Predefined password change on multiple hosts at a time using Ansible
Updated: Oct 3, 2021
Password change is a regular activity, and it is also mandated by several compliance frameworks such as PCI DSS, GDPR, NIST etc. Changing the passwords of multiple users at a time is a nightmare and a time-consuming task for a system admin. To make IT people's life easier I created a playbook that changes the passwords of multiple users on several hosts at a time.
Follow the procedure below:
Add hosts into inventory file
# vim /etc/ansible/hosts
# Add the lines below at the end of the hosts file
[dbservers]
192.168.10.37
192.168.10.42
:wq
Create playbook file
# cd /etc/ansible/playbooks
Create the password hash
# Replace YOURSALT with a random salt (e.g. from crypt.mksalt(crypt.METHOD_SHA512)) so that two users with the same password do not get the same hash
# python3 -c 'import crypt, getpass; print(crypt.crypt(getpass.getpass(), "$6$YOURSALT"))'
I will use the password hash above in the playbook file.
# vim password-change.yaml
- hosts: dbservers
  become: yes
  become_user: root
  become_method: sudo
  remote_user: sys-admin
  vars:
    ora_pass_1037: '$6$YOURSALT$1qZi8D5mykvt9Jxh8BKPur9LZZ1rNjLoZNa966YsmR7f..MzF1X02DhprqKmZhrmm8Bv8ermqdvx3I8lhtYAy'
    ora_pass_1042: '$6$YOURSALT$rFuT5lncRmkHvOb76uXOspJFRXjsRnsXglsXfCew8buMdCjw8IBJ.0rwa.yIQ1CllnPNAfcXz4A7rbFAIMaI/.'
  tasks:
    - name: Change test user password of 192.168.10.37
      user:
        name: test
        update_password: always
        password: "{{ ora_pass_1037 }}"
      when: inventory_hostname == "192.168.10.37"
    - name: Change test user password of 192.168.10.42
      user:
        name: test
        update_password: always
        password: "{{ ora_pass_1042 }}"
      when: inventory_hostname == "192.168.10.42"
Explanation of playbook file:
hosts: dbservers
Here dbservers is the group name declared in the inventory file.
become: yes
become_user: root
become_method: sudo
The above 3 lines make the playbook execute as root.
remote_user: sys-admin
Here sys-admin is a central user. This could be a local user or an IPA user. If sys-admin is a local user then a sudoers entry is required on each host.
# visudo
User_Alias ADMINS = sys-admin
ADMINS ALL=(ALL) ALL
If the sys-admin user is an IPA user then the above configuration is not required. I will try to write a post where I will show how an "IPA" user can be used in the Ansible playbook.
Now it's time to run the playbook:
# cd /etc/ansible/playbooks
# ansible-playbook -l dbservers password-change.yaml -k -K -v
If everything is OK then the password will be changed successfully.
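A hardened variant of the playbook above, added here as an example and not part of the original post: the per-host hashes move out of the playbook into host_vars files (the file paths, the second user name backup and the hash values are assumed placeholders), those files are encrypted with ansible-vault, one task loops over a user-to-hash map instead of one when clause per host, an assert refuses anything that is not a $6$ crypt hash so a plaintext slip never reaches the hosts, and no_log keeps the hashes out of the run output.

```yaml
# host_vars/192.168.10.37.yml (assumed path; encrypt it with: ansible-vault encrypt host_vars/192.168.10.37.yml)
# Each host carries its own user -> SHA-512 crypt hash map; the values are placeholders, not real hashes.
user_passwords:
  test: '$6$PLACEHOLDER_SALT_A$PLACEHOLDER_HASH_A'
  backup: '$6$PLACEHOLDER_SALT_B$PLACEHOLDER_HASH_B'

---
# password-change.yaml
- hosts: dbservers
  become: yes
  become_user: root
  become_method: sudo
  remote_user: sys-admin
  tasks:
    - name: Refuse to run if a value is not a SHA-512 crypt hash (guards against a plaintext password slipping in)
      assert:
        that: "item.value is match('^\\$6\\$')"
        fail_msg: "user_passwords.{{ item.key }} on {{ inventory_hostname }} is not a $6$ hash"
      loop: "{{ user_passwords | dict2items }}"
      no_log: true

    - name: Set the password for every user listed for this host
      user:
        name: "{{ item.key }}"
        password: "{{ item.value }}"
        update_password: always
      loop: "{{ user_passwords | dict2items }}"
      loop_control:
        label: "{{ item.key }}"   # show the user name in output, never the hash
      no_log: true
```

Because the host_vars files are vault-encrypted, the run command gains --ask-vault-pass: ansible-playbook -l dbservers password-change.yaml -k -K --ask-vault-pass.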
That's it.
Hope this will help.