Ansible equivalent of "passwd -l" - linux

I'm trying to lock a user account that I just created with Ansible (it should not be possible to log into this account). I know you can do this using the shell module by running "passwd -l".
Is there a way to do this via the user module, or something similar?

I think that's not possible.
Maybe the following is an option?
- user:
name: someone
shell: /sbin/nologin
I think this is even more secure than using passwd -l as the latter would only disable the password. The user would still be able to login by ssh key authentication.

You can use attribute 'password_lock'
password_lock: yes
^^ This is the equivalent of 'usermod -L'

Related

SSH and sudo over a pseudo-tty terminal

I am trying to overcome some limitations in our environment to write up an authorized SSH file for passwordless ssh keys.
I am requiring to perform an ssh as a to a target system, and then run a "sudo su - , and then update the service account authorized_keys with a key"
This eventually has to go onto my ansible scripts.
I am using "ssh -t user#target "sudo su - service-user" - which actually successfully gets me into a shell for service-user. But I am not able to figure out a way to pass along the file modify commands with the above.
Any tips or alternative options?
Note: I need to use "ssh -t" option as the requiretty is not set on target systems.
Cheers!
Depending on what transport you're using you can use ssh_args.
OpenSSH is the default connection type for Ansible on OSes that are new enough to support ControlPersist. (This means basically all operating systems except Enterprise Linux 6 or earlier).
Then you can do something like this in your ansible.cfg:
ssh_args = -t -t
Which will force ansible to connect the same way you do manually.
Then in your playbook or together with the task where you need it specify become and become_user
- name: Some task
debug: msg="this is a test"
become: true
become_user: someuser
su has an option, -c, that allows you to pass along a command to execute instead of launching a new shell.
-c, --command=COMMAND
pass a single COMMAND to the shell with -c
However, you're authenticating with sudo, which already does this by default; you can just cut su out of the command entirely:
ssh -t user#target "sudo -u service-user <your-command>"
To go one step further, you note that you're planning on putting this into an Ansible playbook. If so, you probably shouldn't be spending too much time trying to do this manually - Ansible will handle running commands remotely (that's one of its primary features, after all), and has a module for modifying the authorized_keys file.

Modifying Cpanel account over SSH

My Cpanel licence has expired and I need to enable shell access for account X , Can I do it over ssh as root? I'm able to create account , however I don't know hot to modify it. I was not able to find answer for this question.
Thank You.
You can change user shell through command line using " usermod " command
usermod -s /bin/bash USERNAME
You can check /etc/passwd file to verify user shell.

shell script to shutdown/restart Linux system

Is there any suitable shell script for shutting down or restarting a Linux machine? I have tried a shell script for shutdown, but when I enter sudo shutdown it will ask for the password. How we can enter the password using the script?
Another, in my opinion cleaner approach:
Create a new file in /etc/sudoers.d/ with content:
%users ALL=NOPASSWD: /sbin/shutdown
%users ALL=NOPASSWD: /sbin/reboot
This causes sudo to not ask for the password, if any user of group "users" tries to execute a shutdown or reboot. Of course you can also specify another group, maybe a newly created group for finer control of reboot permissions.
More information about the other possible settings for sudo can be found in the Manpage.
Yes, use the -S switch which reads the password from STDIN:
$echo <password> | sudo -S <command>
So to shut down the machine, your command would be like this (just replace <password> with your password):
$echo <password> | sudo -S poweroff
Exposing your password is generally bad idea search for something that can protect / hide it. In the past I've used Jenkins plugins to do this while executing the scripts regularly.
if you really want to achieve it, you should write a script containing the shutdown command; make root be its owner, then set the SUID bit with the chmod command and give to it executable permission for everybody. When executed, the owner of the script would become root and no password should be asked.

rsync: how to authenticate user to the remote side

I was writing a script that uses rsync. The problem that I'm facing is how to authenticate the user to the remote side. It seems that the only approaches to provide the password is to use the RSYNC_PASSWORD env var, or to use the --password-file option. What I'm think is that use something like "--password=
You need to user sshpass try following command
sshpass -p password rsync "your remaining command"
if sshpass is not installed then install it.

Creating users and assigning passwords on linux

I am creating multiple users (this case 3 users) on a linux bash script using the line
sudo adduser --force-badname CPE_User"$count"
and I am trying to give those users a password that I assign in the script using:
echo "CPE_User"$count":1234" | chpasswd
but the terminal gives me this message :
Allowing use of questionable username.
adduser: The user `CPE_User1' already exists.
Changing password for CPE_User1.
chpasswd: (user CPE_User1) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user CPE_User1) password not changed
What is the problem?
It says it quite clearly: a user with that name already exists. Linux doesn't allow to have more than one user with the same name...
Not sure what the chpasswd problem might be (you are running it as root, right?) If you can't get chpasswd to work, consider using passwd (potentially via an expect script) - that will work for sure.

Resources