以没有 sudo 权限的非 root 用户身份连接时,使用 Ansible playbook 脚本更改 linux 密码
[英]Change linux password with Ansible playbook script when connecting as a non-root user without sudo privileges
问题描述
I am trying to change password for a non-root Linux user from Ansible playbook.
我正在尝试从 Ansible playbook 更改非 root Linux 用户的密码。 To do so I tried to follow this link为此,我尝试按照此链接进行操作
Following the instruction I can successfully change the password of a non-root user by typing the code below in the terminal.按照说明,我可以通过在终端中输入以下代码成功更改非 root 用户的密码。
$ echo -e "your_current_pass\nlinuxpassword\nlinuxpassword" | passwd
Changing password for testuser.
(current) UNIX password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully
After that I am trying to automate the code with an Ansible playbook like below,之后,我尝试使用如下所示的 Ansible playbook 自动化代码,
---
- hosts: all
gather_facts: no
tasks:
- name: "Check if user exists"
register: user1_exists
raw: getent passwd {{ ansible_user }}
ignore_errors: true
- name: "Change {{ ansible_user }} password"
raw: echo -e "my_current_pass\nmy_new_pass\nmy_new_pass" | passwd
when: user1_exists|success
I am using the raw module of Ansible here as most of my machines don't have Python installed.我在这里使用 Ansible 的原始模块,因为我的大多数机器都没有安装 Python。 I do not have superuser (sudo) permission either to use become: True in playbook.我也没有superuser (sudo)权限在 playbook 中使用become: True 。
Also using password based authentication here to run the Ansible playbook on target machine.此处还使用基于密码的身份验证在目标机器上运行 Ansible playbook。 Not ssh based authentication.不是基于 ssh 的身份验证。
But while I am executing the playbook I am getting this error,但是当我执行剧本时,我收到了这个错误,
TASK [change user1 password] ***************************************************
fatal: [192.168.0.57]: FAILED! => {"changed": true, "failed": true, "rc": 10,
"stderr": "Shared connection to 192.168.0.57 closed.\r\n", "stdout": "Changing
password for testuser.\r\n(current) UNIX password: passwd: Authentication
token manipulation error\r\npasswd: password unchanged\r\n", "stdout_lines":
["Changing password for testuser.", "(current) UNIX password: passwd:
Authentication token manipulation error", "passwd: password unchanged"]}
Could anyone show me the mistakes I am making here?谁能告诉我我在这里犯的错误?
3 个解决方案
解决方案1
6 2017-08-31 20:06:36
Use the built-in user module instead of a shell command.使用内置用户模块而不是 shell 命令。 This requires become: True in your playbook.这需要become: True在您的剧本中为become: True 。 Note that the password parameter of the user module requires an encrypted value.请注意,用户模块的password参数需要加密值。 The password_hash jinja filter will help you there. password_hash jinja 过滤器将帮助你。
- name: change user's password
user:
name: foo
password: "{{ 'passwordsaresecret' | password_hash('sha512') }}"
解决方案2
1 2020-10-22 22:15:36
Your playbook is almost correct.你的剧本几乎是正确的。 I had the same kind of requirement and I used your playbook.我有同样的要求,我使用了你的剧本。 There was just one mistake in your playbook, you forgot to enclose your password variables in '{{}}' braces.您的剧本中只有一个错误,您忘记将密码变量括在 '{{}}' 大括号中。 So I changed your playbook like below and it worked for me.所以我改变了你的剧本,如下所示,它对我有用。
hosts: all
gather_facts: no
tasks:
- name: "Check if user exists"
register: user1_exists
raw: getent passwd {{ ansible_user }}
ignore_errors: true
- name: "Change {{ ansible_user }} password"
raw: echo -e "{{ ansible_password }}\n{{newpwd}}\n{{newpwd}}" | passwd
when: user1_exists|success
解决方案3
0 2018-11-23 16:03:01
I've hacked together the following to solve this.我已经将以下内容组合在一起来解决这个问题。 The password's don't show in log or even verbose log '-vvvvv' and are not visible in history on remote systems:密码不会显示在日志中,甚至不会显示在详细日志“-vvvvv”中,并且在远程系统的历史记录中不可见:
---
- name: Change password when connecting as a non-root/non-sudoer user.
#
# Ansible's 'user' module can only change a password if it is ran as a root user or 'become' is used.
# For a non-root user, when you run 'passwd', it asks for current password before you can enter a new one.
# Workaround: Create a a temporary script that updates the password and run that script remoteley
# and use 'no_log' directive to prevent passwords being visible in any log.
# Tested that passwords not visible in verbose output '-vvvvv' and not in 'history' of remote computers.
# The temporary script is deleted remotley automatically by 'script' module.
# Note:
# New password must comply with your passwd security policy.
hosts: all
gather_facts: no
vars_prompt:
- name: "curr_pass"
prompt: Type in current password
private: yes
- name: "new_pass"
prompt: Type in new password
private: yes
confirm: yes
## If you need to *temporary* hard-code credentials, use below.
## Delete after use or use vault if you want long-term storage.
#vars:
#- curr_pass: MyOldPass
#- new_pass: MyNewPass123!!
tasks:
- name: Create a temporary local script which will change the users password
copy:
dest: updatePassNonRootDynamic.sh
content: echo -e '{{curr_pass}}\n{{new_pass}}\n{{new_pass}}' | passwd
delegate_to: localhost
no_log: True
run_once: true
- name: Change password via temporary script on all hosts
script: updatePassNonRootDynamic.sh
- name: Remove the temporary local script
file:
path: updatePassNonRootDynamic.sh
state: absent
delegate_to: localhost
run_once: true
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.