Ansible Change User Password: Secure Password Management Guide
By Luca Berton · Published 2024-01-01 · Category: installation
How to change user passwords with Ansible. Use password_hash, vault encryption, and user module to manage passwords securely on Linux and Windows.
How to Change a User Password with Ansible
Welcome to another episode of Ansible Pilot! I'm Luca Berton, and in today's session, we'll explore how to change a user password using Ansible. The Ansible module we'll be focusing on is ansible.builtin.user, a stable and well-established module that comes bundled with Ansible. It's designed to manage user accounts on various Linux distributions, SunOS, macOS, and FreeBSD.
See also: ansible.builtin.user: Change User Password with Ansible (Secure Guide)
Understanding the Ansible user Module
The ansible.builtin.user module falls under the "builtin" collection of Ansible modules, indicating its integral nature within the Ansible framework. This module has been around for years and proves reliable in handling user accounts across a wide range of operating systems. For Windows environments, the equivalent module is ansible.windows.win_user.
Key Parameters
The user module offers a plethora of parameters to cater to various user management tasks. Here are some key parameters:
• name (string): Specifies the username.
• state (string): Indicates whether the user should be present or absent.
• password (string): For Linux, the password must be encrypted; for macOS, it can be in cleartext.
The only mandatory parameter is "name" since it denotes the username. The "state" parameter is crucial and should be set to "present" when changing the password, as it ensures the account exists. The most significant parameter is "password," allowing you to set the new password. For macOS, the password is in cleartext, while for Linux, it must be encrypted. The password_hash filter can be used to generate an encrypted password. Optionally, you can specify the encryption algorithm and salt to enhance password security.
See also: Add Secondary Groups to Linux Users with Ansible Playbook
Live Demo: Changing a User Password in Linux
Let's dive into a practical Ansible playbook to Playbooknstrate changing a user account password in a Linux environment.
Ansible Playbook Code
•change_password.yml
---
- name: user module Playbook
hosts: all
become: true
vars:
myuser: "example"
mypassword: "password"
tasks:
- name: change password
ansible.builtin.user:
name: "{{ myuser }}"
state: present
password: "{{ mypassword | password_hash('sha512') }}"Playbook Execution Output
$ ansible-playbook -i Playbook/inventory change\ user\ password/user.yaml
PLAY [user module Playbook] ***************************************************************************
TASK [Gathering Facts] ****************************************************************************
ok: [demo.example.com]
TASK [change password] ****************************************************************************
changed: [demo.example.com]
PLAY RECAP ****************************************************************************************
demo.example.com : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0Verification
$ sshpass -p 'password' example@demo.example.comNote: Ensure that the sshpass utility is installed on the system.
Conclusion
Congratulations! You've successfully learned how to change a user password using Ansible. The ansible.builtin.user module provides a robust and versatile solution for managing user accounts. Feel free to customize the playbook to suit your environment and security requirements. Happy automating!
See also: Ansible Linux Users and Groups: Complete Management Guide (Examples)
Linux: Change Password
- name: Change user password
ansible.builtin.user:
name: john
password: "{{ 'MySecurePass123!' | password_hash('sha512') }}"
update_password: always
become: trueUsing Ansible Vault
# Create vault: ansible-vault create vault.yml
# vault.yml
user_password: "MySecurePass123!"- name: Change password from vault
ansible.builtin.user:
name: john
password: "{{ user_password | password_hash('sha512') }}"
become: trueansible-playbook site.yml --ask-vault-passBulk Password Reset
- name: Reset all user passwords
ansible.builtin.user:
name: "{{ item.name }}"
password: "{{ item.password | password_hash('sha512') }}"
update_password: always
loop: "{{ vault_users }}"
loop_control:
label: "{{ item.name }}"
no_log: true
become: trueForce Password Change at Next Login
- name: Set password and force change
ansible.builtin.user:
name: newuser
password: "{{ temp_password | password_hash('sha512') }}"
become: true
- name: Force password change at next login
ansible.builtin.command: chage -d 0 newuser
become: true
Windows Password
- name: Change Windows user password
ansible.windows.win_user:
name: john
password: "{{ vault_win_password }}"
update_password: always
no_log: trueGenerate Random Password
- name: Generate and set random password
ansible.builtin.user:
name: "{{ item }}"
password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits,punctuation') | password_hash('sha512') }}"
loop: [user1, user2, user3]
register: password_results
no_log: true
become: truePassword Hash Methods
| Algorithm | Filter | Security |
|-----------|--------|----------|
| SHA-512 | password_hash('sha512') | Recommended |
| SHA-256 | password_hash('sha256') | Good |
| MD5 | password_hash('md5') | Weak — avoid |
| bcrypt | password_hash('bcrypt') | Strong (needs passlib) |
Set Password Expiry
- name: Set password expiry to 90 days
ansible.builtin.command: >
chage -M 90 -W 14 -I 7 {{ username }}
become: trueFAQ
Why must I hash the password?
The Linux user module expects a pre-hashed password (like /etc/shadow format). Without hashing, the literal string becomes the hash, and login fails.
How do I check if a password works?
ansible host -m shell -a "echo 'password' | su - username -c whoami" -bupdate_password: always vs on_create?
•always: Changes password every run (ensures compliance)
• on_create: Only sets password when creating the user
How do I avoid showing passwords in logs?
Always use no_log: true on tasks handling passwords.
Set Password (Linux)
- ansible.builtin.user:
name: deploy
password: "{{ 'MySecurePass123' | password_hash('sha512') }}"
become: true
no_log: trueSet Password from Vault
# group_vars/all/vault.yml (encrypted)
vault_user_password: "SuperSecret123"
# playbook.yml
- user:
name: deploy
password: "{{ vault_user_password | password_hash('sha512') }}"
become: true
no_log: true
Set Password with Salt
- user:
name: deploy
password: "{{ password | password_hash('sha512', 'mystaticSALT') }}"
become: true
no_log: true
# Static salt ensures idempotency (same input = same hash)Change Multiple User Passwords
- vars:
users:
- { name: alice, password: "{{ vault_alice_pass }}" }
- { name: bob, password: "{{ vault_bob_pass }}" }
- { name: charlie, password: "{{ vault_charlie_pass }}" }
user:
name: "{{ item.name }}"
password: "{{ item.password | password_hash('sha512') }}"
loop: "{{ users }}"
become: true
no_log: trueForce Password Change on Next Login
- user:
name: newuser
password: "{{ temp_password | password_hash('sha512') }}"
become: true
no_log: true
- command: chage -d 0 newuser
become: true
Set Password Expiry
- user:
name: deploy
password: "{{ password | password_hash('sha512') }}"
password_expire_max: 90 # Max days between changes
password_expire_min: 7 # Min days between changes
become: true
no_log: trueGenerate Random Password
- set_fact:
generated_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits,punctuation') }}"
no_log: true
- user:
name: deploy
password: "{{ generated_password | password_hash('sha512') }}"
become: true
no_log: true
- debug:
msg: "Password for deploy has been set"
# Don't print the actual password!
Windows Password
- ansible.windows.win_user:
name: Administrator
password: "{{ vault_admin_password }}"
password_never_expires: true
no_log: trueUsing chpasswd (Alternative)
- shell: echo "{{ username }}:{{ password }}" | chpasswd
become: true
no_log: trueCommon Mistakes
# WRONG — plaintext password (not hashed)
- user:
name: deploy
password: "MyPassword123"
# This sets the password HASH to the literal string!
# WRONG — missing no_log
- user:
name: deploy
password: "{{ pass | password_hash('sha512') }}"
# Password hash visible in output!
# CORRECT
- user:
name: deploy
password: "{{ pass | password_hash('sha512') }}"
no_log: true
become: true
FAQ
Why does the task always show "changed"?
Without a static salt, password_hash generates a different hash each run. Add a salt: password_hash('sha512', 'mysalt').
How do I verify the password was set?
# On the remote host
sudo getent shadow usernameCan I use bcrypt instead of SHA-512?
Yes: password_hash('blowfish'). Requires passlib Python library on the controller.
Related Articles
• the Ansible become reference • how Ansible inventory works • managing Windows hosts with AnsibleCategory: installation
Watch the video: Ansible Change User Password: Secure Password Management Guide — Video Tutorial