgres
  tasks:
    - name: Debug Perms
      shell: ls -lrt /etc/pgbackrest.conf
    - name: Initialize pgbackrest.conf
      copy:
        src: pgbackrest_init
        dest: /etc/pgbackrest.conf
Inventory
hostname.net
[all:vars]
ansible_connection=ssh
ansible_user=pg_deployment
Playbook Command
ansible-playbook -vvv --vault-password-file=.vault_pw -i hosts/hosts playbook_control.yml
Using vault to store pg_deployment ssh password.
Debug Perms Output
"stdout": "-rw-r--r-- 1 postgres postgres 82 Aug 24 2021 /etc/pgbackrest.conf"
Initialize pgbackrest.conf Output
"msg": "Destination /etc not writable"
In the -vvv block preceding the task Initialize pgbackrest.conf, I see escalation succeeded.

Ansible doesn't seems to apply encrypted vault password but reads the vault file

I'm new to Ansible and trying to create a new user with an encrypted password using ansible-vault. The target system is OpenBSD, and I'm using Ansible 2.10 on Ubuntu 20.04.
The "problem" is that once the playbook has finished, I get this message in the output:
"password": "NOT_LOGGING_PASSWORD"
and the password is not set/updated.
I first created and edited my vault file using ansible-vault.
Content of my vault file:
user_pass: pass
Here is my playbook:
- name: Add new user
  hosts: all
  vars_files:
    - "../vars/pass.yml"
  tasks:
    - name: Add regular user
      user:
        name: foo
        update_password: always
        password: "{{ vault_user_pass | password_hash('sha512') }}"
        create_home: yes
        shell: /bin/sh
        generate_ssh_key: yes
        ssh_key_type: rsa
        ssh_key_bits: 2048
        ssh_key_passphrase: ''
      become_user: root
Do you have any idea why the password is not set/updated? I tried to print the vault variable to check whether the var is readable, using the debug module, and yes, it is. The user is created but with another password. I also tried to hash the password using mkpasswd, but same results.
If you need further information, don't hesitate :).
Thank you in advance.
The variable name is user_pass; even though your variable is in a vault file, you don't need to use the vault_ prefix.
Try as below
- name: Add new user
  hosts: all
  vars_files:
    - "../vars/pass.yml"
  tasks:
    - name: Add regular user
      user:
        name: foo
        update_password: always
        password: "{{ user_pass | password_hash('sha512') }}"
        create_home: yes
        shell: /bin/sh
        generate_ssh_key: yes
        ssh_key_type: rsa
        ssh_key_bits: 2048
        ssh_key_passphrase: ''
      become: yes        # become_user alone does not escalate; become must be enabled too
      become_user: root

How to add a sudo password to a delegated host

How do you add a sudo password to a delegated host?
eg.
- hosts: host1
  tasks:
    - name: Some remote command
      command: sudo some command
      register: result
      delegate_to: host2
      become: yes
I get "Incorrect sudo password" because, I assume, it is using the sudo password for host1. Is there a way to make it use a different password?
It has been a while, but I was struggling with this as well and managed to solve it, so here is a summarized answer:
As pointed out correctly, the issue is that the ansible_become_password variable is set to your original host (host1) when running the delegated task on host2.
Option 1: Add become password to inventory and delegate facts
One option to solve this is to specify the become password for host2 in your inventory, and secure it using ansible vault (as they have done here: How to specify become password for tasks delegated to localhost). Then you should be able to trigger using the correct sudo pw with delegate_facts as they did here Ansible delegate_to "Incorrect sudo password".
Option 2: Prompt and overwrite pass manually
If you prefer to get prompted for the second sudo password instead, you can do this by using vars_prompt to specify the second sudo password at runtime:
- hosts: host1
  vars_prompt:
    - name: custom_become_pass
      prompt: enter the custom become password for host2
      private: yes
  tasks:
    ...
Then you can just replace the variable ansible_become_password before running your delegated tasks and it will use the correct sudo password:
tasks:
  - name: do stuff on host1
    ...
  - name: set custom become
    set_fact:
      ansible_become_password: '{{ custom_become_pass }}'
  - name: perform delegated task
    command: sudo some command
    register: result
    delegate_to: host2
    become: yes
You could try to use the ansible_become_password variable directly inside the task's vars section.
Ansible doc

Ansible: prompt to enter enable password on cisco ios

I need to make the script prompt for the enable password after entering unprivileged mode on Cisco IOS. So far this is what I have, which works, but I don't want to put my real "enable" password anywhere on my computer.
---
- name: Basic Show Commands
  hosts: cisco
  gather_facts: False
  connection: local
  tasks:
    - name: show run
      ios_command:
        commands:
          - show run
        provider:
          authorize: yes
          auth_pass: my_enable_password
      register: show_run
    - debug:
        var: show_run.stdout_lines
    - name: copy show run to file
      local_action: copy content={{show_run.stdout[0]}} dest=/mnt/c/Ansible/show_run
I run the playbook as follows:
ansible-playbook -u my_username -k /mnt/c/Ansible/show_run.yaml
How do I make this happen?
This is a very old thread, but for the sake of someone new searching for the answer, I did this:
ansible-playbook -u my_username --ask-pass --ask-become-pass /mnt/c/Ansible/show_run.yaml
Also, in the hosts file:
[host_group:vars]
ansible_become=yes
ansible_become_method=enable
ansible_network_os=ios
An option "to make the script prompt for enable password" would be to use vars_prompt. See the example below:
...
vars_prompt:
  - name: "my_enable_password"
    prompt: "Cisco auth_pass:"
    private: yes
tasks:
  ...
