In this article, I will show you how to run Ansible playbooks using an SSH password-based login with sshpass.
Prerequisites
If you would like to try out the examples discussed in this article,
1) You must have Ansible installed on your computer.
2) You must have at least an Ubuntu/Debian host to which you can connect from Ansible.
There are many articles on LinuxHint dedicated to Installing Ansible. You may check these out if needed to install the necessary programs on your system.
You will also need to have sshpass installed on your computer, where you should have Ansible installed. I will show you how to install sshpass on Ubuntu/Debian and CentOS/RHEL in this article. Do not worry if you do not have these programs already installed on your system.
Installing sshpass on Ubuntu/Debian
The program sshpass is available in the official package repository of Ubuntu/Debian. You can easily install this program on your computer.
First, update the APT package repository cache via the following command:
Now, install sshpass via the following command:
$ sudo apt install sshpass -y
sshpass should now be installed.
Installing sshpass on CentOS 8/RHEL 8
sshpass is available in the EPEL repository of CentOS 8/RHEL 8. You must have the EPEL repository enabled to install sshpass.
First, update the DNF package repository cache via the following command:
Next, install the EPEL repository package via the following command:
$ sudo dnf install epel-release -y
The EPEL repository package should now be installed and the EPEL repository should be enabled.
Update the DNF package repository cache again, as follows:
Install sshpass via the following command:
$ sudo dnf install sshpass -y
sshpass should be installed.
Setting Up an Ansible Project Directory
Before we move on any further, it would be a good idea to create a project directory structure, just to keep things a bit organized.
To create a project directory sshpass/ and all the required subdirectories (in your current working directory), run the following command:
$ mkdir -pv sshpass/{files,playbooks}
Navigate to the project directory, as follows:
Create a hosts inventory file, as follows:
Add your host IP or DNS name in the inventory file.
Once you are finished with this step, save the file by pressing X, followed by Y and .
Create an Ansible configuration file in the project directory, as follows:
Now, type in the following lines in the ansible.cfg file.
Once you are finished with this step, save the file by pressing X, followed by Y and .
Testing Password-Based SSH Login in Ansible
Next, try to ping the hosts in the inventory file, as follows:
$ ansible all -u shovon -m ping
NOTE: Here, the -u option is used to tell ansible which user to log in as. In this case, it will be the user shovon. Replace this username with yours from now on, throughout the demo.
As you can see, I am not able to log in to the host and run any commands.
To force Ansible to ask for the user password, run the ansible command with the –ask-pass argument, as follows:
$ ansible all -u shovon –ask-pass -m ping
As you can see, Ansible asks for the SSH password of the user. Now, type in your SSH password (user login password) and press .
The host can be pinged, as follows:
Ansible Password-based SSH Login for Playbooks
You can use a password-based SSH login when you run Ansible playbooks. Let us look at an example.
First, create a new playbook askpass1.yaml in the playbooks/ directory, as follows:
$ nano playbooks/askpass1.yaml
Type the following lines in the askpass1.yaml playbook file:
– hosts: all
user: shovon
tasks:
– name: Ping all hosts
ping:
– name: Print a message
debug:
msg: ‘All set’
Once you are finished with this step, save the file by pressing X, followed by Y and .
Run the askpass1.yaml playbook, as follows:
$ ansible-playbook playbooks/askpass1.yaml
As you can see, I am not able to connect to the host. You can see that this is because I did not run the ansible-playbook command with the –ask-pass option.
Run the askpass1.yaml playbook with the –ask-pass option, as follows:
$ ansible-playbook –ask-pass playbooks/askpass1.yaml
As you can see, Ansible is asking for a SSH password. Type in your SSH password and press .
The playbook askpass1.yaml should now run successfully.
Ansible sudo Password Login for Playbooks
The –ask-pass option will ask for the SSH login password only. What if you also wish to type in the sudo password? You will see how to do this in the next steps.
First, create a new playbook askpass2.yaml in the playbooks/ directory, as follows:
$ nano playbooks/askpass2.yaml
Type the following lines in the askpass2.yaml file.
– hosts: all
user: shovon
become: True
tasks:
– name: Install apache2 Package
apt:
name: apache2
state: latest
– name: Make sure apache2 service is running
service:
name: apache2
state: started
enabled: True
– name: Copy index.html file to server
copy:
src: ../files/index.html
dest: /var/www/html/index.html
mode: 0644
owner: www-data
group: www-data
Here, I have used the command become: True to tell Ansible to run this playbook with sudo privileges. Once you are finished with this step, save the askpass2.yaml file by pressing X, followed by Y and .
Create an index.html file in the files/ directory, as follows:
Type the following HTML codes in the index.html file:
Once you are finished with this step, save the file by pressing X followed by Y and .
You may run the askpass2.yaml playbook with the –ask-pass option, as follows:
$ ansible-playbook –ask-pass playbooks/askpass2.yaml
You will then be asked for the SSH password, as before.
But the playbook still may not run even if you provide the SSH password. The reason for this is because you have to tell Ansible to prompt for the sudo password, as well as the SSH password.
You can tell Ansible to ask for the sudo password using the –ask-become-pass option while running the playbook, as follows:
$ ansible-playbook –ask-pass –ask-become-pass playbooks/askpass2.yaml
Now, Ansible will prompt you for the SSH password.
Next, Ansible will prompt you for the sudo password. If your sudo password is the same as the SSH password (which is most likely), then leave it blank and press .
As you can see, the playbook ran successfully.
Configuring Automatic Password-Based SSH Login and sudo Password Login
You may wish to use password-based SSH and sudo login, but do not want to type in the SSH password and sudo password every time you run a playbook. If that is the case, then this section is for you.
To use password-based SSH login and sudo login without being prompted for the passwords, all you have to do is add the ansible_ssh_pass and ansible_become_pass host variables or group variables in your inventory file.
First, open the hosts inventory file, as follows:
If you have multiple hosts in your inventory file and each of the hosts has different passwords, then add the ansible_ssh_pass and ansible_become_pass variables as host variables (after each host) as follows.
Be sure to replace secret with your SSH and sudo password.
If all or some of the hosts have the same password, then you can add the ansible_ssh_pass and ansible_become_pass variables as group variables, as shown in the example below.
Here, I have only one host, so I have added the ansible_ssh_pass and ansible_become_pass variables for the all group (all hosts in the inventory file). But, you may add these variables for other specific groups as well.
Once you have finished adding the ansible_ssh_pass and ansible_become_pass variables in the hosts inventory file, save the hosts inventory file by pressing X, followed by Y and .
You may now run the askpass2.yaml playbook, as follows:
$ ansible-playbook playbooks/askpass2.yaml
As you can see, the playbook ran successfully, though it did not ask for the SSH password or the sudo password.
So, this is how you use sshpass for password-based SSH and sudo login in Ansible. Thank you for reading this article!
About the author
Shahriar Shovon
Freelancer & Linux System Administrator. Also loves Web API development with Node.js and JavaScript. I was born in Bangladesh. I am currently studying Electronics and Communication Engineering at Khulna University of Engineering & Technology (KUET), one of the demanding public engineering universities of Bangladesh.
