users

Adds local users to a host from a list of users. This role is primarily for interactive (human) users; user accounts created for a specific program or installation should be created within that program's role.

To use this role, the following information must be collected from the user:

  1. The desired username and full name for the account

  2. Password hashes for the account, which the user generates with the make passwd command (runs the goodpassword.py script)

  3. (optional) The user's SSH public key

User records are created from the userlist list, where each list item is a dictionary describing one user.

NOTE: When this role is run, the password and all SSH keys for all users specified are replaced with the ones defined in the role.

Each dictionary in the userlist has the following keys:

  • username: The Unix username for the user, which must be lowercase and contain no spaces. There may be other OS-specific requirements.

  • fullname: The full human name for the user, stored as the account's "comment" field.

  • sha512crypt and/or bcrypt: Hashed passwords using two different algorithms; which one is applied depends on the OS type. Both hashes can be generated by running make passwd (requires passlib to be installed).

  • sudoer: If set to true, the user is added to the group able to run commands as root with sudo. The particular group used is dependent on the OS's convention (usually either wheel or sudo).

  • ssh_key: Whether to copy the user's SSH public key from the local files/ search path to the remote account's ~/.ssh/authorized_keys file. The default value is true, and the file is expected to be named <username>.pub.

  • shell: The path to the shell for this user. If not provided, a per-platform default is used.

Each entry in the userlist has a few optional parameters:

  • Users are added to the additional groups listed in extra_groups. These groups must exist before users can be added to them. This option does not change or remove the user's existing group memberships.

  • Users can be created as system users by setting system: true. This will prevent the skel files from being copied on most systems, and may change some group memberships.
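As an added pre-flight check (my code, not part of this role), a small Python linter for the userlist structure described above: it catches the mistakes that are easy to make when filling in these keys, such as a username with capitals or spaces, a cleartext password pasted into a hash field, a misspelled key, or ssh_key left at its default of true without a files/<username>.pub present. The hash regexes and the pubkeys argument (standing in for the contents of files/) are my assumptions; the sample entries are constructed, reusing the README's example bcrypt hash.

```python
import re
# Modular-crypt formats for the two hash types the role accepts (regexes are mine, not the role's).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")
SHA512CRYPT_RE = re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$")
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
REQUIRED = {"username", "fullname"}
KNOWN = REQUIRED | {"sha512crypt", "bcrypt", "sudoer", "ssh_key", "shell", "system", "extra_groups"}


def lint_user(entry, pubkeys=()):
    """Return the problems found in one userlist dictionary (empty list means OK).
    pubkeys: names of the <username>.pub files present under files/ (assumed helper input)."""
    problems = []
    if missing := REQUIRED - entry.keys():
        problems.append(f"missing required keys: {sorted(missing)}")
    if unknown := entry.keys() - KNOWN:
        problems.append(f"unknown keys (typo?): {sorted(unknown)}")
    name = entry.get("username", "")
    if not USERNAME_RE.match(name):
        problems.append(f"username {name!r} must be lowercase with no spaces")
    if "sha512crypt" not in entry and "bcrypt" not in entry:
        problems.append("no password hash: need sha512crypt and/or bcrypt")
    # A value that is not in modular-crypt form is most likely a cleartext
    # password pasted by mistake; it would end up in the shadow file verbatim.
    if "bcrypt" in entry and not BCRYPT_RE.match(str(entry["bcrypt"])):
        problems.append("bcrypt value is not a $2b$ hash")
    if "sha512crypt" in entry and not SHA512CRYPT_RE.match(str(entry["sha512crypt"])):
        problems.append("sha512crypt value is not a $6$ hash")
    # ssh_key defaults to true, so the role will look for files/<username>.pub.
    if entry.get("ssh_key", True) and f"{name}.pub" not in pubkeys:
        problems.append(f"ssh_key is true but files/{name}.pub is missing")
    return problems


def lint_userlist(userlist, pubkeys=()):
    """Map each offending username (or list index) to its problems."""
    report = {}
    for i, entry in enumerate(userlist):
        if probs := lint_user(entry, pubkeys):
            report[entry.get("username", f"#{i}")] = probs
    return report


# Constructed sample: the README's aturing entry plus a deliberately broken one.
SAMPLE_USERLIST = [
    {"username": "aturing", "fullname": "Alan Turing", "sudoer": True, "ssh_key": False,
     "bcrypt": "$2b$12$kTNFlzaNI76Dcf0yEHg3buprVUz0LQvQ2.F5MWUnDcfFPzqrctLYO"},
    {"username": "Grace Hopper", "fullname": "Grace Hopper", "sudoers": True,
     "bcrypt": "correct horse battery staple"},  # cleartext, not a hash
]
```

Running lint_userlist(SAMPLE_USERLIST, pubkeys=set()) reports only the second entry, with four problems; a clean report before running the role means the keys at least have the shape the role expects.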

For reference, please see the Ansible user and authorized_key modules.

Additionally, this role can be given a list of lines in the users_sudoers variable, which are written to an /etc/sudoers.d/users_sudoers file. Each line should be formatted per the sudoers file format. The file is verified with the visudo command prior to being written, but no other validation, security, or correctness checks are made.

Related topics:

Passlib has a nice comparison of password hash security.

Requirements

Minimum ansible version: 2.9.5

Example Playbook

- hosts: all
  vars:
    userlist:
       - username: aturing
         fullname: "Alan Turing"
         bcrypt: "$2b$12$kTNFlzaNI76Dcf0yEHg3buprVUz0LQvQ2.F5MWUnDcfFPzqrctLYO"
         sha512crypt: "$6$GJL2gbfQgYPYiTgL$nnysl9a8zSk7tAJqBbZ2GFj5OWfX17QjAwt3KJ/DPnea6pMTYRmthDkxjQYuz1OaiV1vnuK3fZcdcvW8AK1390"
         sudoer: true
         system: false
         extra_groups:
           - docker
         ssh_key: false
  roles:
    - users

License and Author

© 2020 Open Networking Foundation support@opennetworking.org

License: Apache-2.0