Using Ansible to Align Passwords on Servers

The Problem:

A group of servers get their passwords updated every 3 months with a new shared password. The servers passwords are then inconsistently updated leaving a group of servers with one of several possible user passwords.

The Goal:

Use Ansible to attempt to login to each server using each of the possible passwords to find the correct one and log it. The final step of the playbook will have Ansible logging into each server using the found to be correct password and updating each server to a new shared password.

note - using the same root password on all your servers is a terrible idea and completely against the SysAdmin Bible. Use random passwords and keys!

HowTo:

  • Download the playbook from
  • Create a branch to edit the variables for your environment
  sandor@theargo cd ~/Codestuff/ansibles/Ansible-AlignPassword
  sandor@theargo git checkout -b qatenv    
  • ansible-vault the file that will contain the passwords.
  sandor@theargo ansible-vault encrypt group_vars/all
  • Edit the vars for the environment
  sandor@theargo ansible-vault edit group_vars/all
  • Add the inventory to hosts
  • Verify Ansible connect with ping pong
  sandor@theargo ansible -i hosts all -m ping
  • Run the playbook
  sandor@theargo ansible-playbook -i hosts site.yml -vv

Common Task Actions

  • Attempt to login to each server using all possible passwords
  • Register which passwords work on each server
  • Set a new shared password for every server

Variables

Go here:

group_vars/al

With this format:

variable: value