If you’re using the Ansible user module for user management on a Linux or Unix system, a hashed ("encrypted") password is required to set a user's password without an interactive prompt. On macOS systems, the value of the password parameter has to be cleartext. This guide demonstrates how to generate a hashed Linux user password for use with the Ansible user module.

There are various ways of generating a hashed user password on a Linux system. One method uses Python, another uses the mkpasswd command-line utility, and there are many others.

Generate encrypted password with Python3

To generate the hash, you must have the python3 package on your system. The following commands can be used to install the package depending on your operating system.

--- CentOS ---
$ sudo yum -y install epel-release
$ sudo yum install python3

--- Ubuntu / Debian ---
sudo apt update
sudo apt install python3

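To generate the hash, use a command such as the following. It relies on Python's crypt module, which was deprecated in Python 3.11 and removed in Python 3.13, so it needs an older interpreter: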

python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

It will ask you to enter and confirm the password:

Password: 
Confirm: 
$6$/1OFlW9yH1KHHiOm$pn2SfNgbF/rbblahjseab/p1Xb6Z29UZik.BUilZ.TLnp9yvl2HViB3fs8XdVteboeioss7o2A4g1IYxw.TFJ/

You will then use the printed hash as the value of the password parameter of the Ansible user module.

Generate encrypted password with Python2

If you are using Python2, e.g. on a CentOS 7 server, first install pip.

sudo yum -y install python-pip

Then ensure that the Passlib password hashing library is installed:

sudo pip install passlib

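Generate the hashed password with Passlib (in Python2, crypt.crypt() requires an explicit salt argument, so the Python3 one-liner does not work here):

python -c 'from passlib.hash import sha512_crypt; import getpass; pw=getpass.getpass(); print(sha512_crypt.using(rounds=5000).hash(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'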

Same output as before:

Password: 
Confirm: 
$6$4QSwvTfs5ijeRo6V$qAgug/HU1WUe7e/s5c6H0HQDCb4QnOumJ6bgxyykiKgewNTr/ifF5yUBq7taNZ0eJAqrXXXwzvxd9ewgq9XHI0

Generate encrypted password using mkpasswd

You can also use the mkpasswd utility that is available on most Linux systems to generate a hashed password.

Install mkpasswd:

--- Ubuntu / Debian ---
$ sudo apt update
$ sudo apt install mkpasswd

--- CentOS / Fedora ---
sudo yum install expect

Generate password:

$ mkpasswd --method=sha-512
Password: 
$6$ieMLxPFShvi6rao9$XEAU9ZDvnPtL.sDuSdRi6M79sgD9254b/0wZvftBNvMOjj3pHJBCIe04x2M.JA7gZ7MwpBWat1t4WQDFziZPw1

Testing the generated password hash

We can create a user with the hashed password and confirm that we can log in with the password it was generated from.

$ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
Password: 
Confirm: 
$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.

Create a playbook that creates the user.

$ vim user_create.yml

Add:

---
- name: Create demo user
  hosts: localhost
  become: yes
  become_method: sudo
  vars:
    users:
    - username: demo
      password: $6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.
  tasks:
    - name: Create user demo
      user:
          name: "{{ item.username }}"
          shell: /bin/bash
          createhome: yes
          group: wheel
          generate_ssh_key: yes
          ssh_key_bits: 2048
          password: "{{ item.password }}"
          update_password: always
      with_items: "{{ users }}"
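
Before running the playbook, the value placed in password: can be checked for the shape of a crypt hash, which catches cleartext, a hash truncated by copy-paste or shell quoting, and weak schemes. The following is an added example, not code from the original article; it assumes only the $1$, $5$ and $6$ schemes need to be recognised (anything else is reported as unrecognised), and the function name and sample values are made up for illustration.

```python
import re

# Added example, not from the original article. Layout of a modular crypt
# string: $id$[rounds=N$]salt$digest, fields drawn from ./0-9A-Za-z.
SCHEMES = {
    # id: (name, max salt length, digest length, acceptable for new accounts)
    "6": ("sha512-crypt", 16, 86, True),
    "5": ("sha256-crypt", 16, 43, True),
    "1": ("md5-crypt", 8, 22, False),
}
CRYPT_RE = re.compile(
    r"\$(?P<id>[156])\$(?:rounds=(?P<rounds>[0-9]+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]+)\$(?P<digest>[./0-9A-Za-z]+)"
)


def check_password_value(value):
    """Return 'ok' or the reason the value is unfit for `password:` on Linux."""
    m = CRYPT_RE.fullmatch(value)
    if m is None:
        return ("not a recognised $1$/$5$/$6$ crypt hash "
                "(cleartext, mangled by quoting, or another scheme)")
    name, max_salt, digest_len, acceptable = SCHEMES[m.group("id")]
    if not acceptable:
        return name + " is too weak for new accounts"
    if len(m.group("salt")) > max_salt:
        return "salt longer than %d characters" % max_salt
    if len(m.group("digest")) != digest_len:
        return "%s digest must be %d characters (truncated?)" % (name, digest_len)
    rounds = m.group("rounds")
    if rounds is not None and not 1000 <= int(rounds) <= 999999999:
        return "rounds outside 1000..999999999"
    return "ok"


# Constructed sample values (the digests are filler, not real hashes).
SAMPLES = {
    "sha512": "$6$abcdefgh12345678$" + "A" * 86,
    "sha512_rounds": "$6$rounds=656000$abcdefgh12345678$" + "A" * 86,
    "truncated": "$6$abcdefgh12345678$" + "A" * 40,
    "md5": "$1$abcdefgh$" + "A" * 22,
    "cleartext": "Sup3rS3cret!",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print("%-14s %s" % (label, check_password_value(value)))
```

The check is purely structural: it cannot tell whether the hash matches the intended password, which is what the su test below confirms.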

Execute playbook to create the user.

$ ansible-playbook user_create.yml --user=jkmutai --ask-pass --ask-become-pass 
SSH password: 
BECOME password[defaults to SSH password]: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create demo user] ********************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************
ok: [localhost]

TASK [Create user demo] ********************************************************************************************************************************
changed: [localhost] => (item={'username': 'demo', 'password': '$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.'})

PLAY RECAP *********************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Confirm user has been created.

$ getent passwd demo 
demo:x:1002:10::/var/home/demo:/bin/bash

Switch to the user to confirm that the hashed password works.

$ su - demo
Password: 

Welcome to Fedora Silverblue. This terminal is running on the
host system. You may want to try out the Toolbox for a directly
mutable environment that allows package installation with DNF.

For more information, see the documentation.

[[email protected] ~]$ 

Delete user:

$ sudo userdel -r demo
$ id demo           
id: ‘demo’: no such user

That’s all on how to generate an encrypted Linux user’s password for Ansible.
