在 playbook 中更改 ansible 用户的通行证

Question

I'm pretty new and trying to learn ansible by creating playbooks, so sorry if the question is dumb and I just missed something really evident.

What I am trying to do:

• a vm is created, linux installed, temporary user is created during install with a simple password
• ansible playbook is run, tries to login with the "proper" admin user and pass/key, if it fails tries the temporary user and pass
• if it logins then proceed with the rest of the playbook adding the admin user/pass/key and configure ssh.

I don't seem to be able to do it, I tried a lot of google and a lot of different approaches to no avail, any help is welcome. Meanwhile here's the latest try and the error I get:

- name: "Configure SSH on newly provisioned Linux machine"
hosts: all
gather_facts: no
become: yes
vars:
  sshd_config: "/etc/ssh/sshd_config"
vars_files:
- provision-ssh/vault.yml

tasks:
- name: Check SSH Connection
  wait_for_connection:
    timeout: 5
  ignore_errors: true
  register: _ssh_default_login

- name: If SSH Failed, set temporary password
  set_fact:
    ansible_password: "{{ tmp_pass }}"
    ansible_ssh_password: "{{ tmp_pass }}"
    ansible_become_password: "{{ tmp_pass }}"
  ignore_errors: true
  register: _ssh_user_provision
  when: 
    - _ssh_default_login is failed

- name: Check SSH Connection with temp password
  wait_for_connection:
    timeout: 5
  register: _ssh_temp_login
  when: 
   - _ssh_user_provision is succeeded
- name: "Create user accounts and add to groups"
  #no_log: yes
  become: yes
  user:
    name: "{{ item.username }}"
    password: "{{ item.password | password_hash('sha512', item.salt ) }}"
    groups: "{{ item.groups }}"
    state: present
    append: yes
  loop: "{{ users|flatten(levels=1) }}"
  loop_control:
    label: "{{item.username}}"

- name: "Add authorized keys"
  authorized_key:
    user: "{{ item.username }}"
    key: "{{ lookup('file', 'provision-ssh/'+ item.username + '.key.pub') }}"
  register: add_identity_key
  loop: "{{ users|flatten(levels=1) }}"
  loop_control:
    label: "{{item.username}}"

- name: "Disable root login via SSH"
  lineinfile:
    dest: "{{ sshd_config }}" 
    regexp: "^PermitRootLogin"
    line: "PermitRootLogin no"
  notify: "Restart sshd"

- name: Disable empty password login
  lineinfile: 
    dest: "{{ sshd_config }}" 
    regexp: '^#?PermitEmptyPasswords' 
    line: 'PermitEmptyPasswords no'
  notify: "Restart sshd"

- name: Disable password login
  lineinfile: 
    dest: "{{ sshd_config }}" 
    regexp: '^(#\s*)?PasswordAuthentication '
    line: 'PasswordAuthentication no'
  when: 
    - add_identity_key is succeeded 
    - not add_identity_key is skipped
  notify: Restart sshd

handlers:
- name: "Restart sshd"
  service:
    name: "sshd"
    state: "restarted"

And the error with some editing since I removed the no_log and spews passwords:

PLAY [Configure SSH on newly provisioned Linux machine] ************************
TASK [Check SSH Connection] ****************************************************
fatal: [AnsibleTarget]: FAILED! => {"changed": false, "elapsed": 6, "msg": "timed out waiting for ping module test: Invalid/incorrect password: Permission denied, please try again."}
...ignoring
TASK [If SSH Failed, set temporary password] ***********************************
ok: [AnsibleTarget]
TASK [Check SSH Connection with temp password] *********************************
ok: [AnsibleTarget]
TASK [Create user accounts and add to groups] **********************************
failed: [AnsibleTarget] (item=login_user) => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "ansible_loop_var": "item", "changed": false, "item": {"groups": "sudo", "password": "passwordHere", "salt": "andTheSalt", "username": "login_user"}, "msg": "useradd: Permission denied.\nuseradd: cannot lock /etc/passwd; try again later.\n", "name": "login_user", "rc": 1}
failed: [AnsibleTarget] (item=ansible_user) => {"ansible_loop_var": "item", "changed": false, "item": {"groups": "sudo", "password": "differentPass", "salt": "otherSalt", "username": "ansible_user"}, "msg": "usermod: Permission denied.\nusermod: cannot lock /etc/passwd; try again later.\n", "name": "ansible_user", "rc": 1}
PLAY RECAP *********************************************************************
AnsibleTarget              : ok=3    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=1

Answer 1

It might because the user you are logging in does not have enough privileges.

Try adding become_user: root in the Create user accounts and add to groups task. Reference to become_user is here .

Also, use verbose mode to have more insights into your errors.