hosts
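# Group name must match the play's `hosts:` line in change_password.yaml
# (the playbook and the sample run both use `centos`; a mismatch yields
# "No hosts matched" and nothing is rotated).
[centos]
# Inventory hostnames are the bare IPs; passwords.yml must be keyed by
# exactly these strings, because the playbook indexes it with
# inventory_hostname.
192.168.174.129 ansible_ssh_port=22
192.168.174.130 ansible_ssh_port=22
192.168.174.131 ansible_ssh_port=22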
Ansible Vault 檔案
建立 Ansible Vault 檔案
# ansible-vault create passwords.yml
New Vault password: # 12345678  <- example only; in practice use a long, unique passphrase (this one is trivially guessable, and it is the only thing protecting every host's credentials)
Confirm New Vault password:
編輯 Ansible Vault 檔案
# ansible-vault edit passwords.yml
Vault password:
passwords.yml
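# Vault-encrypted credential map consumed by change_password.yaml.
#
# The playbook looks up hosts_passwords[inventory_hostname].<key>, so the
# entries MUST sit under a top-level `hosts_passwords:` key and MUST be keyed
# by the exact inventory hostnames (here: the IPs from the `hosts` file).
# old_yunwei_password is used for the SSH login and sudo; new_yunwei_password
# is the value that gets set. Values are quoted so that characters such as
# `*`, `#` or `:` can never be misread by the YAML parser.
hosts_passwords:
  192.168.174.129:
    old_yunwei_password: "yunwei_129"
    new_yunwei_password: "yunwei*_129"
  192.168.174.130:
    old_yunwei_password: "yunwei_130"
    new_yunwei_password: "yunwei*_130"
  192.168.174.131:
    old_yunwei_password: "yunwei_131"
    new_yunwei_password: "yunwei*_131"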
playbook
change_password.yaml
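# Rotate the `yunwei` password on every host in the `centos` group.
# Credentials come from the vault-encrypted passwords.yml
# (hosts_passwords[<inventory_hostname>].{old,new}_yunwei_password).
#
# The affected account files are normally kept immutable (chattr +i); the
# immutable bit is dropped only for the duration of the change and is
# re-applied in an `always` section, so a failed password change can no
# longer leave /etc/shadow & co. writable.
- hosts: centos            # must be the group name used in the inventory file
  remote_user: "{{ target_user }}"
  gather_facts: no         # nothing below uses facts (the sample run in this post
                           # still shows "Gathering Facts", so that run presumably
                           # did not have this set)
  become: yes
  become_method: sudo
  become_user: root
  vars_files:
    - passwords.yml        # vault-encrypted: run with --ask-vault-pass or --vault-password-file
  vars:
    target_user: yunwei    # account whose password is rotated; also the SSH login
    # This host's entry in the vault file.
    host_creds: "{{ hosts_passwords[inventory_hostname] }}"
    new_password: "{{ host_creds.new_yunwei_password }}"
    # Log in and escalate with the CURRENT password.
    ansible_ssh_pass: "{{ host_creds.old_yunwei_password }}"
    ansible_become_pass: "{{ host_creds.old_yunwei_password }}"
    # Files that carry the immutable attribute and must be unlocked for the
    # password change (only shadow/gshadow/passwd/group are actually written).
    immutable_files:
      - /etc/gshadow
      - /etc/shadow
      - /etc/group
      - /etc/passwd
      - /etc/ssh/sshd_config
      - /etc/profile
  tasks:
    - name: Rotate password while the account files are temporarily mutable
      block:
        - name: chattr -i (unlock account files)
          # `command` rather than `shell`: no shell features are needed, and
          # argv avoids any quoting/word-splitting surprises.
          ansible.builtin.command:
            argv: "{{ ['chattr', '-i'] + immutable_files }}"

        - name: Change user password
          ansible.builtin.user:
            name: "{{ target_user }}"
            # No fixed salt is given, so a fresh salt is generated on every run
            # and this task always reports `changed` (same as the original).
            password: "{{ new_password | password_hash('sha512') }}"
          register: password_change_result

        - name: Print password change info
          # The user module already masks the hash (password: NOT_LOGGING_PASSWORD).
          ansible.builtin.debug:
            msg: "Password change info: {{ password_change_result }}"

      always:
        - name: chattr +i (re-lock account files, even if the change failed)
          vars:
            # After a successful change sudo wants the NEW password; if the
            # change failed or never ran, the OLD one is still the valid one.
            # Without this, a failed rotation would also fail to re-lock the files.
            _effective_password: "{{ host_creds.new_yunwei_password if (password_change_result is defined and password_change_result is changed) else host_creds.old_yunwei_password }}"
            ansible_ssh_pass: "{{ _effective_password }}"
            ansible_become_pass: "{{ _effective_password }}"
          ansible.builtin.command:
            argv: "{{ ['chattr', '+i'] + immutable_files }}"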
測試 playbook
# ansible-playbook -i hosts change_password.yaml --ask-vault-pass
Vault password:
PLAY [centos] *****************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************
ok: [192.168.174.130]
ok: [192.168.174.131]
ok: [192.168.174.129]
TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.131]
changed: [192.168.174.129]
changed: [192.168.174.130]
TASK [Change user password] ***************************************************************************************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]
TASK [Print password change info] *********************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.130] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.131] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1000, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1000}"
}
TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.129]
changed: [192.168.174.131]
PLAY RECAP ********************************************************************************************************************************************************************
192.168.174.129 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.130 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.131 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0