Ansible + AWX – How to update a Linux user password with encryption and password hash
Today we began working on that age-old task of resetting the passwords of our local Linux accounts, and on converting the task to Ansible run via AWX. It seemed very straightforward to do this with the “user” module in Ansible.
For our setup we use AWX, which is an awesome platform to run and track Ansible playbooks. AWX does have an encrypted text input for passing a value through AWX to the playbook; however, when the playbook actually executes on the target machine, the value is an unencrypted string at the point where the password is set. The user module expects an already-hashed value and writes what it is given into the password field. This is a problem for the obvious reason that the password is shown in plain text in the shadow file of the target server.
The approaches that the Ansible docs mention for the user module just seemed a little tedious, so we did some googling. In our search for a way to encrypt this password input we found a great blog post by Jian Jye. The post points out a clever filter built right into Ansible called password_hash.
Essentially the playbook would look something like the code below, with a simple pipe, where “newpassword” is the input password variable from AWX.
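---
- hosts: all
  become: yes
  tasks:
    - name: Change user password
      user:
        name: admin
        update_password: always
        # password_hash('sha512') turns the string passed in from AWX into a
        # SHA-512 crypt hash, the form the user module writes to /etc/shadow.
        # No salt is given, so a new random salt (and a new hash) is generated
        # on every run and the task always reports "changed".
        password: "{{ newpassword | password_hash('sha512') }}"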
Big kudos to Jian Jye for making this such easy work in this post: https://jianjye.medium.com/how-to-update-user-password-with-ansible-f971f41a3b3e
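To check whether an earlier run without the filter left a literal password in a shadow file, the sketch below classifies the password field of each entry. It is an added example, not code from the original post or from Ansible; the function names and the sample entries are constructed for illustration, and it assumes legacy DES hashes are not in use (they would be reported as not-a-hash).

```python
import re

# $6$[rounds=N$]salt$digest: salt of up to 16 chars, digest of exactly 86 chars
SHA512_CRYPT = re.compile(
    r"^\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"
)
# Any other modular-crypt value, e.g. $y$ (yescrypt) or $5$ (SHA-256)
OTHER_CRYPT = re.compile(r"^\$[0-9a-z]+\$.+")


def classify(field):
    """Classify the second (password) field of a shadow(5) entry."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if SHA512_CRYPT.match(field):
        return "sha512-crypt"
    if OTHER_CRYPT.match(field):
        return "other-hash"
    return "not-a-hash"  # a literal string was written instead of a hash


def audit(shadow_text):
    """Return {user: classification} for each entry in shadow-format text."""
    result = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue  # skip blank, comment and malformed lines
        result[parts[0]] = classify(parts[1])
    return result


def suspicious(shadow_text):
    """Users whose password field is a literal string rather than a hash."""
    return sorted(u for u, k in audit(shadow_text).items() if k == "not-a-hash")


# Constructed sample, not taken from a real system; the digests are filler.
SAMPLE = "\n".join([
    "root:!:19000:0:99999:7:::",
    "admin:$6$constructedsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "deploy:Summer2024!:19000:0:99999:7:::",
    "svc:$y$j9T$constructed$filler:19000:0:99999:7:::",
    "guest::19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, kind in audit(SAMPLE).items():
        print(f"{user:8} {kind}")
```

Any account reported as not-a-hash should have its password rotated, since the old value was readable in the shadow file.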
Ben Tuma
Over 20 years of experience in the Information Technology field. I love technology and seeing how it changes and impacts people's lives for the better. I have a healthy appetite for innovation and problem solving.
I am sharing my knowledge and challenges in hopes of helping others as we constantly face ever-changing problems in IT and technology.