If you are using the Ansible user module to manage accounts on a Linux or Unix system, the password parameter expects an already hashed password: the crypt(3) string that ends up in /etc/shadow, which the module documentation loosely calls an "encrypted" password. There is no interactive prompt, and if you pass a cleartext value on Linux the literal string is stored as the hash and nobody can log in with it. On macOS, by contrast, the password value has to be cleartext. This guide shows how to generate a Linux password hash for use with the Ansible user module.
There are several ways to generate a hashed user password on a Linux system: Python's crypt module, the mkpasswd command-line utility, and Ansible's own password_hash filter, among others. This guide covers the first two.
Generate encrypted password with Python3
To generate the hash you need the python3 package on your system. The crypt module used below is part of the Python standard library, so no third-party package is required. Install python3 for your operating system if it is missing:
### CentOS ###
sudo yum -y install epel-release
sudo yum -y install python3
### Ubuntu / Debian ###
sudo apt update
sudo apt install python3
To generate the hash, use a command such as this. Leaving the salt argument out makes crypt.crypt() choose the strongest method the C library supports together with a fresh random salt, which is why the result below starts with $6$ (SHA-512) and differs on every run. Note that the crypt module is deprecated since Python 3.11 and removed in Python 3.13; on newer interpreters use mkpasswd or Passlib as shown in the following sections.
python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
It will ask you to enter and confirm the password:
Password:
Confirm:
$6$/1OFlW9yH1KHHiOm$pn2SfNgbF/rbblahjseab/p1Xb6Z29UZik.BUilZ.TLnp9yvl2HViB3fs8XdVteboeioss7o2A4g1IYxw.TFJ/
Use the printed hash as the value of the password parameter of the Ansible user module.
Generate encrypted password with Python2
If using Python 2, e.g. on a CentOS 7 server, the standard-library crypt.crypt() requires an explicit salt argument (it only became optional in Python 3.3), so the one-liner above fails with a TypeError. Use the Passlib library instead. First install pip:
sudo yum -y install python-pip
Then install Passlib:
sudo pip install passlib
Generate the hash with the command below. rounds=5000 is the glibc default and keeps the output in the plain $6$salt$hash form; Passlib's own default is a much higher round count, which is also valid but adds a rounds= field and makes every login slower to verify:
python -c 'from passlib.hash import sha512_crypt; import getpass; pw=getpass.getpass(); print(sha512_crypt.using(rounds=5000).hash(pw) if pw==getpass.getpass("Confirm: ") else exit())'
The output has the same $6$ format as before:
Password:
Confirm:
$6$4QSwvTfs5ijeRo6V$qAgug/HU1WUe7e/s5c6H0HQDCb4QnOumJ6bgxyykiKgewNTr/ifF5yUBq7taNZ0eJAqrXXXwzvxd9ewgq9XHI0
Generate encrypted password using mkpasswd
You can also use the mkpasswd utility to generate the hash. On Debian and Ubuntu it ships in the whois package (there is no separate mkpasswd package). Be aware that the mkpasswd installed by the expect package on CentOS and Fedora is an unrelated Tcl script that generates random passwords and does not accept --method, so on those systems use the Python approach above or openssl passwd -6 (OpenSSL 1.1.1 or newer; CentOS 7 ships 1.0.2, which lacks it).
Install mkpasswd:
### Ubuntu / Debian ###
sudo apt update
sudo apt install whois
Generate the hash (mkpasswd prompts for the password and picks a random salt; mkpasswd -m help lists the available methods):
$ mkpasswd --method=sha-512
Password:
$6$ieMLxPFShvi6rao9$XEAU9ZDvnPtL.sDuSdRi6M79sgD9254b/0wZvftBNvMOjj3pHJBCIe04x2M.JA7gZ7MwpBWat1t4WQDFziZPw1
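All three tools produce the same thing: a crypt(3) SHA-512 hash of the form $6$<salt>$<86 characters>, with an optional rounds=N$ field after $6$ when a non-default round count is used. The following is an added example, not code from the original article, from Ansible or from mkpasswd: a dependency-free Python implementation of that algorithm (Ulrich Drepper's SHA-crypt specification, which glibc's crypt(3), mkpasswd --method=sha-512 and Ansible's password_hash('sha512') all implement), together with a verify() function that checks a password against an existing hash by reusing its salt and round count. That is what login and su do against /etc/shadow, so it lets you confirm a hash from any of the methods above before a playbook runs, and it also works on Python 3.13 where the crypt module is gone. The "Hello world!"/"saltstring" pair is the specification's published test vector; the other sample password is constructed for illustration, and the function names are chosen here.

```python
"""Pure-Python SHA-512 crypt ($6$), the hash format every tool on this page emits.

Added example, not code from the original article, Ansible or mkpasswd. Follows
Ulrich Drepper's SHA-crypt specification (the algorithm behind glibc crypt(3)).
"""
import hashlib
import hmac
import secrets

# crypt(3) "itoa64" alphabet; not the RFC 4648 base64 alphabet
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Order in which the 64 digest bytes are emitted, three at a time (from the spec)
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]
DEFAULT_ROUNDS = 5000   # used when the hash carries no rounds= field
MAX_SALT_LEN = 16       # crypt(3) silently truncates longer salts


def _b64_24bit(b2, b1, b0, n):
    """Emit n characters of the 24-bit value (b2 b1 b0), low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _repeat_to(block, length):
    """First `length` bytes of `block` repeated (the spec's P and S sequences)."""
    return (block * (length // len(block) + 1))[:length]


def random_salt(length=MAX_SALT_LEN):
    """CSPRNG salt drawn from the crypt alphabet, as mkpasswd and crypt.mksalt do."""
    return "".join(secrets.choice(_ITOA64) for _ in range(length))


def sha512_crypt(password, salt=None, rounds=DEFAULT_ROUNDS):
    """Return a $6$ hash string usable as the Ansible user module's password."""
    salt = (salt if salt is not None else random_salt())[:MAX_SALT_LEN]
    rounds = max(1000, min(rounds, 999_999_999))   # glibc clamps the same way
    key, sb = password.encode(), salt.encode()
    sha = hashlib.sha512

    b = sha(key + sb + key).digest()              # digest B
    ctx = sha(key + sb)                           # digest A starts with pw || salt
    ctx.update(_repeat_to(b, len(key)))           # plus B stretched to len(pw)
    cnt = len(key)
    while cnt > 0:                                # bits of len(pw): 1 -> B, 0 -> pw
        ctx.update(b if cnt & 1 else key)
        cnt >>= 1
    a = ctx.digest()

    p = _repeat_to(sha(key * len(key)).digest(), len(key))   # sequence P
    s = _repeat_to(sha(sb * (16 + a[0])).digest(), len(sb))  # sequence S

    for i in range(rounds):                       # the cost parameter
        ctx = sha()
        ctx.update(p if i & 1 else a)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(a if i & 1 else p)
        a = ctx.digest()

    digest = "".join(_b64_24bit(a[x], a[y], a[z], 4) for x, y, z in _ORDER)
    digest += _b64_24bit(0, 0, a[63], 2)
    rounds_field = f"rounds={rounds}$" if rounds != DEFAULT_ROUNDS else ""
    return f"$6${rounds_field}{salt}${digest}"


def verify(password, stored):
    """Check a password against a stored $6$ hash, reusing its salt and rounds.
    This is what login and su do with /etc/shadow; comparison is constant-time."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a SHA-512 crypt hash")
    rounds = DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        rounds = int(parts[2][len("rounds="):])
        del parts[2]
    salt, digest = parts[2], parts[3]
    recomputed = sha512_crypt(password, salt, rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(recomputed, digest)


if __name__ == "__main__":
    # Published test vector from the SHA-crypt specification
    print(sha512_crypt("Hello world!", "saltstring"))
    # Constructed sample: random salt, non-default rounds, then an offline check
    h = sha512_crypt("s3cret-demo-password", rounds=10000)
    print(h, verify("s3cret-demo-password", h), verify("wrong", h))
```

Run it directly to print the test-vector hash and a freshly salted one. The verify() call is the offline equivalent of the su - demo check used later on this page: paste a hash produced by any of the three tools and the password it came from, and a True result means the host will accept that login. Salts are truncated to 16 characters and the round count is clamped exactly as glibc does, so hashes from mkpasswd --rounds or Passlib's rounds= field verify correctly too.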
Testing the generated password hash
We can create a user with the hash and confirm that we can log in with the password it was generated from.
$ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'
Password:
Confirm:
$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.
Create the user-creation playbook:
vim user_create.yml
Add the following. The hash goes into the playbook verbatim; if the playbook lives in a shared repository, store it with Ansible Vault rather than in cleartext, since a leaked hash can be cracked offline. Note also that update_password: always resets the password on every run, including any change the user made themselves; use update_password: on_create if that is not what you want.
---
- name: Create demo user
  hosts: localhost
  become: yes
  become_method: sudo
  vars:
    users:
      - username: demo
        password: $6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.
  tasks:
    - name: Create user demo
      user:
        name: "{{ item.username }}"
        shell: /bin/bash
        create_home: yes
        group: wheel
        generate_ssh_key: yes
        ssh_key_bits: 2048
        password: "{{ item.password }}"
        update_password: always
      with_items: "{{ users }}"
Execute the playbook to create the user:
$ ansible-playbook user_create.yml --user=jkmutai --ask-pass --ask-become-pass
SSH password:
BECOME password[defaults to SSH password]:
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [Create demo user] ********************************************************************************************************************************
TASK [Gathering Facts] *********************************************************************************************************************************
ok: [localhost]
TASK [Create user demo] ********************************************************************************************************************************
changed: [localhost] => (item={'username': 'demo', 'password': '$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.'})
PLAY RECAP *********************************************************************************************************************************************
localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Confirm the user has been created:
$ getent passwd demo
demo:x:1002:10::/var/home/demo:/bin/bash
Switch to the user to confirm that the hashed password works:
$ su - demo
Password:
Welcome to Fedora Silverblue. This terminal is running on the
host system. You may want to try out the Toolbox for a directly
mutable environment that allows package installation with DNF.
For more information, see the documentation.
[demo@fed ~]$
Clean up by deleting the test user:
$ sudo userdel -r demo
$ id demo
id: ‘demo’: no such user
That’s all on how to generate an encrypted Linux user’s password for Ansible.
More on Ansible:
- Best Books To learn Docker and Ansible Automation
- Run Ansible Playbook with Vagrant up
- Deploy Kubernetes Cluster on CentOS 7 / CentOS 8 With Ansible and Calico CNI
- Ansible Vault Cheat Sheet / Reference guide
- How to automate simple repetitive tasks using Ansible
- Deploy Production Ready Kubernetes Cluster with Ansible & Kubespray