Improved formatting; tweaked wording and punctuation.
  1. Run the play as your safe user.

    • Be sure to set gather_facts: no or the play will fail at this step with a host unreachable error.

  2. With the first task, in order to check if the user already exists, you ping the server and ignore the host unreachable error:

    - name: Check if safe user exists
      ansible.builtin.ping:
      register: result
      ignore_unreachable: true   # an unreachable host is recorded in `result` instead of aborting the play

  3. If the ping fails, using the default user you create the safe user, give it sudo rights and add SSH keys:

    - name: Handle the error (missing user)
      when: result.failed == true
      vars:
        ansible_ssh_user: "{{ default_user }}"   # reconnect as the default account for this block only
      block:
        - ansible.builtin.meta: clear_host_errors
        - name: Create safe user
          ansible.builtin.user:
            name: "{{ safe_user }}"
            password: "{{ password | password_hash('sha512') }}"
            groups:
              - sudo
              - users
            append: true
            shell: "{{ shell }}"
        - name: Add Authorized key
          ansible.posix.authorized_key:
            user: "{{ safe_user }}"
            key: "{{ ssh_pub_key }}"
            exclusive: true   # replace any existing authorized_keys content with this key

  4. Now the safe user should have SSH access and can delete the default user.

    - name: Remove default user
      ansible.builtin.user:
        name: "{{ default_user }}"
        state: absent

  5. The rest of the playbook can be run as the safe user. The playbook can also be re-run later. The ping will succeed and user creation will be skipped.
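The five steps assembled into one re-runnable play, as an added example that is not the answer's own code: it adds a privilege check before the fallback account is deleted, so a bad key or a missing sudo group cannot lock the operator out. The inventory group, the sample variable values, the use of `ansible_user` and the `unreachable` key test (the answer tests `result.failed`) are assumptions.

```yaml
# Added example: bootstrap play with a lock-out guard (assumed names and values)
- name: Bootstrap a safe admin user and retire the default account
  hosts: new_servers               # assumed inventory group
  gather_facts: false              # facts would need a working login as safe_user
  remote_user: "{{ safe_user }}"
  vars:
    default_user: ubuntu           # constructed sample values
    safe_user: admin
    shell: /bin/bash
    ssh_pub_key: "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}"
    # `password` is supplied via vault or --extra-vars, never committed in clear
  tasks:
    - name: Check if safe user exists
      ansible.builtin.ping:
      register: result
      ignore_unreachable: true

    - name: Handle the error (missing user)
      # assumption: test the `unreachable` key carried by the registered result
      when: result.unreachable | default(false)
      vars:
        ansible_user: "{{ default_user }}"   # fall back to the vendor account
      block:
        - ansible.builtin.meta: clear_host_errors
        - name: Create safe user
          ansible.builtin.user:
            name: "{{ safe_user }}"
            password: "{{ password | password_hash('sha512') }}"
            groups: [sudo, users]
            append: true
            shell: "{{ shell }}"
        - name: Add Authorized key
          ansible.posix.authorized_key:
            user: "{{ safe_user }}"
            key: "{{ ssh_pub_key }}"
            exclusive: true        # only this key remains in authorized_keys

    # Lock-out guard: prove safe_user can log in AND escalate before deleting
    # the only other account that can. Runs on every pass, so it stays idempotent.
    - name: Verify safe user can escalate privileges
      ansible.builtin.command: id -un
      become: true
      register: whoami
      changed_when: false
      failed_when: whoami.stdout != 'root'

    - name: Remove default user
      ansible.builtin.user:
        name: "{{ default_user }}"
        state: absent
        remove: true               # also drop its home directory
```

Because members of `sudo` are normally prompted for a password, run with `--ask-become-pass` (or set `ansible_become_password` from vault) unless the target's sudoers grants NOPASSWD.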