3

我正在尝试从 Ansible playbook更改非 root Linux 用户的密码。为此,我尝试关注此链接

按照说明,我可以通过在终端中键入以下代码来成功更改非 root 用户的密码。

$ echo -e "your_current_pass\nlinuxpassword\nlinuxpassword" | passwd
Changing password for testuser.
(current) UNIX password: Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully

之后,我尝试使用下面的 Ansible 剧本自动化代码,

---
- hosts: all
  gather_facts: no

  tasks:
    - name: "Check if user exists"
      register: user1_exists
      raw: getent passwd {{ ansible_user }}
      ignore_errors: true

    - name: "Change {{ ansible_user }} password"
      raw: echo -e "my_current_pass\nmy_new_pass\nmy_new_pass" | passwd
      when: user1_exists|success

我在这里使用 Ansible 的原始模块,因为我的大多数机器都没有安装 Python。我也无权在剧本superuser (sudo)中使用。become: True

还在这里使用基于密码的身份验证在目标机器上运行 Ansible playbook。不是基于 ssh 的身份验证。

但是,当我执行剧本时,我收到了这个错误,

TASK [change user1 password] ***************************************************
fatal: [192.168.0.57]: FAILED! => {"changed": true, "failed": true, "rc": 10, 
"stderr": "Shared connection to 192.168.0.57 closed.\r\n", "stdout": "Changing 
password for testuser.\r\n(current) UNIX password: passwd: Authentication 
token manipulation error\r\npasswd: password unchanged\r\n", "stdout_lines": 
["Changing password for testuser.", "(current) UNIX password: passwd: 
Authentication token manipulation error", "passwd: password unchanged"]}

谁能告诉我我在这里犯的错误?

4

3 回答 3

6

使用内置的用户模块而不是 shell 命令。这需要become: True在您的剧本中。请注意,password用户模块的参数需要一个加密值。password_hashjinja 过滤器将帮助您。

  - name: change user's password
    user:
      name: foo
      password: "{{ 'passwordsaresecret' | password_hash('sha512') }}"
于 2017-08-31T20:06:36.770 回答
1

你的剧本几乎是正确的。我有同样的要求,我使用了你的剧本。您的剧本中只有一个错误,您忘记将密码变量括在“{{}}”大括号中。所以我改变了你的剧本,如下所示,它对我有用。

  hosts: all
  gather_facts: no

  tasks:
    - name: "Check if user exists"
      register: user1_exists
      raw: getent passwd {{ ansible_user }}
      ignore_errors: true

    - name: "Change {{ ansible_user }} password"
      raw: echo -e "{{ ansible_password }}\n{{newpwd}}\n{{newpwd}}" | passwd
      when: user1_exists|success
于 2020-10-22T22:15:36.100 回答
0

我已经破解了以下内容来解决这个问题。密码不显示在日志甚至详细日志“-vvvvv”中,并且在远程系统的历史记录中不可见:

---
- name: Change password when connecting as a non-root/non-sudoer user.
#
# Ansible's 'user' module can only change a password if it is ran as a root user or 'become' is used.
# For a non-root user, when you run 'passwd', it asks for current password before you can enter a new one.
# Workaround: Create a a temporary script that updates the password and run that script remoteley 
#             and use 'no_log' directive to prevent passwords being visible in any log.
#             Tested that passwords not visible in verbose output '-vvvvv' and not in 'history' of remote computers.
#             The temporary script is deleted remotley automatically by 'script' module.
# Note:
# New password must comply with your passwd security policy.

  hosts: all
  gather_facts: no

  vars_prompt:
  - name: "curr_pass"
    prompt: Type in current password
    private: yes

  - name: "new_pass"
    prompt: Type in new password
    private: yes
    confirm: yes

  ## If you need to *temporary* hard-code credentials, use below.
  ## Delete after use or use vault if you want long-term storage.
  #vars:
  #- curr_pass: MyOldPass
  #- new_pass: MyNewPass123!!

  tasks:
  - name: Create a temporary local script which will change the users password
    copy:
      dest: updatePassNonRootDynamic.sh
      content: echo -e '{{curr_pass}}\n{{new_pass}}\n{{new_pass}}' | passwd
    delegate_to: localhost
    no_log: True
    run_once: true

  - name: Change password via temporary script on all hosts
    script: updatePassNonRootDynamic.sh

  - name: Remove the temporary local script
    file:
      path: updatePassNonRootDynamic.sh
      state: absent
    delegate_to: localhost
    run_once: true
于 2018-11-23T16:03:01.897 回答