If you're ok with Ansible generating the password for you then storing it
on the machine you ran the playbook from, then the `password` plugin might
help a bit.

Assuming you have an inventory of servers and you're OK with saving the
latest password to "/tmp/root.password.hostname.txt", I believe something
like this will do what you're looking for:

    - name: Force new root password
      user:
        name: root
        # The plain text stays in the file on the machine running the playbook;
        # the user module receives only the SHA-512 hash.
        password: >-
          {{ lookup('password', '/tmp/root.password.' ~ inventory_hostname ~
             '.txt length=60 chars=ascii_letters,digits,punctuation')
             | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}
        update_password: always

This will generate a random password of ASCII letters, digits and
punctuation; the password will be 60 characters long, and the plain-text of
it will be stored in /tmp/root.password.{hostname}.txt for each system.

The "password_hash()" modifier on the "password:" line hashes the password
so the "user:" module can use it. It also assumes that the system getting
the new password can handle SHA512 passwords. It also uses the
"inventory_hostname" to ensure that the hashed password is idempotent
between runs. The "1000000|...|string" uses the name of the system being
worked on as a random seed and picks a pseudo-random value to use for the
password hash.

NOTE: The first time this is run, the /tmp/root.password.{hostname}.txt
file is created and used. The next time you run it, since that file exists,
it will re-use that raw password and not change it. To change the root
password of that server, either delete the file and a new random password
will be assigned, or create your own password and put it in this file.

On Tuesday, September 17, 2019 at 11:36:25 AM UTC-5, Deepan M wrote:
>
> Hi,
>
> Manually logging in to each server and setting the root password: log in to
> server1, set password "password123"; then log in to server2, set
> password "redhat123". Like this, I'm looking for an Ansible playbook where I
> can automate this for 100+ servers.
>
> Idea looking forward:
> 1. A random password needs to be generated.
> 2. On each server, the root user password should be reset by picking up from
> the random password.
>
> Note: For security reasons, we are resetting the root password on a monthly
> basis, and those passwords should be generated randomly and reset.
>
> Thanks,
> Deepan M
>
>
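
The monthly rotation asked about in the thread, combined with the NOTE about deleting the stored file, written as one complete play. This is an added example, not part of the original posts; `rotate_root_password` and `root_pw_file` are hypothetical variable names, and `hosts: all` is an assumption about the inventory.

```yaml
# Added example (not from the thread). Variable names are hypothetical;
# the file path and lookup options are the ones used in the reply.
- name: Rotate root passwords
  hosts: all
  become: true
  vars:
    # Leave false for normal runs; pass -e rotate_root_password=true
    # for the monthly reset.
    rotate_root_password: false
    root_pw_file: "/tmp/root.password.{{ inventory_hostname }}.txt"
  tasks:
    # The password lookup re-uses an existing file, so the stored plain text
    # has to be removed on the control machine before a new one is generated.
    - name: Forget the stored password so the lookup generates a new one
      file:
        path: "{{ root_pw_file }}"
        state: absent
      delegate_to: localhost
      become: false
      when: rotate_root_password | bool

    - name: Force new root password
      user:
        name: root
        password: >-
          {{ lookup('password', root_pw_file ~
             ' length=60 chars=ascii_letters,digits,punctuation')
             | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}
        update_password: always
      # Keep the hash out of task output and logs.
      no_log: true
```

Without the extra variable the play is a no-op on hosts whose password file already exists, because the same plain text and the same hostname-seeded salt produce the same hash.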