how do you use ansible to change a host password


2 min read 19-01-2025

Changing passwords on multiple remote servers can be a tedious and error-prone task. Ansible, a powerful automation tool, provides an efficient and secure way to manage this process. This article will guide you through changing host passwords using Ansible, highlighting best practices and security considerations. We'll focus on securely updating passwords, avoiding storing them directly in your Ansible playbooks.

Prerequisites

Before we begin, ensure you have the following:

  • Ansible installed and configured: Follow the Ansible installation instructions for your operating system.
  • SSH access to your target hosts: Ansible uses SSH to connect to and manage remote servers. Ensure SSH is enabled and you have the appropriate SSH keys set up for passwordless authentication. We will not use password-based authentication in this example to maintain security.
  • Ansible inventory file: This file lists the servers you want to manage. A simple inventory file might look like this:
[servers]
server1
server2
server3
  • Understanding of Ansible concepts: Familiarity with playbooks, tasks, and modules is beneficial.

The Secure Method: Using the authorized_keys File

The most secure way to handle password changes with Ansible is to manage SSH keys. This eliminates the need to transmit passwords over the network.

1. Generate a new SSH key pair on your Ansible control machine:

ssh-keygen

2. Copy the public key (~/.ssh/id_rsa.pub) to your target hosts. We'll do this with Ansible:

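---
- hosts: servers
  become: true
  tasks:
    # Runs on each target host; src is read from the control machine.
    - name: Copy authorized keys
      copy:
        src: ~/.ssh/id_rsa.pub
        dest: /home/{{ansible_user}}/.ssh/authorized_keys
        # The file must belong to the login user, or sshd cannot read it.
        owner: "{{ansible_user}}"
        mode: '0600'

This task copies your public key to the /home/{{ansible_user}}/.ssh/authorized_keys file on each server. {{ansible_user}} dynamically uses the user Ansible is connecting as, and the path assumes that user's home directory is under /home. become: true allows Ansible to run the copy command with elevated privileges (typically sudo). Because the task then runs as root, owner: sets the file's owner back to the login user. mode: '0600' sets the appropriate permissions for the file to enhance security. Note that copy replaces the whole file, so any keys already listed in authorized_keys on the server are removed.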

3. Test your connection: After running this playbook, try connecting to your servers using ssh. If successful, you can now proceed to manage your servers securely without ever explicitly changing passwords within Ansible.

4. Password changes on the target hosts: Instead of changing the password directly with Ansible, change passwords on the target machines via the command line or using the server's built-in tools. Only you, using SSH access, will be able to make those changes. Never hardcode passwords in Ansible playbooks.

Important Security Considerations:

  • Never hardcode passwords in Ansible playbooks. This is a massive security risk. Your playbooks should be stored in a secure location and version controlled.
  • Use SSH keys for authentication. This is far more secure than password-based authentication.
  • Restrict access to your Ansible control machine. Ensure it's properly secured and only authorized personnel have access.
  • Regularly rotate SSH keys. This minimizes the impact of a compromised key.
  • Use Ansible's vault functionality for storing sensitive data if absolutely necessary, though key-based authentication remains the best practice.
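
The key rotation recommended in the list above can be done without a window in which a host has no working key. The playbook below is an added example, not part of the original article; it assumes ansible_user is set in the inventory, the ansible.posix collection is installed, and the new key pair (hypothetical name id_ed25519_new) already exists on the control machine.

```yaml
---
# Added example, not from the original article. Key file names are hypothetical.
# Requires the ansible.posix collection for the authorized_key module.

# Play 1: connect with the current key and add the new public key.
- name: Install the new public key
  hosts: servers
  gather_facts: false
  tasks:
    - name: Add the new key without touching existing entries
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', '~/.ssh/id_ed25519_new.pub') }}"
        state: present

    # Ansible reuses a multiplexed SSH session per host. Closing it here
    # forces play 2 to authenticate from scratch.
    - name: Drop the existing SSH session
      ansible.builtin.meta: reset_connection

# Play 2: connect with the new key only. A host where that login fails is
# reported unreachable and keeps its old key, so it is never locked out.
- name: Remove the old public key
  hosts: servers
  gather_facts: false
  vars:
    ansible_ssh_private_key_file: ~/.ssh/id_ed25519_new
    # Stop ssh from falling back to agent keys, including the old one.
    ansible_ssh_common_args: -o IdentitiesOnly=yes
  tasks:
    - name: Delete the old key from authorized_keys
      ansible.posix.authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
        state: absent
```

Hosts that fail in the first play are skipped by the second, so a partial run leaves every host reachable with at least one of the two keys.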

Conclusion

Ansible provides a robust and efficient way to manage your server infrastructure. By employing SSH keys and avoiding direct password management within Ansible playbooks, you can significantly enhance the security of your automation processes. Remember to prioritize security best practices to protect your systems. This method focuses on the safer alternative and avoids directly managing passwords using Ansible. Using Ansible to change passwords directly is highly discouraged.
