In this article, we will review, step by step, how to change the root password using Ansible. As part of this process, we will examine a sample playbook to gain a better understanding of how it works.
In the ever-evolving landscape of IT infrastructure management, automation has become an indispensable tool. Among the myriad of automation tools available, Ansible stands out for its simplicity, scalability, and agentless architecture. Originally developed by Michael DeHaan in 2012, Ansible has quickly gained popularity in the DevOps community as a powerful and easy-to-use configuration management and automation tool.
To change the root password using Ansible, you’ll need to create a playbook that leverages Ansible’s rich set of modules. Here’s a sample playbook to guide you through the process:
```yaml
---
- name: Cycle root password and store it using ansible-vault
  hosts: all
  become: false
  # Generate and store the root password in a password file (secret.yaml).
  # The password lookup runs on the controller and only generates a value when
  # the file is absent; if the file exists, its content is returned instead.
  vars:
    passwdDir: ~/.secret-yaml-files
    vaultPass: ~/.vault_key
    runningfromHost: localhost
    # rootPass is not referenced by any task below, so its lookup never runs
    # (Ansible evaluates variables lazily, on first use).
    rootPass: "{{ lookup('password', passwdDir ~ '/secret.yaml chars=ascii_letters,digits,punctuation') }}"
    newPass: "{{ lookup('password', passwdDir ~ '/secret1.yaml chars=ascii_letters,digits,punctuation') }}"
  tasks:
    # Check if the password file exists on the controller, where the lookup writes it
    - name: Check if secret.yaml file exists
      stat:
        path: "{{ passwdDir }}/secret.yaml"
      register: stat_secrets
      run_once: true
      delegate_to: "{{ runningfromHost }}"
    # Encrypt password file
    - name: Encrypt password file using ansible-vault on {{ runningfromHost }}
      shell: ansible-vault encrypt {{ passwdDir }}/secret.yaml --vault-password-file {{ vaultPass }}
      when: stat_secrets.stat.exists | bool
      run_once: true
      delegate_to: "{{ runningfromHost }}"
    # View decrypted password file (writes a cleartext copy to secret1.yaml)
    - name: Allow temporary password file decryption for password hashing on {{ runningfromHost }}
      shell: ansible-vault view {{ passwdDir }}/secret.yaml --vault-password-file {{ vaultPass }} > {{ passwdDir }}/secret1.yaml
      when: stat_secrets.stat.exists | bool
      run_once: true
      delegate_to: "{{ runningfromHost }}"
    # Update root password hash (runs on every target host)
    - name: Update root password hash
      user:
        name: root
        #update_password: always
        password: "{{ newPass | password_hash('sha512') }}"
      become: yes
    # Prints the cleartext password in the run output and in any log that
    # captures it; keep this for testing only
    - debug:
        msg: "{{ newPass }}"
    # Get timestamp from the OS
    - name: Get timestamp from the system
      shell: "date +%Y-%m-%d-%H.%M.%S"
      register: tstamp
      run_once: true
      delegate_to: "{{ runningfromHost }}"
    # Back up the password file so the next run generates a fresh password
    - name: Save password file to backup using timestamp
      command: mv {{ passwdDir }}/secret.yaml {{ passwdDir }}/secret.yaml-{{ tstamp.stdout }}
      when: stat_secrets.stat.exists | bool
      run_once: true
      delegate_to: "{{ runningfromHost }}"
    # Clean up the cleartext copy on the controller
    - name: Clean up the contents of the password file directory
      file:
        state: absent
        path: "{{ passwdDir }}/secret1.yaml"
      run_once: true
      delegate_to: "{{ runningfromHost }}"
```
Now, let's break down each part of the Ansible playbook above:

- `---`: YAML document start indicator.
- `name: Cycle root password and store it using ansible-vault`: A named play describing the purpose of the playbook.
- `hosts: all`: The play applies to all hosts in the inventory.
- `become: false`: Disables privilege escalation at the play level.
- `vars`: Defines the variables used in the playbook.
- `rootPass`: Generates a random root password using the password lookup.
- `newPass`: Generates a new random password for root.
- `passwdDir`: Specifies the directory for the password files.
- `vaultPass`: Specifies the path to the Ansible Vault key file.
- `runningfromHost`: Defines localhost as the host running the playbook.
- `tasks`: The list of tasks to be executed.
- `name: Check if secret.yaml file exists`: Uses the stat module to check whether the password file exists.
- `name: Encrypt password file using ansible-vault on {{ runningfromHost }}`: Encrypts the password file using Ansible Vault.
- `name: Allow temporary password file decryption for password hashing on {{ runningfromHost }}`: Temporarily decrypts the password file so the root password hash can be updated.
- `name: Update root password hash`: Uses the user module to update the root password hash.
- `name: Get timestamp from the system`: Retrieves the current timestamp.
- `name: Save password file to backup using timestamp`: Creates a backup of the password file named with the timestamp.
- `name: Clean up the contents of the password file directory`: Removes the temporary decrypted password file.

Keep the following best practices in mind when managing root passwords with Ansible:

Encrypt Sensitive Data: Avoid hardcoding sensitive information like passwords directly into playbooks. Use Ansible Vault to encrypt sensitive data securely.
Limit Privilege Escalation: Only use become
where necessary. Limit privilege escalation to specific tasks rather than the entire playbook.
Version Control: Store your playbooks in a version control system like Git to track changes and collaborate effectively.
Documentation: Include comments and documentation within your playbooks to make them more understandable and maintainable.
Testing: Before deploying playbooks in a production environment, thoroughly test them in a controlled environment to avoid unintended consequences.
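The playbook depends on one property of the password lookup: it generates a value only when the file is absent and otherwise returns what is already stored, which is why cycling requires moving secret.yaml aside before the next run. The Python below is an added example, not code from the article or from Ansible itself; it mirrors that controller-side lifecycle (generate or reuse, timestamped backup, owner-only file mode) in a temporary directory instead of ~/.secret-yaml-files so it can be run offline.

```python
import os
import secrets
import string
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional, Tuple

# Same character classes the playbook passes to lookup('password', ... chars=...)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def get_or_create_password(path: Path, length: int = 20) -> str:
    """Mirror the password lookup: reuse the file's first line if it exists,
    otherwise generate a secret and create the file with mode 0600."""
    if path.exists():
        return path.read_text().split("\n", 1)[0]
    path.parent.mkdir(parents=True, exist_ok=True)
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    # O_EXCL: fail instead of clobbering a file created between the two checks
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    return password


def cycle_password(path: Path) -> Tuple[str, Optional[Path]]:
    """Mirror the playbook's mv-to-backup step, then generate a fresh secret.
    Returns the new password and the backup path (None if nothing existed)."""
    backup = None
    if path.exists():
        # The playbook's stamp has second resolution; %f avoids collisions here
        stamp = datetime.now().strftime("%Y-%m-%d-%H.%M.%S.%f")
        backup = path.with_name(f"{path.name}-{stamp}")
        os.replace(path, backup)  # atomic rename on the same filesystem
    return get_or_create_password(path), backup


def demo() -> bool:
    """Run the lifecycle in a temp dir; True when it behaves like the playbook."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.yaml"
        first = get_or_create_password(secret)
        again = get_or_create_password(secret)   # idempotent: same value back
        rotated, backup = cycle_password(secret)
        owner_only = (secret.stat().st_mode & 0o777) == 0o600
        return (first == again and rotated != first and backup is not None
                and backup.read_text().rstrip("\n") == first and owner_only)
```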
Ansible provides a powerful and efficient solution for automating various IT tasks, including the management of root passwords. By following best practices and utilizing Ansible’s capabilities, you can enhance security, streamline processes, and ensure consistent configuration across your infrastructure. Happy automating!