Disable user account - Ansible module user

Disable user account

Ansible module user

How to disable a user account with Ansible?

I’m going to show you a live demo with some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

Ansible disable user account

Today we’re talking about the Ansible module user. The full name is ansible.builtin.user, which means that is part of the collection of modules “builtin” with ansible and shipped with it. It’s a module pretty stable and out for years, it manages user accounts. It supports a huge variety of Linux distributions, SunOS and macOS, and FreeBSD. For Windows, use the ansible.windows.win_user module instead.

Parameters

• name string - username
• state string - present/absent
• password_lock boolean - no/yes
• shell string - “/sbin/nologin”

This module has many parameters to perform any task. The only required is “name”, which is the username. The parameter “state” allows us to create or delete a user. The “password_lock” parameter specifies to lock the user password. This parameter uses the passwd tool on Linux systems to disables a password by changing it to a value that matches no possible encrypted value (it adds a ´!´ at the beginning of the password). This parameter does not disable the user, only locks the password. This parameter does not always mean the user cannot log in using other methods. The “shell” parameter specifies the user shell. A very special is the nologin. When a user with that shell logs in, they’ll get a polite message saying ‘This account is currently not available.’ This message can be customized with the file /etc/nologin.txt.

demo

Let’s jump into a real-life Ansible Playbook to disable a user.

• user_disable.yml

---
- name: user module demo
  hosts: all
  become: true
  vars:
    myuser: "example"
  tasks:
    - name: disable user
      ansible.builtin.user:
        name: "{{ myuser }}"
        state: present
        password_lock: true
        shell: "/sbin/nologin"

output

$ ansible-playbook -i demo/inventory disable\ user\ account/user.yml

PLAY [user module demo] ***************************************************************************

TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]

TASK [disable user] *******************************************************************************
changed: [demo.example.com]

PLAY RECAP ****************************************************************************************
demo.example.com           : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

verification

$ ssh [email protected]
$ sudo su -
[[email protected] ~]# getent passwd
example:x:1002:1002::/home/example:/sbin/nologin
[[email protected] ~]# passwd -S example
example LK 2021-09-30 0 99999 7 -1 (Password locked.)
[[email protected] ~]# grep example /etc/shadow
example:!!:18900:0:99999:7:::

code with ❤️ in GitHub

Recap

Now you know how to disable a user account with Ansible. Subscribe to the YouTube channel, Medium, Website and Twitter to not miss the next episode of the Ansible Pilot.

Donate

Want to keep this project going? Please donate

Patreon Buy me a Pizza