Creating users with strong, random passwords is essential for system security. Manual password generation can be time-consuming and error-prone. Using Ansible, you can automate this process quickly and efficiently.
You can use the user module combined with the lookup function to generate secure passwords. This method ensures that each user gets a unique and strong password without manual intervention.
In this guide, we will show you how to create a new user and set a random password using Ansible.
Why Use Random Passwords?
Using random passwords ensures that each user account is protected with a strong, unique password, reducing the risk of unauthorized access. Automated random password generation is particularly useful when:
- Provisioning multiple servers.
- Creating temporary or service accounts.
- Avoiding weak or easily guessable passwords.
Method 1: Using the Ansible shell Module with OpenSSL
In this method, we’ll use the shell module to run openssl, register its output as the password, and create a user with it.
Here is an example playbook.
---
- name: Create a user with random password using openssl
  hosts: all
  become: true
  tasks:
    - name: Generate random password
      # 12 random bytes, base64-encoded; a new value is produced on every run
      ansible.builtin.shell: "openssl rand -base64 12"
      register: random_password

    - name: Create user with random password
      ansible.builtin.user:
        name: devuser
        # the user module expects the password already hashed, not in plaintext
        password: "{{ random_password.stdout | password_hash('sha512') }}"

    - name: Display generated password
      # this prints the plaintext password to the console and to any log that captures the run
      ansible.builtin.debug:
        msg: "Generated password for devuser: {{ random_password.stdout }}"
Now, run the above playbook.
# ansible-playbook create_random_user_openssl.yml
Output:
PLAY [Create a user with random password using openssl] ***********************
TASK [Generate random password] ***********************************************
changed: [localhost]
TASK [Create user with random password] ***************************************
changed: [localhost]
TASK [Display generated password] *********************************************
ok: [localhost] => {
"msg": "Generated password for devuser: XyZ123$abc!"
}
PLAY RECAP ********************************************************************
localhost : ok=3 changed=2 unreachable=0 failed=0
In the above playbook:
- We use openssl rand -base64 12 to generate a random password from 12 random bytes, base64-encoded.
- The password is hashed using password_hash('sha512') before creating the user, because the user module expects a hashed value.
- The generated password is displayed using the debug module.
Method 2: Using the community.general.pwgen Plugin
The community.general.pwgen plugin provides an easy way to generate random passwords. This method is recommended if you prefer using Ansible’s built-in capabilities.
Example Playbook
---
- name: Create a user with random password using pwgen
  hosts: all
  become: true
  tasks:
    - name: Install pwgen (if not already installed)
      ansible.builtin.package:
        name: pwgen
        state: present

    - name: Generate random password using pwgen
      # -s asks for a fully random (not pronounceable) password; 12 characters, 1 password
      ansible.builtin.shell: "pwgen -s 12 1"
      register: random_password

    - name: Create user with generated password
      ansible.builtin.user:
        name: devuser
        password: "{{ random_password.stdout | password_hash('sha512') }}"

    - name: Save password to a secure file
      # written in plaintext on the managed host, readable only by root
      ansible.builtin.copy:
        content: "{{ random_password.stdout }}"
        dest: /root/devuser_password.txt
        mode: '0600'
In this playbook:
- We use the pwgen command to generate a secure 12-character password.
- The password is hashed and used to create the user.
- The password is saved to a file with restricted permissions using the copy module.
Method 3: Generating and Storing Random Passwords Using the lookup Plugin
The password lookup plugin in Ansible can generate random passwords without calling any external command on the managed host.
Here is a playbook that generates a random password this way:
---
- name: Create a user with random password using lookup plugin
  hosts: all
  become: true
  tasks:
    - name: Generate random password using lookup plugin
      # /dev/null as the path means nothing is persisted, so a new password is generated on every run
      ansible.builtin.set_fact:
        random_password: "{{ lookup('password', '/dev/null length=12 chars=ascii_letters,digits') }}"

    - name: Create user with random password
      ansible.builtin.user:
        name: devuser
        password: "{{ random_password | password_hash('sha512') }}"

    - name: Save password to a file
      # plaintext copy on the managed host, readable only by root
      ansible.builtin.copy:
        content: "devuser password: {{ random_password }}"
        dest: /root/devuser_password.txt
        mode: '0600'
Explanation:
- The lookup plugin generates a random password on the control node using the password generator.
- The password is hashed and used to create the user.
- The password is securely stored in a file with restricted access.
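All three playbooks above share two behaviours worth knowing about before using them in production: the plaintext password passes through registered variables or facts (and, in Method 1, a debug message), so it ends up in console output and logs; and because password_hash('sha512') picks a fresh salt on every run, the hash sent to the user module differs each time and the account's password is reset on every run, not just on creation. The playbook below is an added example, not part of the original article or any Ansible project code; it reworks the lookup-based method to address both points. It assumes the managed hosts are Linux, and the file path under credentials/ next to the playbook and the variable names target_user and password_store are the example's own choices.

```yaml
---
# Added example (not from the original article): the lookup-based method,
# hardened so the password is neither leaked in output nor rotated every run.
- name: Create a user with a random password, without leaking or rotating it
  hosts: all
  become: true
  vars:
    target_user: devuser
    # Giving the lookup a real file path instead of /dev/null persists the
    # generated password on the control node, so repeated runs reuse it.
    # The password lookup plugin creates the directory (0700) and the file
    # (0600) itself; the path below is this example's assumption.
    password_store: "{{ playbook_dir }}/credentials/{{ inventory_hostname }}_{{ target_user }}.txt"
  tasks:
    - name: Generate (or reuse) a random password for the user
      ansible.builtin.set_fact:
        random_password: "{{ lookup('ansible.builtin.password', password_store ~ ' length=16 chars=ascii_letters,digits,punctuation') }}"
      # keep the plaintext out of the console, -v output and log files
      no_log: true

    - name: Create the user; set the password only when the account is first created
      ansible.builtin.user:
        name: "{{ target_user }}"
        state: present
        password: "{{ random_password | password_hash('sha512') }}"
        # password_hash salts anew on each run, so the hash always looks changed;
        # on_create stops the module from resetting the password on every run
        update_password: on_create
      no_log: true

    - name: Record where the credential lives, without printing the secret
      ansible.builtin.debug:
        msg: "Password for {{ target_user }} on {{ inventory_hostname }} is stored at {{ password_store }} on the control node"
```

Run it exactly like the other playbooks (ansible-playbook with this file); the second run reports the user task as ok rather than changed, which is the behaviour the FAQ below expects from state: present. The plaintext copy now lives only on the control node, where it can be handed over out of band or encrypted with ansible-vault, rather than in /root on every managed host.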
Conclusion
In this article, we explored three different methods for creating a user with a random password in Ansible. We used OpenSSL, the community.general.pwgen plugin, and the lookup plugin to generate secure passwords. By automating user creation with strong, random passwords, you can enhance the security of your systems and streamline your DevOps workflows.
FAQs
1. How do I securely store the generated password in Ansible?
Save the password to a file with restricted permissions or use Ansible Vault for encryption.
2. Why should I use random passwords for new users in Ansible?
Random passwords are strong and unique, reducing the risk of unauthorized access and improving security.
3. How do I handle existing users when running the playbook?
Use the state: present option in the user module to ensure the user exists; the module then leaves an existing account alone apart from any attributes in the task whose values differ from what is already set.