Automation


Ansible and Changing Passwords

  • 1.  Ansible and Changing Passwords

    Posted 12-14-2020 15:46
    I am trying to set up an Ansible playbook to change user passwords in Juniper switches.  I am using juniper_junos_config with a configuration file that includes the "plain-text-password" parameter, but it appears that it is not valid.  Is there any way to use the "plain-text-password" parameter without forcing an interactive prompt?

    What other methods can be used to change a user password via Ansible?


  • 2.  RE: Ansible and Changing Passwords
    Best Answer

     
    Posted 12-15-2020 05:21
    Hi cdjny,

    You can consider using Ansible vault to store passwords or variables and call them in your playbook: Encrypting content with Ansible Vault - Ansible Documentation


    Here is an example of an Ansible playbook, courtesy of @asharp.

    $ cat test.yaml
     
    - name: Junos Set Password
      hosts: all
      roles:
        - Juniper.junos
      connection: local
      gather_facts: no
      tasks:
        - name: Build configuration
          template: src=jnprpass.conf.j2 dest=/tmp/{{ inventory_hostname }}.conf
        - name: Set Password
          juniper_junos_config:
            host: "{{ ansible_ssh_host }}"
            port: "{{ ansible_ssh_port }}"
            user: netadmin
            passwd: Juniper
            file: "/tmp/{{ inventory_hostname }}.conf"
            load: merge
      vars_files:
      - vault-variables.yaml
     
     
    To execute the playbook:
     
    $ ansible-playbook -i hosts test.yaml --ask-vault-pass

    For the above playbook, the following Jinja2 template could be used, for example, which creates the root password using a clear-text password value (this can also be done using encrypted-password if that's desired).  As usual, a password set with plain-text-password-value will still be shown as a hash by Junos.  However, it's recommended to use encrypted-password over a clear-text password for better security.
     
    $ cat jnprpass.conf.j2
     
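    {# Option 1: clear-text value taken from the vault variables #}
    system {
      root-authentication {
        plain-text-password-value "{{ clear_text_password }}";
      }
    }
    {# Option 2: pre-hashed value taken from the vault variables #}
    system {
      root-authentication {
        encrypted-password "{{ admin_password_hashed }}";
      }
    }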

    The YAML data for the vars file could simply be as follows, or you can even store the passwords in a vault-protected file.
     
    $ ansible-vault create vault-variables.yaml
    New Vault password:
    Confirm New Vault password:
    $ ansible-vault edit vault-variables.yaml
    clear_text_password: Juniper
    admin_password_hashed: "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."
    $ cat vault-variables.yaml
    $ANSIBLE_VAULT;1.1;AES256






    ------------------------------
    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).
    ------------------------------
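
A pre-flight check for the files described in this answer, as an added example that is not part of the original post or of the Juniper.junos role: it flags clear-text passwords and MD5-crypt (`$1$`) hashes in a rendered configuration, literal `passwd:` values in a playbook, and a vars file that lacks the `$ANSIBLE_VAULT;` header. The function names and the sample inputs are constructed for illustration.

```python
import re

# Constructed sample inputs modelled on the files shown in the answer above.
RENDERED_CONF = '''system {
  root-authentication {
    plain-text-password-value "Juniper";
  }
}
system {
  root-authentication {
    encrypted-password "$1$constructedsalt$constructedhashvalue";
  }
}
'''
PLAYBOOK = '''- name: Set Password
  juniper_junos_config:
    user: netadmin
    passwd: Juniper
'''
VAULTED_VARS = "$ANSIBLE_VAULT;1.1;AES256\n<ciphertext omitted>\n"
PLAIN_VARS = "clear_text_password: Juniper\n"

def audit_junos_config(text):
    """Return (line_no, issue) for password statements in a rendered config."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if re.search(r'\bplain-text-password-value\s+"', line):
            findings.append((n, "clear-text password in rendered config"))
        m = re.search(r'\bencrypted-password\s+"\$([^$"]+)\$', line)
        if m and m.group(1) == "1":  # crypt(3) scheme id 1 is MD5-crypt
            findings.append((n, "MD5-crypt hash"))
    return findings

def audit_playbook(text):
    """Flag literal passwd: values; Jinja2 variable references pass."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r'\s*passwd:\s*(\S.*)$', line)
        if m and "{{" not in m.group(1):
            findings.append((n, "literal login password in playbook"))
    return findings

def vars_file_is_vaulted(text):
    """True when the file starts with the Ansible Vault header."""
    return text.startswith("$ANSIBLE_VAULT;")

if __name__ == "__main__":
    for name, result in (("config", audit_junos_config(RENDERED_CONF)),
                         ("playbook", audit_playbook(PLAYBOOK)),
                         ("vars vaulted", vars_file_is_vaulted(PLAIN_VARS))):
        print(name, result)
```

Run it against the rendered `/tmp/<hostname>.conf` files before the config task, and delete those files afterwards, since they hold the password outside the vault.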



  • 3.  RE: Ansible and Changing Passwords

    Posted 12-15-2020 16:26
    Thank you so much!  I was missing the "value" at the end of "plain-text-password".  Is "plain-text-password-value" documented anywhere?