Via ansible change password of non-root account using passwd command and picking old password from ansible files

ansible ansible-playbook

I have got a lot of systems having a common username to log in. The password is also the same for most of the systems. I have 1 inventory file with all the systems. For the systems that have a different password, I have saved the password against the hostname, and for the remaining it is in the group_vars file.

In inventory file:

hostname1 ansible_ssh_pass=pass1
hostname2 ansible_ssh_pass=pass2
hostname3
hostname4

group_vars file:

ansible_user: someuser
ansible_ssh_pass: pass3

I do not have higher privileges. From another thread I was able to figure out how to only use passwd to change the password, and not use other utilities.

shell: 'printf "%s\n" OldPass NewPass NewPass | passwd'

The passwd does not support the "-p" option.

I am trying to figure out a way to get the OldPass value from the same place where Ansible is picking it up for each host, so that I do not have to run this playbook n number of times and manually put the OldPass in the shell command.

Please advise on how to proceed with this.

Thanks.

Best Answer

You can use variables directly:

$ ansible -c local -m shell \
  -a "printf '%s\n' {{ ansible_ssh_pass }} {{ ansible_ssh_newpass }}" \
  --extra-vars="ansible_ssh_pass=oldpass ansible_ssh_newpass=newpass" \
  localhost
127.0.0.1 | SUCCESS | rc=0 >>
oldpass
newpass

In this example, the variables are fed to Ansible from the command line; in your example, they would come from group_vars.

You can even define a default value and override it for specific systems:

$ ansible -c local -m shell \
  -a "printf '%s\n' {{ ansible_ssh_pass | default('otherpass') }} {{ ansible_ssh_newpass }}" \
  --extra-vars="ansible_ssh_newpass=newpass" \
  localhost
127.0.0.1 | SUCCESS | rc=0 >>
otherpass
newpass
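
An added example (not part of the answer above) that puts the same variable lookup into a playbook: each host's old password is whatever `ansible_ssh_pass` resolves to from the inventory line or group_vars, and it is sent to `passwd` on stdin through the command module instead of being rendered into a shell command string. The variable name `new_password` is an assumption, and the play assumes `passwd` reads its prompts from stdin, as the pipeline in the question does.

```yaml
---
# Added example. Assumption: new_password is supplied from an Ansible Vault
# encrypted vars file or via --extra-vars @file, never typed into the playbook.
- name: Change the login user's own password with passwd
  hosts: all
  gather_facts: false

  tasks:
    - name: Stop before touching any host if no new password was supplied
      ansible.builtin.assert:
        that:
          - new_password is defined
          - new_password | length > 0
        quiet: true
      no_log: true

    - name: Feed old password, new password and confirmation to passwd on stdin
      # command (not shell) runs passwd directly, so the passwords are never
      # part of an "sh -c ..." argument visible in the process list, and
      # special characters in a password cannot be interpreted by a shell.
      ansible.builtin.command:
        cmd: passwd
        # ansible_ssh_pass is resolved per host: the inventory value where one
        # is set (hostname1, hostname2), otherwise the group_vars value.
        stdin: "{{ ansible_ssh_pass }}\n{{ new_password }}\n{{ new_password }}"
      register: passwd_result
      changed_when: passwd_result.rc == 0
      # Keep the rendered stdin out of task output and logs.
      no_log: true

    - name: Use the new password for any later connection in this run
      ansible.builtin.set_fact:
        ansible_ssh_pass: "{{ new_password }}"
      no_log: true
```

After a successful run the inventory and group_vars still hold the old passwords and need updating before the next run.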