hosts
[centos-root]
192.168.174.129 ansible_ssh_port=22
192.168.174.130 ansible_ssh_port=22
192.168.174.131 ansible_ssh_port=22
Ansible Vault 文件
创建 Ansible Vault 文件
# ansible-vault create passwords.yml
New Vault password: # 12345678
Confirm New Vault password:
编辑 Ansible Vault 文件
# ansible-vault edit passwords.yml
Vault password:
passwords.yml
root_accounts:
192.168.174.129:
old_password: host1
new_password: 12345678
192.168.174.130:
old_password: host2
new_password: 12345678
192.168.174.131:
old_password: host3
new_password: 12345678
yunwei_accounts:
192.168.174.129:
init_password: yunwei_129
192.168.174.130:
init_password: yunwei_130
192.168.174.131:
init_password: yunwei_131
playbook
create_user-playbook.yaml
- hosts: centos
remote_user: root
gather_facts: no # 禁用 Ansible 在执行任务之前从目标主机中收集信息
vars_files:
- passwords.yaml
vars:
ansible_ssh_pass: "{{ root_accounts[inventory_hostname].old_password }}"
new_username: yunwei
tasks:
- name: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
ansible.builtin.shell:
cmd: |
chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
- name: Create yunwei user
ansible.builtin.user:
name: "{{ new_username }}"
password: "{{ yunwei_accounts[inventory_hostname].init_password | password_hash('sha512')}}"
shell: /bin/bash
groups: wheel
- name: Print temporary password
debug:
msg: "The password for {{ new_username }} is {{ yunwei_accounts[inventory_hostname].init_password }}"
- name: Get list of users with /bin/bash as their shell
ansible.builtin.shell:
cmd: "awk -F: '$7 == \"/bin/bash\" {print $1}' /etc/passwd"
register: bash_users
- name: Set password expiration days for /bin/bash users
ansible.builtin.shell:
cmd: "chage -M 90 {{ item }}"
loop: "{{ bash_users.stdout_lines }}"
when: bash_users.stdout_lines is defined
- name: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
ansible.builtin.shell:
cmd: |
chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
check_user-playbook.yaml
- hosts: centos
remote_user: yunwei
gather_facts: no # 禁用 Ansible 在执行任务之前从目标主机中收集信息
#ansible_become_method: sudo
#ansible_become_user: root
vars_files:
- passwords.yaml
vars:
ansible_ssh_pass: "{{ yunwei_accounts[inventory_hostname].init_password }}"
ansible_become_pass: "{{ yunwei_accounts[inventory_hostname].init_password }}"
tasks:
- name: check password using yunwei
ansible.builtin.shell:
cmd: id
register: command_result
- name: Print yunwei info
debug:
msg: " user info is {{ command_result.stdout }}"
- name: check password using root
ansible.builtin.shell:
cmd: id
become: yes
register: command_result_1
- name: Print root info
debug:
msg: " user info is {{ command_result_1.stdout }}"
user-playbook.yaml
- import_playbook: create_user-playbook.yaml
- import_playbook: check_user-playbook.yaml
测试 playbook
# ansible-playbook -i hosts user-playbook.yaml --ask-vault-pass
Vault password:
PLAY [centos] *****************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************
ok: [192.168.174.129]
ok: [192.168.174.130]
ok: [192.168.174.131]
TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.130]
changed: [192.168.174.131]
TASK [Create yunwei user] *****************************************************************************************************************************************************
changed: [192.168.174.131]
changed: [192.168.174.130]
changed: [192.168.174.129]
TASK [Print temporary password] ***********************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": "The password for yunwei is yunwei_129"
}
ok: [192.168.174.130] => {
"msg": "The password for yunwei is yunwei_130"
}
ok: [192.168.174.131] => {
"msg": "The password for yunwei is yunwei_131"
}
TASK [Get list of users with /bin/bash as their shell] ************************************************************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.130]
changed: [192.168.174.131]
TASK [Set password expiration days for /bin/bash users] ***********************************************************************************************************************
changed: [192.168.174.129] => (item=root)
changed: [192.168.174.130] => (item=root)
changed: [192.168.174.131] => (item=root)
changed: [192.168.174.129] => (item=wgs)
changed: [192.168.174.130] => (item=wgsg)
changed: [192.168.174.131] => (item=yunwei)
changed: [192.168.174.129] => (item=yunwei)
changed: [192.168.174.130] => (item=wgs)
changed: [192.168.174.130] => (item=yunwei)
TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.130]
changed: [192.168.174.131]
PLAY [centos] *****************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************
ok: [192.168.174.130]
ok: [192.168.174.129]
ok: [192.168.174.131]
TASK [check password using yunwei] ********************************************************************************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.131]
changed: [192.168.174.130]
TASK [Print yunwei info] ******************************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": " user info is uid=1002(yunwei) gid=1002(yunwei) groups=1002(yunwei),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
ok: [192.168.174.130] => {
"msg": " user info is uid=1002(yunwei) gid=1002(yunwei) groups=1002(yunwei),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
ok: [192.168.174.131] => {
"msg": " user info is uid=1000(yunwei) gid=1000(yunwei) groups=1000(yunwei),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
TASK [check password using root] **********************************************************************************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]
TASK [Print root info] ********************************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": " user info is uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
ok: [192.168.174.130] => {
"msg": " user info is uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
ok: [192.168.174.131] => {
"msg": " user info is uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
}
PLAY RECAP ********************************************************************************************************************************************************************
192.168.174.129 : ok=12 changed=7 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.130 : ok=12 changed=7 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.131 : ok=12 changed=7 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
