Latest revision as of 11:58, 11 August 2024
Ansible Playbook: Sudo Users creation with SSH Keys
This Ansible playbook configures users with sudo privileges, sets up SSH keys, and requires users to change their password upon first login.
Overview
The playbook performs the following tasks:
- Installs necessary packages based on the operating system (Debian/Ubuntu or RedHat/CentOS).
- Checks if users already exist.
- Generates passwords for new users.
- Creates new users with these passwords and assigns them to the sudo group.
- Sets passwords to expire upon the user's first login.
- Deploys SSH public keys for users.
- Sends the password to users via email.
Variables
- users: A list of users to be created, each with the following attributes:
  - username: The username for the new account.
  - ssh_key: The SSH public key to be deployed for the user.
  - email: The email address where the password will be sent.
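A pre-flight check for the users list, added here as an example and not part of the SdNOG playbook. Because every entry ends up as a sudo-capable account, it is worth rejecting malformed input before Ansible touches the hosts: the script verifies that each username is POSIX-safe, that the ssh_key is a parseable one-line OpenSSH public key whose base64 body really encodes the key type named in its prefix, and that the email has a plausible shape. The sample entries and the all-zero ed25519 key blob are constructed for the demonstration; the function names are this example's own.

```python
"""Validate the `users` variable of the sudo-users playbook before running it.

Added example, not part of the SdNOG playbook. Sample data is constructed.
"""
import base64
import re
import struct

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_ssh_public_key(key: str):
    """Return (key_type, comment) for a one-line OpenSSH public key.

    The base64 body is decoded and its first length-prefixed field must name
    the same key type as the text prefix; anything else raises ValueError.
    """
    parts = key.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key body is not valid base64: {exc}") from None
    if len(raw) < 4:
        raise ValueError("key body too short")
    (n,) = struct.unpack(">I", raw[:4])
    embedded = raw[4:4 + n].decode("ascii", errors="replace")
    if embedded != key_type:
        raise ValueError(f"prefix {key_type!r} does not match embedded type {embedded!r}")
    return key_type, comment


def validate_users(users):
    """Return a list of 'username: problem' strings; an empty list means all entries are usable."""
    problems = []
    seen = set()
    for entry in users:
        name = str(entry.get("username", ""))
        if not USERNAME_RE.match(name):
            problems.append(f"{name!r}: invalid username")
        if name in seen:
            problems.append(f"{name!r}: duplicate username")
        seen.add(name)
        try:
            parse_ssh_public_key(str(entry.get("ssh_key", "")))
        except ValueError as exc:
            problems.append(f"{name!r}: ssh_key: {exc}")
        if not EMAIL_RE.match(str(entry.get("email", ""))):
            problems.append(f"{name!r}: invalid email")
    return problems


def fake_ed25519_key(comment: str) -> str:
    """Build a syntactically valid ed25519 public key line with a constructed
    all-zero 32-byte point. For exercising the validator only."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed sample input: one well-formed entry and one with three defects.
SAMPLE_USERS = [
    {"username": "sdnog-user",
     "ssh_key": fake_ed25519_key("eddsa-key-20240807"),
     "email": "user@example.com"},
    {"username": "Bad User", "ssh_key": "ssh-rsa notbase64!!", "email": "no-at-sign"},
]

if __name__ == "__main__":
    for problem in validate_users(SAMPLE_USERS) or ["all entries valid"]:
        print(problem)
```

Run it against the same YAML that feeds the playbook (load it with a YAML parser and pass the `users` list) and abort the run if the returned list is non-empty.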
Tasks
1. Install Required Packages
For Debian/Ubuntu
- name: needed packages are installed (Debian/Ubuntu)
  apt:
    name: "{{ item }}"
    state: latest
  loop: ["sudo", "openssh-server", "mailutils"]
  when: ansible_facts['os_family'] == "Debian"
For RedHat/CentOS
- name: needed packages are installed (RedHat/CentOS)
  yum:
    name: "{{ item }}"
    state: latest
  loop: ["sudo", "openssh-server", "mailx"]
  when: ansible_facts['os_family'] == "RedHat"
2. Check if Users Exist and Set Facts for New Users
- name: Check if users exist and set fact for new users
  command: "getent passwd {{ item.username }}"
  register: user_check
  loop: "{{ users }}"
  changed_when: false
  failed_when: false
3. Generate Passwords for New Users
- name: Generate passwords for new users
  set_fact:
    # chars is a comma-separated list of names from Python's string module;
    # "ascii_letters+digits" is not such a name and would be used literally
    user_passwords: "{{ user_passwords | default({}) | combine({item.item.username: lookup('password', '/dev/null length=15 chars=ascii_letters,digits')}) }}"
  loop: "{{ user_check.results }}"
  when: item.stdout == ""
  # keep the generated passwords out of the Ansible output and logs
  no_log: true
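The chars= argument of the password lookup is a comma-separated list of names from Python's string module (ascii_letters, digits, punctuation, and so on); a spelling such as ascii_letters+digits is not one of those names, so the lookup uses its characters literally and the alphabet shrinks to the twelve distinct characters in that spelling. The script below is an added example, not Ansible's code: it re-implements that documented expansion rule (an assumption about the lookup's behaviour, stated here so it can be checked against the plugin source), compares the entropy bound of both spellings at the playbook's length of 15, and generates a password from the expanded alphabet with a CSPRNG.

```python
"""How the `chars=` value of Ansible's `password` lookup expands, and what it
costs to misspell it. Added example; the functions are this example's own
re-implementation of the lookup's documented rule, not Ansible's code.
"""
import math
import secrets
import string


def candidate_chars(chars_spec: str) -> str:
    """Expand a `chars=` value: split on commas, map each piece to the
    `string` module attribute of that name, else use the piece literally.
    ',,' is the documented way to include a comma itself."""
    pieces = []
    if ",," in chars_spec:
        pieces.append(",")
    pieces.extend(p for p in chars_spec.replace(",,", ",").split(",") if p)
    expanded = []
    for piece in pieces:
        value = getattr(string, piece, piece)
        expanded.append(value if isinstance(value, str) else piece)
    return "".join(expanded)


def entropy_bits(chars_spec: str, length: int) -> float:
    """Upper bound on password entropy: length * log2(distinct characters)."""
    distinct = len(set(candidate_chars(chars_spec)))
    return length * math.log2(distinct) if distinct > 1 else 0.0


def generate_password(chars_spec: str, length: int) -> str:
    """Generate a password from the expanded alphabet with a CSPRNG.
    The alphabet is de-duplicated so repeated characters do not bias the draw."""
    alphabet = "".join(sorted(set(candidate_chars(chars_spec))))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for spec in ("ascii_letters+digits", "ascii_letters,digits"):
        distinct = len(set(candidate_chars(spec)))
        print(f"{spec:22s} distinct={distinct:3d} "
              f"entropy<= {entropy_bits(spec, 15):5.1f} bits "
              f"sample={generate_password(spec, 15)}")
```

The same spelling mistake is silent in Ansible: the lookup neither warns nor fails, so the only way to notice is to inspect the alphabet as done here.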
4. Create New Users with Plain-Text Passwords
- name: Create new users with plain-text passwords if they do not exist
  user:
    name: "{{ item.username }}"
    password: "{{ user_passwords[item.username] | default('') | password_hash('sha512') }}"
    # Debian/Ubuntu grant sudo through the 'sudo' group, RedHat/CentOS through 'wheel'
    groups: "{{ 'sudo' if ansible_facts['os_family'] == 'Debian' else 'wheel' }}"
    append: yes
    create_home: yes
    shell: /bin/bash
    update_password: on_create
    expires: -1
  loop: "{{ users }}"
  # default({}) keeps the condition valid when no new users were found
  when: item.username in (user_passwords | default({}))
  # the password hash is a module argument; keep it out of the Ansible output and logs
  no_log: true
5. Set Password to Expire Upon First Login
- name: Set password to expire upon first login for newly created users
  command: chage -d 0 "{{ item.username }}"
  loop: "{{ users }}"
  when: item.username in (user_passwords | default({}))
6. Deploy SSH Public Keys for the Users
- name: Deploy SSH public keys for the users
  authorized_key:
    user: "{{ item.username }}"
    state: present
    key: "{{ item.ssh_key }}"
  loop: "{{ users }}"
7. Send Password to Users via Email
- name: Send password to users via email
  mail:
    host: relay.example.com
    port: 25
    to: "{{ item.email }}"
    subject: "Your new account password"
    body: |
      Dear {{ item.username }},

      Your new account has been created on the following host: {{ ansible_host }}.

      Username: {{ item.username }}
      Password: {{ user_passwords[item.username] }}

      Please change your password upon first login.

      **Note:** This is an automated message generated by Ansible. Please do not reply to this email.

      Best regards,
      Sdnog Team
    from: sdnog-ansible-at-email.com
  loop: "{{ users }}"
  when: item.username in (user_passwords | default({}))
  # the body carries the plain-text password; keep it out of the Ansible output and logs
  no_log: true
Appendix
Full Code
- name: Configure sudo users with SSH keys and require password change on first login
  hosts: host-ip-address
  become: true
  vars:
    users:
      - username: sdnog-user
        ssh_key: "ssh-ed25519 some SSH KEY here eddsa-key-20240807"
        email: "email-at-example.com"
  tasks:
    - name: needed packages are installed (Debian/Ubuntu)
      apt:
        name: "{{ item }}"
        state: latest
      loop: ["sudo", "openssh-server", "mailutils"]
      when: ansible_facts['os_family'] == "Debian"

    - name: needed packages are installed (RedHat/CentOS)
      yum:
        name: "{{ item }}"
        state: latest
      loop: ["sudo", "openssh-server", "mailx"]
      when: ansible_facts['os_family'] == "RedHat"

    - name: Check if users exist and set fact for new users
      command: "getent passwd {{ item.username }}"
      register: user_check
      loop: "{{ users }}"
      changed_when: false
      failed_when: false

    - name: Generate passwords for new users
      set_fact:
        # chars is a comma-separated list of names from Python's string module;
        # "ascii_letters+digits" is not such a name and would be used literally
        user_passwords: "{{ user_passwords | default({}) | combine({item.item.username: lookup('password', '/dev/null length=15 chars=ascii_letters,digits')}) }}"
      loop: "{{ user_check.results }}"
      when: item.stdout == ""
      # keep the generated passwords out of the Ansible output and logs
      no_log: true

    - name: Create new users with plain-text passwords if they do not exist
      user:
        name: "{{ item.username }}"
        password: "{{ user_passwords[item.username] | default('') | password_hash('sha512') }}"
        # Debian/Ubuntu grant sudo through the 'sudo' group, RedHat/CentOS through 'wheel'
        groups: "{{ 'sudo' if ansible_facts['os_family'] == 'Debian' else 'wheel' }}"
        append: yes
        create_home: yes
        shell: /bin/bash
        update_password: on_create
        expires: -1
      loop: "{{ users }}"
      # default({}) keeps the condition valid when no new users were found
      when: item.username in (user_passwords | default({}))
      no_log: true

    - name: Set password to expire upon first login for newly created users
      command: chage -d 0 "{{ item.username }}"
      loop: "{{ users }}"
      when: item.username in (user_passwords | default({}))

    - name: Deploy SSH public keys for the users
      authorized_key:
        user: "{{ item.username }}"
        state: present
        key: "{{ item.ssh_key }}"
      loop: "{{ users }}"

    - name: Send password to users via email
      mail:
        host: relay.example.com
        port: 25
        to: "{{ item.email }}"
        subject: "Your new account password"
        body: |
          Dear {{ item.username }},

          Your new account has been created on the following host: {{ ansible_host }}.

          Username: {{ item.username }}
          Password: {{ user_passwords[item.username] }}

          Please change your password upon first login.

          **Note:** This is an automated message generated by Ansible. Please do not reply to this email.

          Best regards,
          Sdnog Team
        from: sdnog-ansible-at-example.com
      loop: "{{ users }}"
      when: item.username in (user_passwords | default({}))
      # the body carries the plain-text password; keep it out of the Ansible output and logs
      no_log: true
Author
- Author: Manhal Mohamed, SdNOG Team