If you're ok with Ansible generating the password for you then storing it 
on the machine you ran the playbook from, then the `password` plugin might 
help a bit.

Assuming you have an inventory of servers and you're OK with saving the 
latest password to "/tmp/root.password.hostname.txt", I believe something 
like this will do what you're looking for:

- name: Force new root password
  user:
    name: root
    # Build the file path by concatenation: "{{ }}" cannot be nested inside a Jinja2 expression.
    password: "{{ lookup('password', '/tmp/root.password.' + inventory_hostname + '.txt length=60 chars=ascii_letters,digits,punctuation') | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}"
    update_password: always


This will generate a random password of ASCII letters, digits and 
punctuation. The password will be 60 characters long, and the plain text of 
it will be stored in /tmp/root.password.{hostname}.txt for each system.

The "password_hash()" modifier on the "password:" line hashes the password 
so the "user:" module can use it.  It also assumes that the system getting 
the new password can handle SHA512 passwords.  It also uses the 
"inventory_hostname" to ensure that the hashed password is idempotent 
between runs. The "1000000|...|string" uses the name of the system being 
worked on as a random seed and picks a pseudo-random value to use for the 
password hash.

NOTE: The first time this is run, the /tmp/root.password.{hostname}.txt 
file is created and used.  The next time you run it, since that file exists 
it will re-use that raw password and not change it.  To change the root 
password of that server, either delete the file and a new random password 
will be assigned, or create your own password and put it in this file.

On Tuesday, September 17, 2019 at 11:36:25 AM UTC-5, Deepan M wrote:
>
> Hi,
>
> Manually logging in to each server and setting the root password: log in to 
> server1, set password "password123"; then log in to server2, set 
> password "redhat123". Like this, I'm looking for an Ansible playbook where I 
> can automate this for 100+ servers.
>
> Idea looking forward:
> 1. A random password needs to be generated.
> 2. On each server, the root user password should be reset by picking up 
> the random password.
>
> Note: For security reasons, we are resetting the root password on a monthly 
> basis, and those passwords should be generated randomly and reset.
>
> Thanks,
> Deepan M
>
>
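
A monthly-rotation play built on the task in the reply above, as an added example that is not part of the original message: it removes the stored file so the lookup generates a new password (as the NOTE describes), keeps the files in a private directory instead of /tmp, and keeps the hash out of task output with no_log. The pw_dir path and the variable names are assumptions.

```yaml
# Added example, not from the original thread.
# pw_dir / pw_file are assumed names; adjust the location to your control node.
- hosts: all
  become: true
  vars:
    pw_dir: "{{ lookup('env', 'HOME') }}/.ansible-root-passwords"
    pw_file: "{{ pw_dir }}/{{ inventory_hostname }}.txt"
  tasks:
    - name: Create a private directory for the stored passwords
      file:
        path: "{{ pw_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false
      run_once: true

    - name: Remove the previous password file so a new one is generated
      file:
        path: "{{ pw_file }}"
        state: absent
      delegate_to: localhost
      become: false

    - name: Set a new random root password
      user:
        name: root
        # The plain text stays on the control node; only the SHA-512 hash
        # is sent to the managed host.
        password: "{{ lookup('password', pw_file + ' length=60 chars=ascii_letters,digits,punctuation') | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}"
        update_password: always
      no_log: true   # keep the hash out of console output and logs
```

If the last task fails for a host, the file on the control node may already hold a password that was never applied there, so re-run the play for that host before relying on the stored value.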
