Ansible is a program designed to manage Linux servers. See the blog post on setting up Ansible, creating a script, creating an inventory file, and calling a script from the command line. You can call a single server or multiple servers by separating them with a colon on the ‘hosts’ line. If a large number of hosts needs to be called, create a group in the inventory.ini file and call the group on the ‘hosts’ line.
Create a New User’s Account on Multiple Servers
When a new hire comes onboard, rather than log into each server directly and manually create their accounts, run this script and it will create the accounts on all servers simultaneously.
# Ansible script, newuser.yml
# Create a user, home directory, add user to a group, and set password.
# cmd: ansible-playbook -K -i inventory.ini newuser.yml --extra-vars 'newpassword=P@$$w0rd'
#      (single quotes keep the shell from expanding "$$" inside the password)
---
- name: Create user
  hosts: server1.company.com:server2.company.com:server3.company.com
  become: yes
  tasks:
    - name: create user
      ansible.builtin.user:
        name: User1
        # the plaintext from --extra-vars is hashed before it reaches /etc/shadow
        password: "{{ newpassword|password_hash('sha512') }}"
        groups: sudo
        state: present
        shell: /bin/bash
        create_home: yes
        system: no
        append: yes
Get a List of Servers that have a Specific User’s Account
If a user leaves the company, you can never be sure which Linux servers they were given access to, so I run this to get a list of the servers on which they have accounts. It writes the results to a text file, where they can easily be viewed. This script calls a host group called “all_servers” in the inventory.ini file.
# Ansible script, finduser.yml
# Identify the servers that have an account and put results into a txt file.
# cmd: ansible-playbook -K -i inventory.ini finduser.yml
---
- name: Find user accounts
  hosts: all_servers
  gather_facts: false
  become: True
  tasks:
    - name: Make a new file
      shell:
        cmd: echo "New file results" > /home/user1/finduser.txt
      delegate_to: localhost
      run_once: True
    - name: Run finduser.sh script
      script: /home/user1/finduser.sh
      ignore_errors: True
      register: results          # registered separately on every host
    - name: append results to file
      lineinfile:
        dest: /home/user1/finduser.txt
        line: "{{ results.stdout }}"   # each host's output is appended in turn
        insertafter: EOF
      delegate_to: localhost
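The playbook above depends on an external finduser.sh, and lineinfile does not record which host each line came from. As an added example, not the author's playbook, here is the same audit done with the built-in ansible.builtin.getent module, producing one host-labelled line per server; the variable name audit_user and the playbook name audituser.yml are assumptions.

```yaml
# Added example: audit which hosts in all_servers still have an account for one user.
# cmd: ansible-playbook -K -i inventory.ini audituser.yml --extra-vars audit_user=User1
---
- name: Audit which servers have an account for a user
  hosts: all_servers
  become: true
  gather_facts: false
  vars:
    audit_user: User1           # assumed variable name; override from the command line
  tasks:
    - name: Look the user up in each host's passwd database
      ansible.builtin.getent:
        database: passwd
        key: "{{ audit_user }}"
        fail_key: false         # a missing entry is a result, not an error

    - name: Remember the per-host answer (the lookup stores None when nothing matched)
      ansible.builtin.set_fact:
        account_present: "{{ getent_passwd[audit_user] is not none }}"

    - name: Write one report on the control node, one line per host
      ansible.builtin.copy:
        dest: /home/user1/finduser.txt
        mode: "0600"
        content: |
          {% for h in ansible_play_hosts %}
          {{ h }}: {{ 'present' if hostvars[h].account_present | bool else 'absent' }}
          {% endfor %}
      delegate_to: localhost
      become: false
      run_once: true
```

Hosts that were unreachable during the run are not in ansible_play_hosts and so do not appear in the report, so compare its host list against the inventory before treating "absent" as complete.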
Remove A User’s Account
Once you have identified which servers the user has an account on, add the username to the script and specify the target hosts. As before, you can list multiple servers separated by a colon, or create a group in the inventory.ini file and then add the group name to the ‘hosts’ line.
# Ansible script, deleteuser.yml
# Remove user account and remove /home folder
# cmd: ansible-playbook -K -i inventory.ini deleteuser.yml
---
- name: Remove user
  hosts: server01.company.com:server02.company.com
  become: true
  gather_facts: false
  tasks:
    - name: remove user
      ansible.builtin.user:
        name: User1
        state: absent
        remove: yes        # also deletes the home directory and mail spool
Push a Key to Multiple Servers
It is recommended that users log in using public and private keys. It is easy to push a user's public key to multiple servers at the same time. Replace the value of ‘key’ with the user's actual public key, surrounded by double quotes.
The authorized_key module handles creating the .ssh directory and setting permissions on all files.
# Ansible script, pushpublickey.yml
# Push a user's public key to the servers.
# cmd: ansible-playbook -K -i inventory.ini pushpublickey.yml
---
- name: Push public keys to all servers.
  hosts: all_servers
  become: true
  gather_facts: false
  tasks:
    - name: Push public key.
      authorized_key:
        user: user1
        state: present
        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3AZEUvLo5/plnlDsIPRNp0Zx1Is9mZ3NqfmQUj6pDV6wEPtl7jbY12SY243/O7h+rqfkRJEyHgHnmBU9PewsENSXR6asdfgh3cFDJIuZWUMovkS3PehIIvqUFDN9/G5xV1nmz2e41IX/vAqsHw6nP4WvescHIUXPhRmUK4MbLSBvGgLOQa3f+UMAIque3nVfh0ZxWzE1YyMH7lpXMbdTIBcr/LZwdZXmPQpdnaEavAuKKQZiSylcGuThXp1ciPXK7x9RRBje3MN5N5lQRNI6amZz+zPh9CTZShvP6PWNGeNkMysAYPpB90KwGg/JN+GJn6mws/I58I/C22uxFDGRoiZiwJZDZZ3SJyuenEZ6w4oYLN8c8llo5D01ecoUUZjV/3lx6Drm68sVe/rOajFtLbIoHy0lZEp1kM/Hv5nGf9ISDwLyNLD91aG747buPrPIm4yqea2+Pcv1p1VspCc= user123@xxxxxxxx"
        manage_dir: true   # create ~/.ssh and fix its permissions if needed
Change a User’s Password
Perhaps a user forgot their password, or has left the company, and you need to change it. Again, modify the ‘hosts’ line as necessary, with a single server, multiple servers, or a group of servers.
# Ansible script, chpassword.yml
# Change a user's password.
# cmd: ansible-playbook -K -i inventory.ini chpassword.yml --extra-vars 'newpassword=P@$$w0rd'
#      (single quotes keep the shell from expanding "$$" inside the password)
---
- hosts: all_servers
  become: yes
  tasks:
    - name: Change users password
      user:
        name: deeznuts
        update_password: always     # overwrite even if a password is already set
        password: "{{ newpassword|password_hash('sha512') }}"