Create user with option --disabled-password by Ansible
Since Ansible 2.6 the user module has the option password_lock, which will run usermod -L (Linux), pw lock (FreeBSD), or usermod -C (?):
usermod -L:
Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password.
pw lock:
The pw utility supports a simple password locking mechanism for users; it works by prepending the string *LOCKED* to the beginning of the password field in master.passwd to prevent successful authentication.
So you could use:
- name: Create password locked user
  user:
    name: myuser
    state: present
    password_lock: yes
The user module uses the useradd command under the hood.
If you omit the password parameter for the user module, Ansible calls useradd without the -p flag.
Man page of useradd states:
-p, --password PASSWORD
The encrypted password, as returned by crypt(3). The default is to disable the password.
This is exactly what is needed by OP.
Comparison of adduser --disabled-password test1 and - user: name=test2 state=present:
# grep test /etc/shadow
test1:*:17031:0:99999:7:::
test2:!:17031:0:99999:7:::
# passwd -S test1
test1 L 08/18/2016 0 99999 7 -1
# passwd -S test2
test2 L 08/18/2016 0 99999 7 -1
As you see, in both cases passwords are locked.
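The check above can be repeated across many accounts by classifying the password field directly. The following is an added example, not part of either answer: it maps the second field of shadow-style lines to the status letters that passwd -S prints (L, NP, P). The accounts svc1, open1 and alice and their hash strings are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample: the two lines shown in the answer plus three made-up accounts.
SAMPLE_SHADOW = """\
test1:*:17031:0:99999:7:::
test2:!:17031:0:99999:7:::
svc1:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17031:0:99999:7:::
open1::17031:0:99999:7:::
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:17031:0:99999:7:::
"""


def classify_field(pw):
    """Return (status, detail) for the password field of a shadow line."""
    if pw == "":
        # An empty field means no password is required at all.
        return "NP", "empty field: no password required"
    if pw.startswith("*LOCKED*"):
        # Prefix written by FreeBSD's pw lock into master.passwd.
        return "L", "locked by pw lock"
    if pw.startswith("!"):
        rest = pw.lstrip("!")
        if rest and rest != "*":
            # usermod -L keeps the earlier hash after the '!'.
            return "L", "locked, earlier hash preserved after '!'"
        return "L", "locked, no hash set"
    if pw.startswith("*"):
        return "L", "not a crypt(3) result: password login impossible"
    return "P", "usable password hash"


def audit(shadow_text):
    """Map each account name to its (status, detail) tuple."""
    results = {}
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip it
        results[fields[0]] = classify_field(fields[1])
    return results


if __name__ == "__main__":
    for user, (status, detail) in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {status:2} {detail}")
```

An NP result is the one to act on: unlike '*' or '!', an empty field allows login without any password.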