Ansible Role login

This role creates users, adds them to additional groups, and sets their SSH authorized_keys to allow them to login to the system. Aditionally, a group can be added to the sudoers for password-less sudo access. It also sets the system-wide password-aging policy and default umask in /etc/login.defs.

IMPORTANT:

  • The default behavior of this role is that it distributes SSH keys that it knows from the host/group variables and deletes any other keys that already exist on the target system in .ssh/authorized_keys. This might break things. Set remove_other_sshd_authorized_keys accordingly.

Available since LFOps 2.0.0.

How the Role Behaves

The role sets a few policy keys in /etc/login.defs (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE, UMASK) in place, leaving the rest of the distribution-provided file untouched. These settings apply to newly created accounts and the next password change only; the role does not retroactively re-age existing accounts (it does not run chage). Adjust an existing account’s aging manually with chage if needed.

Requirements

Manual steps:

  • Install the passlib Python module on the Ansible Controller (dnf install python3-passlib on Fedora). If you use the LFOps Execution Environment, this is already done for you.

Tags

login

  • Manages users, their groups and SSH authorized_keys.

  • Triggers: none.

login:authorized_keys

  • Manages SSH authorized_keys.

  • Triggers: none.

login:login_defs

  • Sets the password-aging policy and default umask in /etc/login.defs.

  • Triggers: none.

Optional Role Variables

login__login_defs_pass_max_days

  • Maximum number of days a password is valid (PASS_MAX_DAYS). Use a value below 99999 to satisfy the policy.

  • Type: Number.

  • Default: 365

login__login_defs_pass_min_days

  • Minimum number of days between password changes (PASS_MIN_DAYS).

  • Type: Number.

  • Default: 1

login__login_defs_pass_warn_age

  • Number of days a user is warned before the password expires (PASS_WARN_AGE).

  • Type: Number.

  • Default: 7

login__login_defs_umask

  • Default umask for user login sessions (UMASK).

  • Type: String.

  • Default: '027'

login__passwordless_sudo_group

  • The group which should be added to the sudoers for password-less sudo access.

  • Type: String.

  • Default: ''

login__users__host_var / login__users__group_var

  • A list of the users to be created or deleted.

  • Subkeys:

    • additional_groups:

      • Optional. Additional groups the user account should be in.

      • Type: List.

      • Default: []

    • create_home:

      • Optional. Unless set to false, a home directory will be made for the user when the account is created or if the home directory does not exist.

      • Type: Bool.

      • Default: true

    • home:

      • Optional. The home directory for the user.

      • Type: String.

      • Default: the OS default

    • linger:

      • Optional. Enable lingering of the account, analogous to loginctl enable/disable-linger.

      • Type: Bool.

      • Default: false

    • name:

      • Mandatory. The name of the user account.

      • Type: String.

    • password:

      • Optional. The password of the user.

      • Type: String.

    • primary_group:

      • Optional. The name of the primary group. If omitted, the primary group name will be the same as the username. If this primary group exists via a central authentication method e.g. FreeIPA, the primary group will default to users.

      • Type: String.

    • remove_other_sshd_authorized_keys:

      • Optional. Whether to remove all other non-specified keys from the authorized_keys file.

      • Type: Bool.

      • Default: false

    • shell:

      • Optional. Shell for the user account.

      • Type: String.

      • Default: '/bin/bash'

    • sshd_authorized_keys:

      • Optional. List of sshd authorized_keys for the user account.

      • Type: List.

      • Default: []

    • state:

      • Optional. The state of the user account. Possible options: present, absent.

      • Type: String.

      • Default: 'present'

    • system:

      • Optional. If this is a system account or not. Usually system accounts are used for running applications.

      • Type: Bool.

      • Default: false

  • For the usage in host_vars / group_vars (can only be used in one group at a time).

  • Type: List of dictionaries.

  • Default: []

Example:

# optional
login__passwordless_sudo_group: 'linuxfabrik'
login__users__host_var:
  - name: 'test'
    password: 'linuxfabrik'
    home: '/home/test'
    create_home: true
    shell: '/bin/bash'
    linger: true
    primary_group: 'testgroup'
    additional_groups:
      - 'wheel'
      - '{{ login__passwordless_sudo_group }}'
    sshd_authorized_keys:
      - 'ssh-ed25519 M4wt6qfbtyAaBnhSJDzoQEAOwiQM7k9lTvhYhNHJ7i6ciWH9uXJlbpbDF4Wv5lSr8t1maY test@example.com'
    remove_other_sshd_authorized_keys: true
    state: 'present'
    system: false
  - name: 'github-runner'
    home: '/opt/github-runner'
    state: 'present'
    system: true
login__users__group_var: []

Troubleshooting

[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated. The Python crypt module is deprecated and will be removed from Python 3.13. Install the passlib library for continued encryption functionality. This feature will be removed in version 2.17.: Make sure to install the passlib Python module on the Ansible Controller (dnf install python3-passlib on Fedora).

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich