Automate password changes with Ansible

Everyone should be changing root passwords from time to time on their infrastructure. It’s something we all put off as long as possible for various reasons, whether hatred of learning a new password or just sheer laziness. Needless to say, it is a necessity of being an admin of ANY system, home or otherwise.

One way to get more people on the bandwagon of security and password changes is to make them as seamless as possible. Once again, I turn to Ansible to touch all my boxes for me so I can continue listening to my hero Henry Rollins wax poetic with Pete Holmes on his podcast.

It is worth noting that I do all my admin work via Ansible on my MacBook Pro. As such, I will assume you already have Ansible running on Mac OS X as well as Python.

Within Ansible, we will leverage the ‘user’ module to quickly change the password for the root account on all our servers. Ansible doesn’t allow you to pass a cleartext password through its playbooks, so you have to install a password hashing library for Python to use.

To install the library:

Generate a hash for the new root password you want:

Simple Ansible playbook:

And that’s all there is to it. Execute this playbook against whatever servers you wish and you’re done. This is also a useful addition to your bootstrap playbooks for new provisioning!
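The three steps above as one playbook, added here as an example and not the author's original playbook. Assumptions: the hashing library is passlib, the hash is generated once on the control machine with the command shown in the comment, and it is stored as `root_password_hash` in an ansible-vault encrypted file at the hypothetical path `vars/root_password.yml`.

```yaml
---
# Added example; file names and variable names are assumptions.
#
# Generate the hash on the control machine (assumes passlib is installed):
#   python3 -c "from passlib.hash import sha512_crypt; import getpass; \
#               print(sha512_crypt.hash(getpass.getpass()))"
#
# Store the output as root_password_hash in a vault-encrypted vars file:
#   ansible-vault create vars/root_password.yml
#   # contents: root_password_hash: "<hash printed above>"

- name: Rotate the root password
  hosts: all
  become: true
  gather_facts: false

  vars_files:
    - vars/root_password.yml   # hypothetical path, encrypted with ansible-vault

  tasks:
    - name: Refuse to run unless the value is a SHA-512 crypt hash
      ansible.builtin.assert:
        that:
          - root_password_hash is defined
          - root_password_hash.startswith('$6$')
        fail_msg: "root_password_hash must be a $6$ crypt hash, not a cleartext password"

    - name: Set the new root password hash
      ansible.builtin.user:
        name: root
        password: "{{ root_password_hash }}"
        update_password: always
      no_log: true   # keep the hash out of task output and logs
```

Run it with `ansible-playbook --ask-vault-pass` followed by the playbook file name; the assert task stops the run before any host is touched if a cleartext value was placed in the variable by mistake.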
