ansible command to change a host password

3 min read 08-12-2024
Changing Host Passwords with Ansible: A Secure and Efficient Approach

Changing passwords across multiple servers can be a tedious and error-prone task. Ansible, a powerful automation tool, provides a secure and efficient way to manage this process. This article details the Ansible commands and best practices for securely changing host passwords. We'll cover both using the become method (recommended for most scenarios) and a less secure alternative.

Understanding the Security Implications

Before diving into the commands, it's crucial to understand the security implications. Hardcoding passwords directly into your Ansible playbooks is a significant security risk. Instead, we'll utilize Ansible's vault functionality to securely store sensitive information. This ensures your passwords are encrypted and protected.

Method 1: Using become and Ansible Vault (Recommended)

This method leverages Ansible's become functionality, allowing you to execute commands as the root user (or another privileged user) without directly embedding the password in your playbook. This is the recommended approach for its enhanced security.

1. Encrypting your Password with Ansible Vault:

First, you need to encrypt your password using Ansible Vault. This is done from your command line:

ansible-vault encrypt --output password.txt.j2 password.txt

Replace password.txt with the name of the file containing the new password. You'll be prompted for a password that protects the vault; keep that password secure. This creates the encrypted file password.txt.j2. The plaintext password.txt is left in place by this command, so delete it once the encrypted copy exists.

2. Ansible Playbook:

Create an Ansible playbook (e.g., change_password.yml) with the following content:

---
- hosts: all
  become: true
  tasks:
    - name: Change password
      ansible.builtin.user:
        name: root  # Or the account whose password you are changing
        # The file lookup decrypts the vault file in memory; only the resulting
        # hash is written to the password database. The per-host seed keeps the
        # salt stable, so rerunning the playbook does not report a change.
        password: "{{ lookup('file', 'password.txt.j2') | trim | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
        update_password: always
      become: true
      become_method: sudo  # Or another appropriate method
      no_log: true         # Keep the hash and the lookup out of the task output

    - name: Confirm the account state.  Adjust the command for your OS.
      ansible.builtin.command:
        cmd: passwd --status root
      register: status
      changed_when: false
      failed_when: "' P ' not in status.stdout"  # P = usable password set; L = locked; NP = no password

This playbook uses the user module to set the account's password hash in /etc/shadow (or the equivalent password database for your operating system; adjust the account name if necessary). The file lookup reads the vault-encrypted file and decrypts it in memory, trim removes the trailing newline, and password_hash turns the plaintext into the SHA-512 crypt hash that the password file actually stores; the per-host seed keeps the salt stable so a second run does not report a change. Remember to adjust the become_method if needed. The final task runs passwd --status and fails the play unless the account shows a usable password, so you can confirm the change took effect. Remember to replace root with the correct account for your system.

3. Running the Playbook:

Before running the playbook, make sure you've added the encrypted password.txt.j2 file to your Ansible project directory. Then, run it using:

ansible-playbook --ask-vault-pass change_password.yml

This prompts for the vault password, decrypts the password file on the fly while the playbook runs, and never writes the plaintext password to disk; the encrypted file stays in place for the next run.
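A pre-flight check for the vault file, as an added example that is not part of the original article: it parses the envelope header and body layout that ansible-vault writes and refuses a file that is still plaintext, so an unencrypted password.txt.j2 is caught before the playbook runs or the file is committed. The sample envelope is constructed with dummy fields, and inspect_vault_file and safe_to_ship are names chosen here.

```python
import binascii
import re

# Envelope header written by ansible-vault: $ANSIBLE_VAULT;<version>;<cipher>[;<vault id>]
HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;(1\.\d);([A-Z0-9]+)(?:;([^;\s]+))?$")


def inspect_vault_file(text):
    """Describe a file that should be an ansible-vault envelope.

    'encrypted' is False for plaintext. Raises ValueError when the header claims a
    vault file but the body is not the hex-wrapped 'salt\\nhmac\\nciphertext' payload.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty file")
    m = HEADER_RE.match(lines[0].strip())
    if m is None:
        return {"encrypted": False, "version": None, "cipher": None, "vault_id": None}
    version, cipher, vault_id = m.groups()
    if version == "1.2" and vault_id is None:
        raise ValueError("format 1.2 header is missing its vault id")
    body = "".join(line.strip() for line in lines[1:])
    try:
        inner = binascii.unhexlify(body).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("vault body is not hex text") from exc
    parts = inner.split("\n")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-f]+", p) for p in parts):
        raise ValueError("vault body does not split into salt/hmac/ciphertext")
    return {"encrypted": True, "version": version, "cipher": cipher,
            "vault_id": vault_id, "hmac_bytes": len(parts[1]) // 2}


def safe_to_ship(text):
    """True only for a well-formed encrypted envelope; plaintext or a damaged file is False."""
    try:
        return inspect_vault_file(text)["encrypted"]
    except ValueError:
        return False


def constructed_envelope():
    """Constructed sample with fixed dummy fields, NOT real ciphertext; same layout as a vault file."""
    inner = "\n".join(["aa" * 32, "bb" * 32, "cc" * 16]).encode("ascii")
    outer = binascii.hexlify(inner).decode("ascii")
    wrapped = "\n".join(outer[i:i + 80] for i in range(0, len(outer), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"
```

Run it against password.txt.j2 as a git pre-commit hook or a step before ansible-playbook, and treat a False result as a stop.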

Method 2: Using passwd Command (Less Secure – Avoid if Possible)

This method uses the passwd command directly within the playbook. This is significantly less secure than using Ansible Vault and is generally discouraged. Only use this method if you have a very specific reason and understand the risks involved.

---
- hosts: all
  become: true
  tasks:
    - name: Change password
      ansible.builtin.shell:  # shell, not command: the pipe needs a shell
        # passwd --stdin exists on RHEL-family systems; other distributions need chpasswd
        cmd: "echo 'new_password' | passwd --stdin root"  # Extremely insecure, do not use in production.

Replace new_password with the desired password. This approach is highly vulnerable to security breaches; avoid it if at all possible.

Best Practices

  • Use Ansible Vault: Always encrypt sensitive information using Ansible Vault.
  • Principle of Least Privilege: Use the become functionality with the least privileged user necessary.
  • Regular Password Rotation: Implement a system for regular password changes.
  • Test Thoroughly: Test your playbooks in a development or staging environment before deploying to production.
  • Version Control: Store your playbooks in a version control system (like Git) for tracking and auditing purposes.
  • OS Specific Commands: Adapt commands like the passwd status check (and passwd --stdin, which is RHEL-specific) to your specific OS distribution.

By following these guidelines, you can leverage Ansible to efficiently and securely manage host passwords across your infrastructure. Remember that security should always be the top priority when automating tasks.
