Oct 15, 2017

Ansible: How to set user passwords

 

I’m in the process of converting my Fabric PBX automated installation to an Ansible playbook, but I got stuck on the user module portion. I want to pass a default password to user accounts. Ansible’s user module requires the crypted SHA-512 hash rather than taking a password. In other words, instead of supplying a password, you must supply the key (or, as they call it, a “crypted value”).

I think requiring the “crypted value” is for security reasons, but I imagine if someone has access to the key they can brute force the password anyways.  Sometimes secure and inconvenient mean the same thing I guess!  In any case, the user module should itself generate the key or they should build the feature into ansible-vault.

I stumbled on the instructions provided on the Ansible website. There were no clear examples of setting a default password on the Ansible user module page. You would think that would be an obvious one. There is a link to directions on the Ansible cryption FAQ that suggest using ‘mkpasswd’. However, on the system I use (Fedora 24) the command doesn’t have the ability to output SHA-512 keys. Another option presented is a Python 2.7 command that didn’t work for me either. After some research and a little testing I found a solution.

 

Goals of this Post:

  • Create crypted user account password
  • Create credentials.yml – VARS FILE for password keys
  • Example of assigning a user module password in a playbook
  • Execute Ansible play and test

 

 

Create crypted user account password

Below is the Python3 code that worked for me. Change ‘MyAdminPass’ and ‘MyUserPass’ to your desired default passwords that Ansible should check. Keep the terminal window open. Copy the resulting key and paste it into a vars_file we will create in the next step.

[matt@mattcom1 Desktop]$ python3 -c 'import crypt; print(crypt.crypt("MyAdminPass", crypt.mksalt(crypt.METHOD_SHA512)))'
$6$MK4kULUtU1ME71TH$m3FeQe0drrwttOHG1c9Bg0uyJ/OFzAbVzi7QG65dgaeSAPteha/fBo2buts1uEJCqbdEY1HlbYCAEH7UKRqDY1

[matt@mattcom1 Desktop]$ python3 -c 'import crypt; print(crypt.crypt("MyUserPass", crypt.mksalt(crypt.METHOD_SHA512)))'
$6$oYOqvV3gd7xFNYDq$s77CxR99pI2haTgS8oR/Vo8CguY9KBJ4.4lFYws9Nz9qrQp4baT9ehLqjsrp4GaGb2t1vEg6KVMtXnNM/VDTw/

This produces the following passwords for Linux accounts: ‘MyAdminPass’ and ‘MyUserPass’. Please note: I deliberately changed these keys so you cannot ‘cut & paste’! Please change the passwords above and run the code yourself!

 

Create credentials.yml

This is just a standard YAML file for tracking variables in Ansible. In this case we are tracking ‘crypted values’ of SHA-512 passwords. We can call these variables by including the file as a vars_file in our playbook.

Ansible vars_file
credentials.yml:

 

 

Example of assigning a user module password

Below is a playbook calling the user module. The important part below is the inclusion of the VARS_FILE file, ‘credentials.yml’, which contains variables representing our crypted values. Remember to define ‘vars_files:’ with YAML or Python list notation. Example: vars_files: ['credentials.yml'] or vars_files: ['credentials.yml', 'apache-vars.yml'].

Once the ‘vars_files’ parameter is set, include the appropriate variable for the user. In the example below I created two default passwords: one for the ‘admin’ account and another for standard user accounts like ‘bsmith’ and ‘tlopez’.

Ansible Playbook
savelono-users.yml: 

 

 

Execute Ansible play and test

Now let’s run our playbook.

ansible-playbook -i playbooks/hosts playbooks/savelono-users.yml

Here is a screenshot of the output from ‘ansible-playbook’:

As you can see below, all the default users are listed with the correct passwords, ‘MyUserPass’ and ‘MyAdminPass’.
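
The vars file and playbook from the steps above, put together as an added example; this is not the author's original listing. The variable names admin_password and user_password, the `hosts: all` target and the use of `become` are assumptions, and the hash values are placeholders for your own python3 output.

```yaml
---
# credentials.yml (vars file)
# Placeholders: replace each value with the full "$6$..." string printed by
# the python3 command. Keep the quotes so the '$' and '/' characters stay literal.
admin_password: '$6$<salt>$<hash>'   # assumed variable name
user_password: '$6$<salt>$<hash>'    # assumed variable name

---
# savelono-users.yml (playbook)
- hosts: all                 # assumption: narrow this to your own inventory group
  become: true               # assumption: account creation needs root on the target
  vars_files:
    - credentials.yml        # path is resolved relative to this playbook
  tasks:
    - name: Create the admin account with its default password
      user:
        name: admin
        password: "{{ admin_password }}"   # the crypted value, never the plain text
        update_password: on_create         # do not overwrite a password changed later
        state: present
      no_log: true                         # keep the hash out of task output and logs

    - name: Create standard user accounts with the shared default password
      user:
        name: "{{ item }}"
        password: "{{ user_password }}"
        update_password: on_create
        state: present
      loop:
        - bsmith
        - tlopez
      no_log: true
```

Restrict read access to credentials.yml, since anyone who can read the SHA-512 crypt strings can attack them offline.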

 

In my next article we will cover encryption/decryption of the ‘credentials.yml’ we created today using the ansible-vault utility. Thank you for reading, I hope I was able to help!




