Suppose there is a server_admin role in which you create a special user, admin.
The roles/server_admin/tasks/main.yml:

- name: add special user
  user:
    name: "{{ server_admin.login }}"
    password: "{{ server_admin.password }}"
In reality, of course, you need to provide a list of special users right away (what if you need more than one?), something like:

- name: add special users
  user:
    name: "{{ item.username }}"
    password: "{{ item.password }}"
    groups: wheel
  with_items: "{{ server_admins.special_users }}"

but we will assume that you need to create one.
At the same time, the role has settings holding the user's login and password, in roles/server_admin/defaults/main.yml:

server_admin:
  login: "admin"
  password: "$6$rounds=40000$vx8fkGJ1A5ucZQuasdfasdfasdfa58TuC38M3yrkCYL6l/"
  ssh_key_file: "files/ssh_keys/admin.pub"

Thus, the user's settings are defined.
If you run the password update script every day at midnight, then on those servers where the user has changed the password, it will be restored.
All this, of course, holds as long as the password of the ansible account that it runs under is not changed (someone leaves root for that; I create and keep a special account for this).
But in the opposite direction there are snags.
There is no way to have a scenario where, as soon as a user on one of the servers changes the password, it is immediately sent to the central ansible server, to a special script that changes the configs.
Ansible is oriented more towards the push model than pull: changes go from the central (command) server to the clients, rather than the clients periodically polling the central server for changes.
But even so, I don't know how to get the password out of the system utility for changing passwords: I suspect there is no such hole in the system.
And without knowing the password there is no point in building a reverse chain for sending the password back. (Such a chain is possible in principle, but it is too painful, and it is not really necessary.)
Purely speculatively, if you have a way to catch the password change event on the client machines and run a script on that event which transfers the password, then you could put an ansible script on every client server where a password change is possible, which connects to the server and modifies the config file; but this is cumbersome, hacky and terribly insecure.
I propose abandoning this scenario altogether. There is no need to change the password on the client machines at all, none whatsoever. Change it on the ansible server in the config, and push it out to the other machines.
This model is very simple: the central server is considered the keeper of the reference configuration, and all deviations from it on the clients are abnormal situations that need to be corrected.
This applies not only to passwords but to anything else. Say you want to change a line in the nginx config to increase the limit on the size of uploaded files: by all means, do it on the ansible server, and don't poke at the local config hoping that it will then upload itself to the central server and be saved as the reference sample for all servers.
In addition, nothing prevents having a default password (set at the role level) for most servers and a different one for a non-standard server (just override the password for the required servers in host_vars).
Update. By the way, when you said that you could catch any file, I thought about this. As for additional ansible installations: they really aren't needed. You can run an ansible script on the management server from cron, which will check for deleted files and, based on the file's existence, launch a handler that changes passwords.
The catch is still that you cannot make it so that when the user changes the password, the password gets written to a file. This makes the scheme inoperable.
Also, I will carry over from the comment the thought I was considering yesterday. You need to look in the direction of LDAP: that is exactly the directory which, when the user changes the password, changes it in the centralized repository.
Update 2. About /etc/shadow
(a quick google says that an md5 of the password is stored there): if ansible could substitute the md5 password (right now either the password itself or sha_512 can be used; need to clarify whether md5 can be slipped in somehow), then writing such a script as you want would in principle be a difficult but quite realistic task.
With the restriction that if the password changes on two or more hosts at once, the result is unpredictable: one host will be processed earlier and its password will be overwritten with information from another host.
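As an added example (not the answer author's code), here is the push model from the answer laid out end to end: the role's defaults hold the reference password hash, a host_vars file overrides it for one non-standard host, and a cron entry on the management server re-applies the reference nightly, so a password changed by hand on a client is reset on the next run. The file layout, the host name db01.example.com, the cron path and the hash values are assumptions; replace the placeholder hashes with real sha512-crypt hashes (e.g. from the password_hash('sha512') filter) before use.

```yaml
# roles/server_admin/defaults/main.yml  (assumed layout; the hash is a placeholder)
server_admin:
  login: "admin"
  password: "$6$rounds=40000$REPLACE_WITH_REAL_SHA512_CRYPT_HASH"
  ssh_key_file: "files/ssh_keys/admin.pub"

# roles/server_admin/tasks/main.yml
- name: add special user with the reference password hash
  ansible.builtin.user:
    name: "{{ server_admin.login }}"
    password: "{{ server_admin.password }}"   # must already be a crypt(3) hash
    groups: wheel
    append: true                              # add to wheel, keep other groups
    # 'always' is the module default and is what makes a password changed
    # locally on a client get reset on the next run; 'on_create' would
    # only set it when the account is first created.
    update_password: always

- name: install the reference ssh key for the special user
  ansible.posix.authorized_key:
    user: "{{ server_admin.login }}"
    key: "{{ lookup('file', server_admin.ssh_key_file) }}"

# host_vars/db01.example.com.yml  (assumed host): a different password for one host.
# The whole dict is repeated because host_vars replace the role default as a unit
# (hash_behaviour=replace is the Ansible default), they do not merge into it.
server_admin:
  login: "admin"
  password: "$6$rounds=40000$ANOTHER_PLACEHOLDER_HASH_FOR_DB01"
  ssh_key_file: "files/ssh_keys/admin.pub"

# site.yml: the playbook the management server pushes to every client
- hosts: all
  become: true
  roles:
    - server_admin

# crontab on the management server (assumed paths): re-apply the reference at midnight
# 0 0 * * * cd /etc/ansible && ansible-playbook -i inventory site.yml >> /var/log/ansible-site.log 2>&1
```

The nightly run is idempotent: hosts whose /etc/shadow entry already matches the reference hash report "ok", and only a host where someone changed the password by hand shows "changed" for the user task, which makes the cron log itself a simple drift report. Keep the defaults file (or the hashes in it) in a vault if the repository is shared, since a sha512-crypt hash is still offline-crackable.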