About Luca Berton

Luca Berton is an Ansible automation expert, author of 8 Ansible books published by Apress and Leanpub including "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example", and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Missing Sudo Password: Fix Passwordless SSH & Sudo Errors

By Luca Berton · Published 2024-01-01 · Category: installation

Fix Ansible 'missing sudo password' errors. Set up SSH key authentication, configure sudo NOPASSWD, use ansible_become_password.

Introduction

Today we're going to talk about Ansible troubleshooting, specifically the fatal "usermod: unlocking the user's password would result in a passwordless account." error. I'm Luca Berton, and welcome to today's episode of Ansible Pilot.

See also: Ansible Vault Error: Fix 'Attempting to Decrypt but No Vault Secrets Found'

Playbook

The best way to talk about Ansible troubleshooting is to jump into a live Playbook and show you, in practice, the "usermod: unlocking the user's password would result in a passwordless account." error and how to solve it!

error code

• passwordless_error.yml
---
- name: user module Playbook
  hosts: all
  become: true
  vars:
    myuser: "example"
  tasks:
    - name: create a disabled user
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password_lock: true
    # Fails: the account was created without a password hash, so removing
    # the lock would leave it passwordless and usermod refuses to do it.
    - name: enable user
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password_lock: false

See also: Ansible troubleshooting - Unhandled exception while executing module win_user

error verification

Verify that no user named example exists on the target system:
$ ssh devops@demo.example.com
Last login: Tue Oct  5 09:35:24 2021 from 192.168.0.100
[devops@demo ~]$ sudo su -
Last login: Tue Oct  5 09:34:55 UTC 2021 on pts/0
[root@demo ~]# getent passwd | grep example
[root@demo ~]# exit
logout
[devops@demo ~]$ exit
logout

error execution

output
$ ansible-playbook -i Playbook/inventory troubleshooting/passwordless_error.yml
PLAY [user module Playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [create a disabled user] *********************************************************************
changed: [demo.example.com]
TASK [enable user] ********************************************************************************
fatal: [demo.example.com]: FAILED! => {"changed": false, "msg": "usermod: unlocking the user's password would result in a passwordless account.\nYou should set a password with usermod -p to unlock this user's password.\n", "name": "example", "rc": 1}
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=

See also: Ansible troubleshooting - AWS Failed to import the required Python library (botocore or boto3)

fix code

• passwordless_fix.yml
---
- name: user module Playbook
  hosts: all
  become: true
  vars:
    myuser: "example"
    mypassword: "password"
  tasks:
    - name: create a disabled user
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password_lock: true
    # Setting a hash in the same task gives the account a password, so the
    # unlock no longer produces a passwordless account.
    - name: enable user
      ansible.builtin.user:
        name: "{{ myuser }}"
        password: "{{ mypassword | password_hash('sha512') }}"
        state: present
        password_lock: false
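To make the difference between the two playbooks concrete, here is an added Python model of the /etc/shadow password field as each task drives it. This is example code written for this page; it is not the page's playbooks and not the real implementation of Ansible's user module or of usermod. It assumes one simplified rule: a leading run of `!` is the lock marker, whatever follows it is the password hash, and an empty hash means a passwordless account. The user names and the hash value are constructed.

```python
"""Simplified model of the /etc/shadow password field as the two playbooks
on this page drive it. Added example: not the page's playbooks and not the
real code of Ansible's user module or of usermod.

Assumption (simplified rule): a leading run of '!' characters is the lock
marker, whatever follows it is the password hash, and an empty hash means a
passwordless account. User names and hash values below are constructed.
"""


class PasswordlessAccountError(Exception):
    """Raised at the point where usermod -U prints the error quoted above."""


def is_locked(field: str) -> bool:
    return field.startswith("!")


def lock_password(field: str) -> str:
    """`password_lock: true` (usermod -L): add the marker once, never twice."""
    return field if is_locked(field) else "!" + field


def unlock_password(field: str) -> str:
    """`password_lock: false` (usermod -U): drop the marker, but refuse when
    nothing would be left for the user to authenticate with."""
    hash_part = field.lstrip("!")
    if hash_part == "":
        raise PasswordlessAccountError(
            "usermod: unlocking the user's password would result in a "
            "passwordless account."
        )
    return hash_part


def apply_task(field: str, task: dict) -> str:
    """Apply one ansible.builtin.user task's parameters to the field."""
    if "password" in task:
        # A new hash replaces the whole field; it stays locked only when the
        # same task also asks for password_lock: true.
        return ("!" if task.get("password_lock") else "") + task["password"]
    if task.get("password_lock") is True:
        return lock_password(field)
    if task.get("password_lock") is False:
        return unlock_password(field)
    return field


def run_playbook(steps, created_without_password: str = "!") -> str:
    """Run the tasks against a user just created without a password.
    `created_without_password` is the field useradd leaves in that case:
    a lock marker and no hash (constructed default)."""
    field = created_without_password
    for _name, task in steps:
        field = apply_task(field, task)
    return field


# Stand-in for `mypassword | password_hash('sha512')`: constructed, not a real hash.
FAKE_SHA512_HASH = "$6$constructedsalt$constructedhash"

ERROR_STEPS = [
    ("create a disabled user", {"password_lock": True}),
    ("enable user", {"password_lock": False}),
]
FIX_STEPS = [
    ("create a disabled user", {"password_lock": True}),
    ("enable user", {"password": FAKE_SHA512_HASH, "password_lock": False}),
]


def playbook_outcome(steps) -> str:
    """Final shadow field, or the failure text the error playbook produces."""
    try:
        return run_playbook(steps)
    except PasswordlessAccountError as exc:
        return f"FAILED: {exc}"


if __name__ == "__main__":
    print("passwordless_error.yml ->", playbook_outcome(ERROR_STEPS))
    print("passwordless_fix.yml   ->", playbook_outcome(FIX_STEPS))
```

Running the module shows the error playbook stopping at the unlock step and the fix playbook ending with the hash in place and no lock marker, which matches the `passwd -S` output (Password set) in the fix verification below.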

fix execution

output

$ ansible-playbook -i Playbook/inventory troubleshooting/passwordless_fix.yml
PLAY [user module Playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [create a disabled user] *********************************************************************
ok: [demo.example.com]
TASK [enable user] ********************************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com           : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

fix verification

$ ssh devops@demo.example.com
Last login: Tue Oct  5 09:37:07 2021 from 192.168.0.100
[devops@demo ~]$ sudo su -
Last login: Tue Oct  5 09:35:42 UTC 2021 on pts/0
[root@demo ~]# getent passwd | grep example
example:x:1002:1002::/home/example:/bin/bash
[root@demo ~]# passwd -S example
example PS 2021-10-05 0 99999 7 -1 (Password set, SHA512 crypt.)
[root@demo ~]# grep example /etc/shadow
example:$6$kg63VBL5Hw3AwjQt$GSn.Z7h3/ipgaY2p0ypSrymLN/2.lhZnMeONjkiaYc5o7R6TkfHtPJyXmKqoW3IQxw6Udxb2khiJ8NCVo4QKM1:18905:0:99999:7:::

Conclusion

Now you know better how to troubleshoot the error: "usermod: unlocking the user's password would result in a passwordless account".

The Error

fatal: [host]: UNREACHABLE! => {"msg": "Failed to connect to the host via ssh: Permission denied (publickey,password)."}

Or:

fatal: [host]: FAILED! => {"msg": "Missing sudo password"}

Fix SSH Key Authentication

Generate and deploy key

# On controller
ssh-keygen -t ed25519 -f ~/.ssh/ansible_key

# Copy to remote host
ssh-copy-id -i ~/.ssh/ansible_key.pub user@remote-host

Configure in inventory

all:
  vars:
    ansible_user: deploy
    ansible_ssh_private_key_file: ~/.ssh/ansible_key

Fix Passwordless Sudo

Configure sudoers on remote

# Bootstrap playbook (run with --ask-become-pass first time)
- name: Configure passwordless sudo
  ansible.builtin.copy:
    content: "{{ ansible_user }} ALL=(ALL) NOPASSWD: ALL"
    dest: "/etc/sudoers.d/{{ ansible_user }}"
    mode: '0440'
    validate: 'visudo -cf %s'
  become: true

Provide sudo password

# Interactive
ansible-playbook site.yml --ask-become-pass

# In inventory (encrypted)
ansible_become_password: "{{ vault_sudo_pass }}"

Complete Setup Playbook

---
- name: Bootstrap passwordless access
  hosts: new_servers
  become: true
  vars:
    deploy_user: deploy
  tasks:
    - name: Create deploy user
      ansible.builtin.user:
        name: "{{ deploy_user }}"
        shell: /bin/bash
        create_home: true

    - name: Deploy SSH key
      ansible.posix.authorized_key:
        user: "{{ deploy_user }}"
        key: "{{ lookup('file', '~/.ssh/ansible_key.pub') }}"

    - name: Configure passwordless sudo
      ansible.builtin.copy:
        content: "{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL"
        dest: "/etc/sudoers.d/{{ deploy_user }}"
        mode: '0440'
        validate: 'visudo -cf %s'

Troubleshooting Checklist

# 1. Test SSH manually
ssh -i ~/.ssh/ansible_key deploy@remote-host

# 2. Check key permissions
ls -la ~/.ssh/ansible_key      # Should be 600
ls -la ~/.ssh/ansible_key.pub  # Should be 644

# 3. Check remote authorized_keys
ssh deploy@host "cat ~/.ssh/authorized_keys"

# 4. Check sshd allows key auth
ssh deploy@host "grep PubkeyAuthentication /etc/ssh/sshd_config"

# 5. Test sudo
ssh deploy@host "sudo whoami"  # Should output: root

FAQ

"Permission denied (publickey)" — key exists but fails?

Check key file permissions: chmod 600 ~/.ssh/ansible_key
Check the ~/.ssh/ directory: chmod 700 ~/.ssh/
Check remote authorized_keys: chmod 600 ~/.ssh/authorized_keys
Ensure sshd has PubkeyAuthentication yes

Account is locked (password expired)?

- ansible.builtin.user:
    name: deploy
    expires: -1  # Remove expiry
  become: true

How do I use password auth instead of keys?

# Install sshpass
sudo apt install sshpass

# Use --ask-pass
ansible-playbook site.yml --ask-pass --ask-become-pass

SSH keys are strongly recommended over password authentication.

Set Up Passwordless SSH

# Generate SSH key pair
ssh-keygen -t ed25519 -f ~/.ssh/ansible -N ""

# Copy to remote host
ssh-copy-id -i ~/.ssh/ansible.pub user@remote-host

Distribute SSH Key with Ansible

# authorized_key lives in the ansible.posix collection, not in ansible.builtin
- name: Deploy SSH key
  ansible.posix.authorized_key:
    user: deploy
    key: "{{ lookup('file', '~/.ssh/ansible.pub') }}"
    state: present
  become: true

Configure Passwordless Sudo

# Task run against the remote host; it writes a sudoers drop-in, so become is required
- name: Allow deploy user passwordless sudo
  ansible.builtin.lineinfile:
    path: /etc/sudoers.d/deploy
    line: 'deploy ALL=(ALL) NOPASSWD: ALL'
    create: true
    mode: '0440'
    validate: 'visudo -cf %s'
  become: true

ansible.cfg for Key-Based Auth

[defaults]
remote_user = deploy
private_key_file = ~/.ssh/ansible
host_key_checking = false

[privilege_escalation]
become = true
become_method = sudo
become_ask_pass = false

Troubleshooting

"Permission denied (publickey)"

# Check key is loaded
ssh-agent bash
ssh-add ~/.ssh/ansible
ssh-add -l

# Test connection
ssh -i ~/.ssh/ansible -v deploy@remote-host

# Check remote authorized_keys permissions
# Must be:
# ~/.ssh/ → 700
# ~/.ssh/authorized_keys → 600
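The permission checks in the troubleshooting checklist, in the "Permission denied (publickey)" FAQ entry and in the block above are the same three rules applied by hand. The following added Python pre-flight check (example code written for this page, not Ansible's or the page's own tooling) applies them to the controller-side key files before a playbook run. It assumes the modes the page states (~/.ssh 700, private key 600, public key 644) and demonstrates itself on a throwaway directory it creates, so it touches nothing real.

```python
"""Pre-flight check for the local SSH key files Ansible will present.
Added example, not the page's code and not an Ansible feature. It assumes the
modes stated on this page (~/.ssh 700, private key 600, public key 644) and
runs against a throwaway directory it builds itself, so it is safe to try."""
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_MODES = {"ssh_dir": 0o700, "private_key": 0o600, "public_key": 0o644}


def _mode_of(path: Path) -> int:
    """Permission bits only (no file-type bits), e.g. 0o600."""
    return stat.S_IMODE(path.stat().st_mode)


def check_key_files(private_key: Path) -> list[str]:
    """Return findings for a key pair and its directory; [] means all is well."""
    if not private_key.is_file():
        return [f"private key {private_key} does not exist"]
    targets = [
        ("ssh_dir", private_key.parent),
        ("private_key", private_key),
        ("public_key", private_key.with_name(private_key.name + ".pub")),
    ]
    findings = []
    for kind, path in targets:
        if not path.exists():
            findings.append(f"{kind} {path} is missing")
            continue
        actual, expected = _mode_of(path), EXPECTED_MODES[kind]
        if kind == "private_key" and actual & 0o077:
            # The case ssh itself rejects ("UNPROTECTED PRIVATE KEY FILE")
            findings.append(
                f"{kind} {path} is mode {actual:04o}: group/other bits set, "
                f"must be {expected:04o}"
            )
        elif actual != expected:
            findings.append(f"{kind} {path} is mode {actual:04o}, expected {expected:04o}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a lookalike of ~/.ssh with wrong modes, check it, apply the
    chmod fixes from the FAQ above, and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp) / ".ssh"
        ssh_dir.mkdir()
        key, pub = ssh_dir / "ansible", ssh_dir / "ansible.pub"
        key.write_text("constructed placeholder, not a real private key\n")
        pub.write_text("constructed placeholder, not a real public key\n")
        os.chmod(ssh_dir, 0o755)  # too open
        os.chmod(key, 0o644)      # too open: ssh refuses such a key
        os.chmod(pub, 0o644)
        before = check_key_files(key)
        os.chmod(ssh_dir, 0o700)  # chmod 700 ~/.ssh/
        os.chmod(key, 0o600)      # chmod 600 ~/.ssh/ansible
        after = check_key_files(key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

To use it against your real key, call `check_key_files(Path.home() / ".ssh" / "ansible")` before running the playbook; an empty list means the controller side is in order and the remaining suspects are the remote authorized_keys file and sshd's PubkeyAuthentication setting.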

"Missing sudo password"

# Option 1: NOPASSWD in sudoers (recommended)
# deploy ALL=(ALL) NOPASSWD: ALL

# Option 2: Provide password
ansible-playbook site.yml --ask-become-pass

# Option 3: In inventory
[webservers:vars]
ansible_become_password="{{ vault_sudo_pass }}"
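The sudoers drop-in written by the copy and lineinfile tasks on this page, and referred to by Option 1 above, is named after the user. The following added Python check (example code for this page, not part of Ansible or sudo) lints such a drop-in offline. It relies on two rules documented in sudoers(5): sudo skips files in sudoers.d whose name contains a "." or ends with "~", so a user named like "john.doe" keeps getting "Missing sudo password" even though the task reported changed; and the files should be mode 0440. The user names are constructed, and the renderer goes beyond the page's `ALL` entry by allowing an explicit command list.

```python
"""Sanity checks for the NOPASSWD drop-in files the tasks on this page write
under /etc/sudoers.d. Added example, not the page's code and not part of
Ansible or sudo. It relies on two documented sudoers(5) rules: sudo skips
files in sudoers.d whose name contains a '.' or ends with '~', and the files
should be mode 0440. It checks in-memory values only, so it needs no root."""
import re

SUDOERS_MODE = 0o440
# Constructed user names standing in for `{{ ansible_user }}`.
SAMPLE_USERS = ["deploy", "john.doe", "backup~"]

_ENTRY_RE = re.compile(r"^(?P<user>\S+)\s+ALL=\(ALL\)\s+NOPASSWD:\s*(?P<cmds>\S.*)$")


def sudoers_d_filename_ok(name: str) -> bool:
    """False for names sudo silently skips; with such a file the user still
    gets 'Missing sudo password' even though the task reported changed."""
    return bool(name) and "." not in name and not name.endswith("~")


def render_nopasswd_entry(user: str, commands=("ALL",)) -> str:
    """The entry the page's copy/lineinfile tasks write; an explicit command
    list narrows it to least privilege. Always newline-terminated."""
    return f"{user} ALL=(ALL) NOPASSWD: {', '.join(commands)}\n"


def lint_sudoers_d(filename: str, content: str, mode: int) -> list[str]:
    """Findings for one drop-in file; an empty list means sudo will honour it."""
    findings = []
    if not sudoers_d_filename_ok(filename):
        findings.append(f"{filename!r}: name contains '.' or ends with '~', sudo skips it")
    if mode != SUDOERS_MODE:
        findings.append(f"{filename!r}: mode {mode:04o}, expected {SUDOERS_MODE:04o}")
    for line in content.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if _ENTRY_RE.match(line) is None:
            findings.append(f"{filename!r}: unrecognised entry {line!r}")
    return findings


def nopasswd_commands(content: str) -> list[str]:
    """Which commands the entries grant without a password (ALL = everything)."""
    cmds = []
    for line in content.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            cmds.extend(c.strip() for c in m.group("cmds").split(","))
    return cmds


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        entry = render_nopasswd_entry(user)
        print(user, "->", lint_sudoers_d(user, entry, SUDOERS_MODE) or "ok")
    narrow = render_nopasswd_entry("deploy", ("/usr/bin/systemctl restart nginx",))
    print(narrow.strip(), "grants", nopasswd_commands(narrow))
```

The `validate: 'visudo -cf %s'` option on the page's tasks catches syntax errors inside the file, but not a file name sudo never reads; this check covers that gap on the controller before the task runs.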

SSH Host Key Verification Failed

# ansible.cfg
[defaults]
host_key_checking = false

# Or environment variable
export ANSIBLE_HOST_KEY_CHECKING=False

Either setting turns off host key verification, so a changed or impersonated host key is no longer detected. Where possible, keep checking on and pre-populate known_hosts instead, for example with ssh-keyscan or the ansible.builtin.known_hosts module.

Complete Setup Playbook

---
- name: Set up passwordless Ansible access
  hosts: all
  become: true
  vars:
    # Named deploy_user rather than ansible_user: a play-level ansible_user
    # would also change the account Ansible connects as, which does not
    # exist yet on a fresh host.
    deploy_user: deploy
  tasks:
    - name: Create ansible user
      user:
        name: "{{ deploy_user }}"
        shell: /bin/bash
        create_home: true

    - name: Deploy SSH key
      authorized_key:
        user: "{{ deploy_user }}"
        key: "{{ lookup('file', '~/.ssh/ansible.pub') }}"

    - name: Set SSH directory permissions
      file:
        path: "/home/{{ deploy_user }}/.ssh"
        mode: '0700'
        owner: "{{ deploy_user }}"

    - name: Configure passwordless sudo
      copy:
        content: "{{ deploy_user }} ALL=(ALL) NOPASSWD: ALL\n"
        dest: "/etc/sudoers.d/{{ deploy_user }}"
        mode: '0440'
        validate: 'visudo -cf %s'

Inventory Configuration

[webservers]
web1 ansible_host=10.0.1.10
web2 ansible_host=10.0.1.11

[webservers:vars]
ansible_user=deploy
ansible_ssh_private_key_file=~/.ssh/ansible
ansible_become=true
ansible_become_method=sudo

FAQ

Should I disable password auth on SSH?

Yes, for security. After deploying keys:

- lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?PasswordAuthentication'
    line: 'PasswordAuthentication no'
  become: true
  notify: restart sshd  # requires a handler of that name that restarts the sshd service

Can I use different keys per host group?

Yes — set ansible_ssh_private_key_file per group in inventory or group_vars.

How do I rotate SSH keys?

Deploy the new key first, then remove the old one:

- authorized_key:
    user: deploy
    key: "{{ new_key }}"
- authorized_key:
    user: deploy
    key: "{{ old_key }}"
    state: absent

Related Articles

become_user and become_method in Ansible
building an Ansible inventory
creating an Ansible role from scratch

Watch the video: Ansible Missing Sudo Password: Fix Passwordless SSH & Sudo Errors — Video Tutorial
