hosts
[centos]
192.168.174.129 ansible_ssh_port=2022 ansible_ssh_user=user1
192.168.174.130 ansible_ssh_port=22022 ansible_ssh_user=user2
192.168.174.131 ansible_ssh_port=2029 ansible_ssh_user=user3
Ansible Vault 文件
创建 Ansible Vault 文件
# ansible-vault create passwords.yml
New Vault password: # 12345678
Confirm New Vault password:
编辑 Ansible Vault 文件
# ansible-vault edit passwords.yml
Vault password:
passwords.yml
hosts_passwords:
  192.168.174.129:
    root_password: UxMPo<*0J?|P93>n
    user1_old_password: -e{I73zAqp6;R?:a
    user1_password: 0~8Iu3.Zslk?j)Wp
  192.168.174.130:
    root_password: OxMPo<*9J?|P93>n
    user2_old_password: $e{I73zAqp6;R?:a
    user2_password: 7~8Iu9.Zslk?j)Wp
  192.168.174.131:
    root_password: $0%5Br2vH/$iD7q_
    user3_old_password: KH3Ks/Z80.Rw2er;
    user3_password: K35Zs7=L+NSe4j&w
playbook
change_password.yaml
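# change_password.yaml — rotate the root and login-user passwords on every host in
# the "centos" group, using the per-host secrets from the vault-encrypted passwords.yml.
# Connection and sudo start with the *_old_password entries; the cleanup task switches
# to the rotated password so it can still escalate after the change.
- hosts: centos
  gather_facts: no  # no facts are referenced below, so skip the setup step
  become: yes
  become_method: sudo
  become_user: root
  vars_files:
    - passwords.yml  # provides hosts_passwords, keyed by inventory_hostname (the IP as written in hosts)
  vars:
    old_password: "{{ hosts_passwords[inventory_hostname][ansible_ssh_user + '_old_password'] }}"
    new_password: "{{ hosts_passwords[inventory_hostname][ansible_ssh_user + '_password'] }}"
    new_root_password: "{{ hosts_passwords[inventory_hostname].root_password }}"
    # Log in and escalate with the password that is valid *before* rotation.
    ansible_ssh_pass: "{{ old_password }}"
    ansible_become_pass: "{{ old_password }}"
  tasks:
    # The immutable flag is lifted inside a block and re-applied in `always`, so a
    # failed password change can no longer leave /etc/shadow and friends writable.
    - name: Rotate passwords with the immutable flag temporarily lifted
      block:
        - name: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
          # command instead of shell: no pipes, globs or redirection are used, so no shell is needed
          ansible.builtin.command:
            cmd: chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile

        - name: Change root user password
          ansible.builtin.user:
            name: root
            password: "{{ new_root_password | password_hash('sha512') }}"
          no_log: true  # keep the secret (and its hash) out of callback output and logs
          register: root_password_change_result

        - name: Change user password
          ansible.builtin.user:
            # ansible_ssh_user is the variable this inventory sets (and the one the
            # vault lookups are keyed on); the inventory does not define ansible_user.
            name: "{{ ansible_ssh_user }}"
            password: "{{ new_password | password_hash('sha512') }}"
          no_log: true
          register: password_change_result

      always:
        - name: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile
          vars:
            # Once the login user's password has actually been rotated, sudo expects the
            # new one; if the change did not run or did not apply, the old one is still valid.
            rotated: "{{ password_change_result is defined and password_change_result is changed }}"
            ansible_ssh_pass: "{{ new_password if rotated | bool else old_password }}"
            ansible_become_pass: "{{ new_password if rotated | bool else old_password }}"
          ansible.builtin.command:
            cmd: chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile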
测试 playbook
# ansible-playbook -i hosts change_password.yaml --ask-vault-pass
Vault password:
PLAY [centos] *****************************************************************************************************************************************************************
TASK [Gathering Facts] ********************************************************************************************************************************************************
ok: [192.168.174.130]
ok: [192.168.174.131]
ok: [192.168.174.129]
TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.131]
changed: [192.168.174.129]
changed: [192.168.174.130]
TASK [Change user password] ***************************************************************************************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]
TASK [Print password change info] *********************************************************************************************************************************************
ok: [192.168.174.129] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.130] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1002, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1002}"
}
ok: [192.168.174.131] => {
"msg": "Password change info: {u'comment': u'', u'shell': u'/bin/bash', u'group': 1000, u'name': u'yunwei', u'changed': True, 'failed': False, u'state': u'present', u'home': u'/home/yunwei', u'move_home': False, u'password': u'NOT_LOGGING_PASSWORD', u'append': False, u'uid': 1000}"
}
TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] ****************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.129]
changed: [192.168.174.131]
PLAY RECAP ********************************************************************************************************************************************************************
192.168.174.129 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.130 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
192.168.174.131 : ok=5 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0