AnsiblePilot — Master Ansible Automation

AnsiblePilot is the leading resource for learning Ansible automation, DevOps, and infrastructure as code. Browse over 1,100 tutorials covering Ansible modules, playbooks, roles, collections, and real-world examples. Whether you are a beginner or an experienced engineer, our step-by-step guides help you automate Linux, Windows, cloud, containers, and network infrastructure.

Popular Topics

About Luca Berton

Luca Berton is an Ansible automation expert, author of "Ansible for VMware by Examples" and "Ansible for Kubernetes by Example" published by Apress, and creator of the Ansible Pilot YouTube channel. He shares practical automation knowledge through tutorials, books, and video courses to help IT professionals and DevOps engineers master infrastructure automation.

Ansible Change User Password: Secure Password Management Guide

By Luca Berton · Published 2024-01-01 · Category: installation

How to change user passwords with Ansible. Use password_hash, vault encryption, and user module to manage passwords securely on Linux and Windows.

How to Change a User Password with Ansible

Welcome to another episode of Ansible Pilot! I'm Luca Berton, and in today's session, we'll explore how to change a user password using Ansible. The Ansible module we'll be focusing on is ansible.builtin.user, a stable and well-established module that comes bundled with Ansible. It's designed to manage user accounts on various Linux distributions, SunOS, macOS, and FreeBSD.

Understanding the Ansible user Module

The ansible.builtin.user module falls under the "builtin" collection of Ansible modules, indicating its integral nature within the Ansible framework. This module has been around for years and proves reliable in handling user accounts across a wide range of operating systems. For Windows environments, the equivalent module is ansible.windows.win_user.

Key Parameters

The user module offers a plethora of parameters to cater to various user management tasks. Here are some key parameters: • name (string): Specifies the username. • state (string): Indicates whether the user should be present or absent. • password (string): For Linux, the password must be encrypted; for macOS, it can be in cleartext.

The only mandatory parameter is "name" since it denotes the username. The "state" parameter is crucial and should be set to "present" when changing the password, as it ensures the account exists. The most significant parameter is "password," allowing you to set the new password. For macOS, the password is in cleartext, while for Linux, it must be encrypted. The password_hash filter can be used to generate an encrypted password. Optionally, you can specify the encryption algorithm and salt to enhance password security.

Live Demo: Changing a User Password in Linux

Let's dive into a practical Ansible playbook to Playbooknstrate changing a user account password in a Linux environment.

Ansible Playbook Code • change_password.yml

Playbook Execution Output

Verification

Note: Ensure that the sshpass utility is installed on the system.

Conclusion

Congratulations! You've successfully learned how to change a user password using Ansible. The ansible.builtin.user module provides a robust and versatile solution for managing user accounts. Feel free to customize the playbook to suit your environment and security requirements. Happy automating!

Linux: Change Password

Using Ansible Vault

Bulk Password Reset

Force Password Change at Next Login

Windows Password

Generate Random Password

Password Hash Methods

| Algorithm | Filter | Security | |-----------|--------|----------| | SHA-512 | password_hash('sha512') | Recommended | | SHA-256 | password_hash('sha256') | Good | | MD5 | password_hash('md5') | Weak — avoid | | bcrypt | password_hash('bcrypt') | Strong (needs passlib) |

Set Password Expiry

FAQ

Why must I hash the password?

The Linux user module expects a pre-hashed password (like /etc/shadow format). Without hashing, the literal string becomes the hash, and login fails.

How do I check if a password works?

update_password: always vs on_create? • always: Changes password every run (ensures compliance) • on_create: Only sets password when creating the user

How do I avoid showing passwords in logs?

Always use no_log: true on tasks handling passwords.

Set Password (Linux)

Set Password from Vault

Set Password with Salt

Change Multiple User Passwords

Force Password Change on Next Login

Set Password Expiry

Generate Random Password

Windows Password

Using chpasswd (Alternative)

Common Mistakes

FAQ

Why does the task always show "changed"?

Without a static salt, password_hash generates a different hash each run. Add a salt: password_hash('sha512', 'mysalt').

How do I verify the password was set?

Can I use bcrypt instead of SHA-512?

Yes: password_hash('blowfish'). Requires passlib Python library on the controller.

Related ArticlesAnsible Become GuideAnsible Inventory GuideAnsible for Windows Guide

Category: installation

Watch the video: Ansible Change User Password: Secure Password Management Guide — Video Tutorial

Browse all Ansible tutorials · AnsiblePilot Home