Ansible : what is default password for the new user created using Ansible 'user' module

5
votes

I am running a ansible-playbook template from another user, which has a task to create a new user:-

---

- name: Create the application user
  user: name={{ gunicorn_user }} state=present

- name: Create the application group
  group: name={{ gunicorn_group }} system=yes state=present

- name: Add the application user to the application group
  user: name={{ gunicorn_user }} group={{ gunicorn_group }} state=present

Here there is no password set for this user. The new user is created in system after running the playbook. But when I try to login using the newly created user, it is asking for password?

basically, rather than logging in using the new account, my intention is to understand how/why is it asking for a password? since I did not specify a password while creating user.

I checked in /etc/passwd :-

it shows youtubeadl:x:1003:999::/home/youtubeadl:

youtubeadl is the new user created

2
ansibleansible-playbook
I made a post that may help you. stackoverflow.com/questions/59660540/…Veridian

2 Answers

8
votes

If you leave out the password parameter for the user task, Ansible will create the used in a "locked" state, meaning the user has no password. She will not be able to login with a password, use a password for sudo commands or change her password.

But since you did not provide an alternative method of login authentication (e.g. an SSH key with an additional authorized_key task), you will still be asked for a password.

Background Info:

You can have a look at the password state youself, by looking at /etc/shadow (which stores the password info), not /etc/passwd (which, despite the name, stores only user account info). See https://serverfault.com/a/116511/39608 for a history of those two files.

The entry will probably look like this:

youtubeadl:!:0:0:99999:7:::

The ! in the 2nd field means the password is locked. If you issue the command 

passwd -d youtubeadl

You will set the password to empty and the password state to "expired". The entry will then look like this:

youtubeadl::0:0:99999:7:::
0
votes

Ansible's user module uses useradd under the covers which by default disables the password if a password is not specified. You should be able to confirm that by checking the user's entry in /etc/passwd - if the password is disabled then the password field should show !!.

If you want to login directly as that user using a password then you need to specify the password in the user module.

Alternatively you can add an SSH key using the authorized_keys module.

And of course, as long as the user has a proper shell set, then you should be able to su to that user from root (or with sudo from a non root user).