ansible.builtin.user: Change User Password with Ansible (Secure Guide) — Video Tutorial

Introduction In today's episode of Ansible Pilot, I'm Luca Berton, and we'll be delving into the process of changing a user password on a Linux system using Ansible. Specifically, we'll be utilizing the `ansible.builtin.user` module, an integral part of Ansible's collection of built-in modules. The Ansible User Module The `ansible.builtin.user` module is a stable and well-established component of Ansible, designed to manage user accounts. It boasts compatibility with a wide range of Linux distributions, including RHEL, CentOS, Fedora, Ubuntu, Debian, SUSE, as well as SunOS, macOS, and FreeBSD. For Windows systems, the equivalent module is `ansible.windows.win_user`. Parameters The `user` module comes with various parameters, but the three key ones for our password-changing task are: - **name (string):** Specifies the username. - **state (string):** Indicates the desired state of the user account (present or absent). - **password (string):** For Linux systems, the password must be provided in encrypted form, while macOS accepts cleartext passwords. Writing the Ansible Playbook Let's take a practical approach by crafting an Ansible Playbook that changes the password for a user account on a Linux system. Ansible Playbook Code: `change_password.yml` ```yaml --- - name: user module Playbook hosts: all become: true vars: myuser: "example" mypassword: "password" tasks: - name: change password ansible.builtin.user: name: "{{ myuser }}" state: present password: "{{ mypassword | password_hash('sha512') }}" ``` Executing the Playbook To execute the playbook, use the following command: ```bash $ ansible-playbook -i Playbook/inventory change\ user\ password/user.yaml ``` output ```bash $ ansible-playbook -i Playbook/inventory change\ user\ password/user.yaml PLAY [user module Playbook] *************************************************************************** TASK [Gathering Facts] **************************************************************************** ok: [demo.example.com] TASK [change password] **************************************************************************** changed: [demo.example.com] PLAY RECAP **************************************************************************************** demo.example.com : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 ``` Verification You can verify the password change by attempting to SSH into the system with the updated credentials: ```bash $ sshpass -p 'password' example@demo.example.com ``` **Note:** Ensure that `sshpass` is installed on the system for this verification step. Conclusion In conclusion, you now possess the knowledge to change a user password on a Linux system using Ansible. The `ansible.builtin.user` module simplifies this task, allowing for seamless automation of user account management. Set User Password Ansible requires **hashed** passwords (not plaintext): `