Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Ansible : what is default password for the new user created using Ansible 'user' module

I am running a ansible-playbook template from another user, which has a task to create a new user:-

---

- name: Create the application user
  user: name={{ gunicorn_user }} state=present

- name: Create the application group
  group: name={{ gunicorn_group }} system=yes state=present

- name: Add the application user to the application group
  user: name={{ gunicorn_user }} group={{ gunicorn_group }} state=present

Here there is no password set for this user. The new user is created in system after running the playbook. But when I try to login using the newly created user, it is asking for password?

basically, rather than logging in using the new account, my intention is to understand how/why is it asking for a password? since I did not specify a password while creating user.

I checked in /etc/passwd :-

it shows youtubeadl:x:1003:999::/home/youtubeadl:

youtubeadl is the new user created

like image 375
Remis Haroon - رامز Avatar asked Jan 30 '16 16:01

Remis Haroon - رامز


1 Answers

If you leave out the password parameter for the user task, Ansible will create the used in a "locked" state, meaning the user has no password. She will not be able to login with a password, use a password for sudo commands or change her password.

But since you did not provide an alternative method of login authentication (e.g. an SSH key with an additional authorized_key task), you will still be asked for a password.

Background Info:

You can have a look at the password state youself, by looking at /etc/shadow (which stores the password info), not /etc/passwd (which, despite the name, stores only user account info). See https://serverfault.com/a/116511/39608 for a history of those two files.

The entry will probably look like this:

youtubeadl:!:0:0:99999:7:::

The ! in the 2nd field means the password is locked. If you issue the command

passwd -d youtubeadl

You will set the password to empty and the password state to "expired". The entry will then look like this:

youtubeadl::0:0:99999:7:::
like image 200
chiborg Avatar answered Oct 04 '22 20:10

chiborg