ansible 修改密碼

小吉猫發表於2024-04-14

hosts

[centos-root]
192.168.174.129 ansible_ssh_port=22 
192.168.174.130 ansible_ssh_port=22  
192.168.174.131 ansible_ssh_port=22 

Ansible Vault 檔案

建立 Ansible Vault 檔案

# ansible-vault create passwords.yml
New Vault password:                    # 12345678
Confirm New Vault password:

編輯 Ansible Vault 檔案

# ansible-vault edit passwords.yml
Vault password:

passwords.yml

192.168.174.129:
  old_yunwei_password: yunwei_129
  new_yunwei_password: yunwei*_129
192.168.174.130:
  old_yunwei_password: yunwei_130
  new_yunwei_password: yunwei*_130
192.168.174.131:
  old_yunwei_password: yunwei_131
  new_yunwei_password: yunwei*_131

playbook

change_password.yaml

- hosts: centos
  remote_user: yunwei
  gather_facts: no  # 禁用 Ansible 在執行任務之前從目標主機中收集資訊
  become: yes
  become_method: sudo
  become_user: root
  vars_files:
    - passwords.yml
  vars:
    new_password: "{{ hosts_passwords[inventory_hostname].new_yunwei_password }}"
    ansible_ssh_pass: "{{ hosts_passwords[inventory_hostname].old_yunwei_password }}"
    ansible_become_pass: "{{ hosts_passwords[inventory_hostname].old_yunwei_password }}" 

  tasks:
    - name: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
      ansible.builtin.shell:
        cmd: |
          chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
 
    - name: Change user password
      ansible.builtin.user:
        name: "{{ ansible_user }}"
        password: "{{ new_password | password_hash('sha512') }}"
      register: password_change_result

    - name: Print password change info
      debug:
        msg: "Password change info: {{ password_change_result }}"

    - name: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
      vars:
        ansible_ssh_pass: "{{ hosts_passwords[inventory_hostname].new_yunwei_password }}"
        ansible_become_pass: "{{ hosts_passwords[inventory_hostname].new_yunwei_password }}"    
      ansible.builtin.shell:
        cmd: |
          chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile

測試 playbook

# ansible-playbook -i hosts change_password.yaml --ask-vault-pass
Vault password: 

PLAY [centos] *****************************************************************************************************************************************************************

TASK [Gathering Facts] ********************************************************************************************************************************************************
ok: [192.168.174.130]
ok: [192.168.174.131]
ok: [192.168.174.129]

TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.131]
changed: [192.168.174.129]
changed: [192.168.174.130]

TASK [Change user password] ***************************************************************************************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]

TASK [Print password change info] *********************************************************************************************************************************************
ok: [192.168.174.129] => {
    "msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.130] => {
    "msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.131] => {
    "msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1000, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1000}"
}

TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.129]
changed: [192.168.174.131]

PLAY RECAP ********************************************************************************************************************************************************************
192.168.174.129            : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.174.130            : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.174.131            : ok=5    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  

相關文章