Automation




  • 1.  Ansible and Changing Passwords

    Posted 12-14-2020 15:46
    I am trying to set up an Ansible playbook to change user passwords in Juniper switches.  I am using juniper_junos_config with a configuration file that includes the "plain-text-password" parameter, but it appears that it is not valid.  Is there any way to use the "plain-text-password" parameter without forcing an interactive prompt?

    What other methods can be used to change a user password via Ansible?


  • 2.  RE: Ansible and Changing Passwords
    Best Answer

     
    Posted 12-15-2020 05:21
    Hi cdjny,

    You can consider using Ansible vault to store passwords or variables and call them in your playbook: Encrypting content with Ansible Vault - Ansible Documentation


    Here is an example of Ansible playbook, courtesy @asharp.

    $ cat test.yaml
     
    - name: Junos Set Password
      hosts: all
      roles:
        - Juniper.junos
      connection: local
      gather_facts: no
      tasks:
        - name: Build configuration
          template: src=jnprpass.conf.j2 dest=/tmp/{{ inventory_hostname }}.conf
        - name: Set Password
          juniper_junos_config:
            host: "{{ ansible_ssh_host }}"
            port: "{{ ansible_ssh_port }}"
            user: netadmin
            passwd: Juniper
            file: "/tmp/{{ inventory_hostname }}.conf"
            load: merge
      vars_files:
      - vault-variables.yaml
     
     
    To execute the playbook:
     
    $ ansible-playbook -i hosts test.yaml --ask-vault-pass

    For the above playbook, the following Jinja2 template could be used, for example, which creates the root password using a clear text password value (can also be done using encrypted-password if that's desired).  As usual, the password with a plain-text-password-value will still show up as a hash by Junos.  However, it's recommended to use encrypted-password over clear-text password for better security.
     
    $ cat jnprpass.conf.j2
     
    system {
      root-authentication {
        plain-text-password-value "{{ clear_text_password }}";
      }
    }
    system {
      root-authentication {
        encrypted-password "{{ admin_password_hashed }}";
      }
    }

    The YAML data used for the vars file could be used simply as follows.  Or even store passwords in a vault protected file.
     
    $ ansible-vault create vault-variables.yaml
    New Vault password:
    Confirm New Vault password:
    $ ansible-vault edit vault-variables.yaml
    clear_text_password: Juniper
    admin_password_hashed: "$1$fv3Ke4LT$10nlsy3SEJy5ainm.kPTd."
    $ cat vault-variables.yaml
    $ANSIBLE_VAULT;1.1;AES256
    31643065623237653038393365656434353432303535363035323635633866653563396637313533
    3635623033323935383865616361663632666435313466630a643563653263316162623737616533
    37643533646264333364313630306237366635626161353030616332646264376332636239343830
    6630663761393637650a323461663035666262353762613035386562353964303731343533656266
    65643766303832613537386433313661396635373732396462336537333861653038633963613031
    39643638636433653435386330313131613937363364306263316263666533373464316663656665
    35333037326465643162393965376530393837633334613565306466663630323861366538366235
    61613039353131383736333665663134643731343433333062366335613035663165313430356232
    6632






    ------------------------------
    Hope this helps.

    Regards,
    -r.

    ------------------------------
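
A hardened variant of the playbook in the answer above, as an added example that is not part of the original post: it loads only an `encrypted-password` hash (computed on the control node with Ansible's `password_hash` filter), reads the device login from the vault instead of hard-coding it, and keeps the rendered file owner-only and out of task output. The variable names `junos_login_user`, `junos_login_password`, `new_root_password` and `root_password_salt` are assumptions and are expected in `vault-variables.yaml`.

```yaml
# Added example, not the original poster's playbook.
# Assumed vault variables (hypothetical names): junos_login_user,
# junos_login_password, new_root_password, root_password_salt.
- name: Junos set root password (hardened variant)
  hosts: all
  roles:
    - Juniper.junos
  connection: local
  gather_facts: no
  vars_files:
    - vault-variables.yaml
  vars:
    conf_file: "/tmp/{{ inventory_hostname }}.conf"
    # Hash on the control node so the clear text is never written to disk
    # or sent in the configuration. A fixed salt (at most 16 characters)
    # keeps the hash stable, so an unchanged password is not re-committed.
    root_hash: "{{ new_root_password | password_hash('sha512', root_password_salt) }}"
  tasks:
    - block:
        - name: Build configuration (owner-only file, contents kept out of logs)
          copy:
            dest: "{{ conf_file }}"
            mode: "0600"
            content: |
              system {
                root-authentication {
                  encrypted-password "{{ root_hash }}";
                }
              }
          no_log: true

        - name: Set Password
          juniper_junos_config:
            host: "{{ ansible_ssh_host }}"
            port: "{{ ansible_ssh_port }}"
            user: "{{ junos_login_user }}"
            passwd: "{{ junos_login_password }}"
            file: "{{ conf_file }}"
            load: merge
          no_log: true
      always:
        # Runs even if the load fails, so the rendered file is not left in /tmp.
        - name: Remove rendered configuration
          file:
            path: "{{ conf_file }}"
            state: absent
```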



  • 3.  RE: Ansible and Changing Passwords

    Posted 12-15-2020 16:26
    Thank you so much!  I was missing the "value" at the end of "plain-text-password".  Is "plain-text-password-value" documented anywhere?