Root user password needs to be set for many servers, but each server should get a different password, not the same one


Deepan M

Sep 17, 2019, 12:36:25 PM
to Ansible Project
Hi,

I manually log in to each server and set the root password: log in to server1 and set the password to "password123"; then log in to server2 and set the password to "redhat123", and so on. I'm looking for an Ansible playbook with which I can automate this for 100+ servers.

The idea I'm looking for:
1. A random password needs to be generated.
2. On each server, the root user's password should be reset using the randomly generated password.

Note: For security reasons, we reset the root password on a monthly basis, and those passwords should be randomly generated and then set.

Thanks,
Deepan M

Dan Linder

Sep 17, 2019, 3:27:48 PM
to Ansible Project
If you're OK with Ansible generating the password for you and then storing it on the machine you ran the playbook from, then the `password` lookup plugin might help a bit.

Assuming you have an inventory of servers and you're OK with saving the latest password to "/tmp/root.password.hostname.txt", I believe something like this will do what you're looking for:
- name: Force new root password
  user:
    name: root
    # lookup('password', ...) generates the plain-text password on the control node (or re-reads it
    # if the file already exists); password_hash() turns it into the SHA-512 crypt string the user
    # module expects. The file name is built with '~' instead of nesting a second {{ }} inside the expression.
    password: "{{ lookup('password', '/tmp/root.password.' ~ inventory_hostname ~ '.txt length=60 chars=ascii_letters,digits,punctuation') | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}"
    update_password: always

This will generate a random password of ASCII letters, digits and punctuation; the password will be 60 characters long, and the plain text of it will be stored in /tmp/root.password.{hostname}.txt for each system.

The "password_hash()" filter on the "password:" line hashes the password so the "user:" module can use it.  It also assumes that the system getting the new password can handle SHA512 passwords.  It also uses "inventory_hostname" to ensure that the hashed password is idempotent between runs: the "1000000|...|string" expression uses the name of the system being worked on as a random seed and picks a pseudo-random value to use as the salt for the password hash.

NOTE: The first time this is run, the /tmp/root.password.{hostname}.txt file is created and used.  The next time you run it, since that file exists it will re-use that raw password and not change it.  To change the root password of that server, either delete the file and a new random password will be assigned, or create your own password and put it in this file.
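As an added example (not code from the thread or from the Ansible project), here is a complete playbook built on the same lookup('password') + password_hash() approach, extended with the pieces a monthly rotation needs: a private password store under the operator's home directory instead of /tmp, `no_log` so the plain-text password and its hash never appear in Ansible's output, and a `rotate` variable that discards the stored file first so a scheduled run assigns a fresh password. The store path, the `rotate` variable name and the hostname-seeded salt are assumptions.

```yaml
# Added example, not from the thread. Assumed: the control node keeps the
# per-host passwords in ~/.root-passwords, and "rotate" is passed with -e.
- name: Set a per-host random root password, with an explicit rotation switch
  hosts: all
  become: true
  vars:
    password_store: "{{ lookup('env', 'HOME') }}/.root-passwords"   # assumed location on the control node
    password_file: "{{ password_store }}/{{ inventory_hostname }}.txt"
    rotate: false                                                   # run with -e rotate=true to force a new password

  tasks:
    - name: Ensure the password store exists and is readable only by the operator
      ansible.builtin.file:
        path: "{{ password_store }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false
      run_once: true

    - name: Discard the stored password when a rotation is requested
      ansible.builtin.file:
        path: "{{ password_file }}"
        state: absent
      delegate_to: localhost
      become: false
      when: rotate | bool

    # The lookup runs on the control node: it writes a new 60-character password
    # to password_file if the file is missing, otherwise it re-reads the existing one,
    # so repeated runs without "rotate" leave the password unchanged. The salt is
    # seeded with inventory_hostname so the resulting hash is stable between runs.
    - name: Generate (or reuse) the per-host password and apply it to root
      ansible.builtin.user:
        name: root
        password: >-
          {{ lookup('password', password_file ~ ' length=60 chars=ascii_letters,digits,punctuation')
          | password_hash('sha512', 1000000 | random(seed=inventory_hostname) | string) }}
        update_password: always
      no_log: true
```

A normal run (`ansible-playbook rotate-root.yml`) is idempotent and reports no change once each host has its password; the monthly job runs it with `-e rotate=true`, which removes the stored file for every host in the play and therefore generates and applies a new password. The stored files are still plain text, so the control node's password store is the thing to protect; encrypting the directory with ansible-vault after each rotation, or moving the values into a secrets manager, is the usual next step.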

Deepan M

Sep 18, 2019, 12:18:03 PM
to Ansible Project
Thank you Dan Linder, the playbook is working perfectly.

Regards,
Deepan M

Dan Linder

Sep 18, 2019, 12:41:59 PM
to Ansible Project
Great to hear!  Thanks for the feedback.