Adding User and Password Using Ansible
10:46, 27.05.2024
There are many tools for automation, and they greatly simplify the challenges of server management. Here, we introduce one of them, Ansible, which is a great option for adding new users and passwords. If you have more than a couple of servers, adding users manually can be really time-consuming. Instead of entering every user by hand, you can automate the process.
Based on our practical experience using the tool, we will share a couple of insights about Ansible.
Environment Preparation
Environment preparation is a crucial step in any process, so check that everything you need is in place:
- Inventory file with hosts
- Ansible is installed on the controller node
- SSH connection between client and control nodes is available
- A client node that acts as the remote host
The user Module
This module is essential for user management on the hosts. Here are a couple of the options provided by the user module:
- state – determines the necessary state of the account
- home – specifies the home directory
- shell – the login shell
- password – the user’s password
- groups – supplementary groups
- ssh_key_file – the place where the SSH key is stored
- ssh_key_bits – the number of bits in the SSH key
- name – and let’s not forget the required user name
Of course, these are only the basic options. The variety is huge, and several additional options for this module are:
- profile – specifies the profile
- seuser – sets the SELinux security context user for the account
- update_password – controls when the password is updated
User Creation Process
For the user creation process itself, there are technically 2 options. Let’s discuss each variant in detail.
User Insertion via Ad-Hoc Commands
The first option is to create the user with an ad-hoc command. Here is a real example of the user creation process:
$ ansible -i project_inventory.ini client1 -m user -a "name=Action state=present createhome=yes" -b
192.168.221.171 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1006,
    "home": "/home/action",
    "name": "Action",
    "shell": "/bin/sh",
    "state": "present",
    "system": false,
    "uid": 1005
}
To check whether the user was created with all the mentioned details, use the following command:
$ ls /home
User Insertion via Playbooks
The user creation process via playbooks starts with:
$ cat add_user.yml
---
- name: Create a user
  hosts: client1
  become: yes
  tasks:
    - name: Add user Action
      user:
        name: Action
        shell: /bin/bash
        home: /home/action
After that, run this playbook. To check whether the process was successful, switch to the client node as in the previous example and use the same command:
$ ls /home/
Group Membership Establishment
Next, we set up group membership for the user we already created. The process is the following:
$ cat add_grp.yml
---
- name: Create a group and add a user
  hosts: client1
  become: yes
  tasks:
    - name: Ensure the group exists
      group:
        name: group1
        state: present
    - name: Add user to the group
      user:
        name: action
        groups: group1
        append: yes
After that, run this playbook. To check whether the process has completed successfully, list the groups of the user on the client node with the following command:
$ groups action
Password Integration
Here we will share a couple of methods to integrate a password in a proper way.
Password Generation with mkpasswd
Encrypted (hashed) passwords can be created in various ways, but mkpasswd is considered the most commonly used one. This utility is part of the whois package, so let’s start with the installation:
$ sudo apt install whois
Password Insertion via Ad-Hoc Commands
mkpasswd can be used together with an ad-hoc command in the following way:
$ ansible -i project_inventory.ini client1 -m user -a "name=Action password=$(mkpasswd --method=sha-512 '123')" --become
192.168.221.171 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1006,
    "home": "/home/action",
    "move_home": false,
    "name": "Action",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/sh",
    "state": "present",
    "uid": 1005
}
To verify the password, try to log in as the user with the new password.
Password Insertion via Playbooks
For insertion via a playbook, first generate the password hash with the following command:
$ mkpasswd --method=sha-512
Password:
$6$r6pnvoHc$gpG9kpqIbQfGL2o/NsTD/uN04OsZ15zAydVFPYkflnbSWCTTUBn9yC6IJb7MoRvzQqmadKuf.GEYv8ldQrlZO1
After that, you can insert the password hash in the playbook and run it. Then you can try to log in with the created password.
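The article does not show the password playbook itself. One way to write it, as an added example that is not from the original article: it prompts for the password on the control node and hashes it with SHA-512 crypt, so neither the plaintext nor the hash is typed on a command line or stored in the file. The file name set_password.yml and the variable name user_password_hash are assumptions.

```yaml
---
# Added example, not from the original article.
# Assumed names: set_password.yml (file), user_password_hash (variable).
- name: Set a password for the user Action
  hosts: client1
  become: yes

  vars_prompt:
    # Asked on the control node at run time; the input is not echoed.
    - name: user_password_hash
      prompt: "New password for Action"
      private: yes
      confirm: yes
      # Store only the SHA-512 crypt hash ($6$...), the same scheme that
      # `mkpasswd --method=sha-512` produces.
      encrypt: sha512_crypt

  tasks:
    # vars_prompt is skipped when the variable is passed with --extra-vars,
    # and the value would then be written to /etc/shadow as-is. Stop in that case.
    - name: Check that the value is a SHA-512 crypt hash
      assert:
        that:
          - user_password_hash.startswith('$6$')
        fail_msg: "user_password_hash is not a $6$ hash; refusing to set it"
        quiet: yes

    - name: Set the password for Action
      user:
        name: Action
        password: "{{ user_password_hash }}"
        update_password: always   # replace the password of the existing user
      no_log: true                # keep the hash out of verbose output and logs
```

Run it with ansible-playbook -i project_inventory.ini set_password.yml and enter the password when prompted.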
Remote Access Configuration
With the help of Ansible, we can also set up passwordless access. To configure this remote access, start by creating the playbook:
$ cat user_ssh.yml
---
- name: Create user, SSH directory, and transfer SSH keys
  hosts: client1
  become: yes # Use become to run tasks as a privileged user
  tasks:
    - name: Create SSH directory for action
      file:
        path: /home/action/.ssh
        state: directory
        owner: action
        group: action
        mode: '0700' # Quoted so the value is always read as an octal mode
    - name: Generate SSH key for action
      user:
        name: action
        generate_ssh_key: yes
        ssh_key_type: rsa
        ssh_key_bits: 4096
        ssh_key_file: /home/action/.ssh/id_rsa # Full path is needed here
    - name: Transfer public key to the target host
      authorized_key:
        user: action
        # The lookup must be inside {{ }} so that the file content is used as the key
        key: "{{ lookup('file', '/home/vagrant/.ssh/id_rsa.pub') }}"
To Sum Up
In this article, we shared the common samples of Ansible usage starting from creating a user and ending with passwordless usage. Hope this information was helpful for you!