Adds local user accounts to a host from a list of users. This role is intended for interactive (human) users; accounts needed by a specific program or installation should be created by that program's own role.
To use this role, the following information must be collected from the user:
- The desired username and full name for the account
- Password hashes, which the user generates with the make passwd command (this runs the goodpassword.py script)
- (optional) The user's SSH public key
User records are created from the list userlist, where each list item is a per-user dictionary.
NOTE: When this role is run, the password and all SSH authorized keys of every user listed are replaced with the ones defined in the role; any password or key set on the host by other means is overwritten.
Each item in the userlist has the following keys:
- username: The Unix username for the user. It should be lowercase and contain no spaces; there may be other OS-specific requirements.
- fullname: The full human name, or "comment" (the GECOS field), for the user.
- sha512crypt and/or bcrypt: The hashed password in two different algorithms; which one is used depends on the target OS type. Both hashes can be generated by running make passwd (requires passlib to be installed).
- sudoer: If set to true, the user is added to the group allowed to run commands as root with sudo. The group used follows the OS's convention (usually either wheel or sudo).
- ssh_key: Whether to copy the user's SSH public key from the local files/ search path to the remote account's ~/.ssh/authorized_keys file. The default is true, and the file is expected to be named <username>.pub.
- shell: The path to the user's login shell. If not provided, a per-platform default is used.
Each entry in the userlist also accepts a few optional parameters:
- extra_groups: A list of additional groups the user is added to. These groups must already exist before the role runs. This option does not change or remove the user's existing group memberships.
- system: If set to true, the user is created as a system user. On most systems this prevents the skel files from being copied into the home directory, and it may change some group memberships.
For reference, please see the Ansible user and authorized_key modules.
Additionally, this role can be given a list of lines in the users_sudoers variable, which are written to an /etc/sudoers.d/users_sudoers file. Each line must follow the sudoers file format. The file is checked with the visudo command before it is installed, which catches syntax errors only: no validation of what the lines grant (for example NOPASSWD or unrestricted ALL rules) is performed, so review them as carefully as a direct edit to /etc/sudoers.
Related topics:
Passlib has a nice comparison of password hash security.
Minimum Ansible version: 2.9.5
Example playbook:

```yaml
- hosts: all
  vars:
    userlist:
      - username: aturing
        fullname: "Alan Turing"
        bcrypt: "$2b$12$kTNFlzaNI76Dcf0yEHg3buprVUz0LQvQ2.F5MWUnDcfFPzqrctLYO"
        sha512crypt: "$6$GJL2gbfQgYPYiTgL$nnysl9a8zSk7tAJqBbZ2GFj5OWfX17QjAwt3KJ/DPnea6pMTYRmthDkxjQYuz1OaiV1vnuK3fZcdcvW8AK1390"
        sudoer: true
        system: false
        extra_groups:
          - docker
        ssh_key: false
  roles:
    - users
```
© 2020 Open Networking Foundation support@opennetworking.org
License: Apache-2.0