
ansible 删除密码过期账户


hosts

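# Static inventory for the password-expiry cleanup playbook.
# The group name must match the `hosts:` pattern of the play (`centos`);
# with the group named `centos-root` the play would match no hosts.
# ansible_ssh_port is the legacy alias of ansible_port; kept as the author wrote it.
[centos]
192.168.174.129 ansible_ssh_port=22
192.168.174.130 ansible_ssh_port=22
192.168.174.131 ansible_ssh_port=22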

Ansible Vault 文件

创建 Ansible Vault 文件

# ansible-vault create passwords.yml
New Vault password:                    # 12345678
Confirm New Vault password:

编辑 Ansible Vault 文件

# ansible-vault edit passwords.yml
Vault password:

passwords.yml

---
# Per-host credentials for the `yunwei` account, looked up by the play as
# hosts_passwords[inventory_hostname].yunwei_password.
# This file is kept encrypted with ansible-vault (see the create/edit commands above);
# keys and values are quoted so that every parser reads them as plain strings.
hosts_passwords:
  "192.168.174.129":
    yunwei_password: "yunwei_129"
  "192.168.174.130":
    yunwei_password: "yunwei_130"
  "192.168.174.131":
    yunwei_password: "yunwei_131"

check_expir_user-playbook.yaml

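---
# Remove local accounts whose password has expired.
#
# Flow: drop the immutable flag on the account files, list the /bin/bash users
# that are not in excluded_users, ask chage(1) for each one's expiry status,
# delete the expired ones, and always restore the immutable flag afterwards
# (the original sequence left the files writable if any middle task failed).
#
# Per-host SSH/sudo passwords come from the vault-encrypted passwords.yml
# (hosts_passwords keyed by inventory_hostname).
- hosts: centos
  remote_user: yunwei
  become: true
  become_method: sudo
  gather_facts: false
  vars_files:
    - passwords.yml
  vars:
    # ansible_ssh_pass is the legacy alias of ansible_password; kept for compatibility.
    ansible_ssh_pass: "{{ hosts_passwords[inventory_hostname].yunwei_password }}"
    ansible_become_pass: "{{ hosts_passwords[inventory_hostname].yunwei_password }}"
    # Accounts that are never removed; used as an alternation inside ^(...)$ in awk.
    excluded_users: "root|yunwei|sreuser|wgs|autodevops"
    # Files these hosts keep immutable (chattr +i); the flag must be cleared before
    # the user module can edit passwd/shadow/group and is restored in `always`.
    immutable_files:
      - /etc/gshadow
      - /etc/shadow
      - /etc/group
      - /etc/passwd
      - /etc/ssh/sshd_config
      - /etc/profile

  tasks:
    - name: Find and remove expired users, restoring the immutable flag afterwards
      block:
        - name: chattr -i the account files so they can be modified
          ansible.builtin.command:
            cmd: "chattr -i {{ immutable_files | join(' ') }}"

        # command + argv: no shell is involved, so excluded_users needs no quoting.
        - name: Get users with /bin/bash shell excluding specified users
          ansible.builtin.command:
            argv:
              - awk
              - "-F:"
              - "-v"
              - "excluded={{ excluded_users }}"
              - '$7 == "/bin/bash" && !($1 ~ "^(" excluded ")$") {print $1}'
              - /etc/passwd
          register: bash_users
          changed_when: false

        # Prints the user name when the password is expired, nothing otherwise.
        # The original only matched "password must be changed" and never used the
        # CURRENT_DATE it computed; an absolute expiry date in the past is now
        # detected as well. The user name is shell-quoted because it comes from
        # /etc/passwd, which is data rather than trusted input.
        - name: Check if user passwords are expired and compile list of expired users
          ansible.builtin.shell:
            executable: /bin/bash
            cmd: |
              set -euo pipefail
              # chage labels are localized; force the English labels the awk match relies on.
              export LC_ALL=C
              expiry=$(chage -l {{ item | quote }} | awk -F: '/^Password expires/ {sub(/^[ \t]*/, "", $2); print $2}')
              now=$(date +%s)
              if [[ "$expiry" == "password must be changed" ]]; then
                # Last-change date of 0: the password must be reset at next login.
                echo {{ item | quote }}
              elif [[ -n "$expiry" && "$expiry" != "never" ]]; then
                # NOTE(review): assumes GNU date can parse chage's "Mon DD, YYYY" output — confirm on the target image.
                expiry_ts=$(date -d "$expiry" +%s)
                if (( expiry_ts < now )); then
                  echo {{ item | quote }}
                fi
              fi
          loop: "{{ bash_users.stdout_lines }}"
          register: expired_users
          changed_when: false

        # `select` with no test drops the empty stdout of non-expired users; the
        # original selectattr('stdout', 'defined') kept them, since stdout is always
        # defined, and would have passed an empty name to the user module.
        # An empty loop is simply skipped, so no `when` guard is needed.
        - name: Delete expired users
          ansible.builtin.user:
            name: "{{ item }}"
            state: absent
            # NOTE(review): home directories are kept (remove defaults to false);
            # set `remove: true` if site policy requires removing them.
          loop: "{{ expired_users.results | map(attribute='stdout') | select | list }}"
          register: delete_users

        - name: Display removed users
          ansible.builtin.debug:
            msg: "Removed expired users: {{ delete_users.results | default([]) | map(attribute='item') | list }}"

      always:
        # Runs even when a task above failed, so the files never stay mutable.
        - name: chattr +i the account files again
          ansible.builtin.command:
            cmd: "chattr +i {{ immutable_files | join(' ') }}"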

测试 playbook

# ansible-playbook -i hosts check_expir_user-playbook.yaml --ask-vault-pass
Vault password: 

PLAY [centos] ******************************************************************************************************************************************************************

TASK [chattr -i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] *****************************************************************************
changed: [192.168.174.130]
changed: [192.168.174.131]
changed: [192.168.174.129]

TASK [Get users with /bin/bash shell excluding specified users] ****************************************************************************************************************
ok: [192.168.174.131]
ok: [192.168.174.129]
ok: [192.168.174.130]

TASK [Check if user passwords are expired and compile list of expired users] ***************************************************************************************************
ok: [192.168.174.130] => (item=user1)
ok: [192.168.174.131] => (item=user1)
ok: [192.168.174.129] => (item=user1)
ok: [192.168.174.131] => (item=user2)
ok: [192.168.174.130] => (item=user2)
ok: [192.168.174.129] => (item=user2)
ok: [192.168.174.131] => (item=user3)
ok: [192.168.174.130] => (item=user3)
ok: [192.168.174.129] => (item=user3)
ok: [192.168.174.131] => (item=user4)
ok: [192.168.174.129] => (item=user4)
ok: [192.168.174.130] => (item=user4)

TASK [Delete expired users] ****************************************************************************************************************************************************
changed: [192.168.174.130] => (item=user1)
changed: [192.168.174.129] => (item=user1)
changed: [192.168.174.131] => (item=user1)
changed: [192.168.174.129] => (item=user2)
changed: [192.168.174.130] => (item=user2)
changed: [192.168.174.131] => (item=user2)
changed: [192.168.174.129] => (item=user3)
changed: [192.168.174.131] => (item=user3)
changed: [192.168.174.130] => (item=user3)
changed: [192.168.174.131] => (item=user4)
changed: [192.168.174.129] => (item=user4)
changed: [192.168.174.130] => (item=user4)

TASK [Display removed users] ***************************************************************************************************************************************************
ok: [192.168.174.129] => {
    "msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}
ok: [192.168.174.130] => {
    "msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}
ok: [192.168.174.131] => {
    "msg": "Removed expired users: [u'user1', u'user2', u'user3', u'user4']"
}

TASK [chattr +i /etc/gshadow /etc/shadow /etc/group /etc/passwd /etc/ssh/sshd_config /etc/profile] *****************************************************************************
changed: [192.168.174.129]
changed: [192.168.174.131]
changed: [192.168.174.130]

PLAY RECAP *********************************************************************************************************************************************************************
192.168.174.129            : ok=6    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.174.130            : ok=6    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
192.168.174.131            : ok=6    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0  

From: https://www.cnblogs.com/wangguishe/p/18153018
