Adding User and Password Using Ansible

27.05.2024
Author: HostZealot Team

Automation tools greatly simplify the challenges of server management. Here, we introduce one of them: Ansible, a fantastic option for adding new users and passwords. If you have a couple of servers, adding new users manually can be really time-consuming. Instead of entering every user by hand, you can automate the process.

Based on our practical experience with the tool, we will share a couple of insights about Ansible.

Environment Preparation

Environment preparation is a crucial step in any process, so check that everything you need is in place:

  • An inventory file with hosts
  • Ansible installed on the control node
  • A working SSH connection between the client and control nodes
  • A client node that acts as the remote host

The user Module

The user module is essential for user management on the hosts. Here are a couple of the options it provides:

  • state – determines the necessary state of the account
  • home – specifies the home directory
  • shell – the login shell
  • password – the user’s password
  • groups – supplementary groups
  • ssh_key_file – the place where the SSH key is stored
  • ssh_key_bits – the number of bits in the key
  • name – the user’s name, which is required

Of course, these are only the basic options. The module offers many more, including:

  • profile – specifies the profile
  • seuser – adds the SELinux security context
  • update_password – controls when the password is updated

User Creation Process

Technically, there are 2 ways to create a user. Let’s discuss each variant in detail.

User Insertion via Ad-Hoc Commands

The first option for creating a user is an Ad-Hoc command. Let’s look at a real example of the user creation process:

$ ansible -i project_inventory.ini client1 -m user -a "name=Action state=present createhome=yes" -b
192.168.221.171 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1006,
    "home": "/home/action",
    "name": "Action",
    "shell": "/bin/sh",
    "state": "present",
    "system": false,
    "uid": 1005
}

To check whether the user was created with all the mentioned details, use the following command:

$ ls /home

User Insertion via Playbooks

To create a user via a playbook, start with the following file:

$ cat add_user.yml
---
- name: Create a user
  hosts: client1
  become: yes
  tasks:
  - name: Add user Action
    user:
      name: Action
      shell: /bin/bash
      home: /home/action

After that, run this playbook. To check whether the process was successful, switch to the client node as in the previous example and use the same command:

$ ls /home/

Group Membership Establishment

Now we will establish group membership for the already created user. The process is the following:

$ cat add_grp.yml
---
- name: Create a group and add a user
  hosts: client1
  become: yes
  tasks:
  - name: Ensure the group exists
    group:
      name: group1
      state: present
  - name: Add user to the group
    user:
      name: action
      groups: group1
      append: yes  # keep the user's existing supplementary groups

After that, run this playbook. To check whether the process has completed successfully, use the following command, which lists the groups the user belongs to:

$ groups action

Password Integration

Here we will share a couple of methods for setting a password properly.

Password Generation with mkpasswd

Encrypted (hashed) passwords can be created with various methods, but mkpasswd is considered the most common one. This utility is part of the whois package, so let’s start with the installation:

$ sudo apt install whois

Password Insertion via Ad-Hoc Commands

mkpasswd can be combined with an Ad-Hoc command as shown below. The $(mkpasswd ...) substitution runs in the local shell on the control node, so the module receives only the resulting SHA-512 hash. Note that a plaintext password typed on the command line ends up in the shell history.

$ ansible -i project_inventory.ini client1 -m user -a "name=Action password=$(mkpasswd --method=sha-512 '123')" --become
192.168.221.171 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1006,
    "home": "/home/action",
    "move_home": false,
    "name": "Action",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/sh",
    "state": "present",
    "uid": 1005
}

To verify the password, try to log in as the user with the new password.

Password Insertion via Playbooks

To insert the password via a playbook, first generate the hash. Run without a password argument, mkpasswd prompts for the password:

$ mkpasswd --method=sha-512
Password:
$6$r6pnvoHc$gpG9kpqIbQfGL2o/NsTD/uN04OsZ15zAydVFPYkflnbSWCTTUBn9yC6IJb7MoRvzQqmadKuf.GEYv8ldQrlZO1

After that, insert the generated hash as the value of the password option in the playbook and run it. Then try to log in with the created password.
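The playbook for this step is not shown above. One way to write it, as an added example that is not from the original article: it assumes a hypothetical file vars/secrets.yml, encrypted with ansible-vault, that defines a hypothetical variable action_password_hash holding the string printed by mkpasswd.

```yaml
# add_password.yml - added example, not from the original article.
# Assumption: vars/secrets.yml is a hypothetical file, encrypted with
# `ansible-vault encrypt`, that defines action_password_hash as the
# $6$... string printed by `mkpasswd --method=sha-512`.
---
- name: Set a password for user Action
  hosts: client1
  become: yes
  vars_files:
  - vars/secrets.yml
  tasks:
  # The user module writes the value of "password" to /etc/shadow as-is,
  # so a plaintext value here would leave the account unable to log in.
  - name: Check that the variable holds a SHA-512 crypt hash
    assert:
      that:
      - "action_password_hash.startswith('$6$')"
      fail_msg: "action_password_hash must be the output of mkpasswd --method=sha-512"
    no_log: true  # keep the hash out of task output and logs

  - name: Set the password hash for Action
    user:
      name: Action
      password: "{{ action_password_hash }}"
      # always (the default) also changes the password of an existing
      # account; on_create would only set it for a newly created user.
      update_password: always
    no_log: true
```

Run it with ansible-playbook -i project_inventory.ini add_password.yml --ask-vault-pass so that the vault password is prompted for instead of being stored next to the playbook.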

Remote Access Configuration

Ansible can also set up passwordless (SSH key-based) access. For this remote access, start by creating the playbook:

$ cat user_ssh.yml
---
- name: Create user, SSH directory, and transfer SSH keys
  hosts: client1
  become: yes  # Use become to run tasks as a privileged user
  tasks:
  - name: Create SSH directory for action
    file:
      path: /home/action/.ssh
      state: directory
      owner: action
      group: action
      mode: '0700'  # Quoted so the value is always read as an octal mode
  - name: Generate SSH key for action
    user:
      name: action
      generate_ssh_key: yes
      ssh_key_type: rsa
      ssh_key_bits: 4096
      ssh_key_file: /home/action/.ssh/id_rsa  # Full path is needed here
  - name: Transfer public key to the target host
    authorized_key:
      user: action
      # The lookup must be inside Jinja2 delimiters, otherwise the literal text is used as the key
      key: "{{ lookup('file', '/home/vagrant/.ssh/id_rsa.pub') }}"

To Sum Up

In this article, we shared common examples of Ansible usage, starting from creating a user and ending with passwordless access. We hope this information was helpful for you!