Create user with option --disabled-password by Ansible

Since Ansible 2.6 the user module has the option password_lock, which will run usermod -L (Linux), pw lock (FreeBSD), or usermod -C (?):

usermod -L:

Lock a user's password. This puts a '!' in front of the encrypted password, effectively disabling the password.

pw lock:

The pw utility supports a simple password locking mechanism for users; it works by prepending the string *LOCKED* to the beginning of the password field in master.passwd to prevent successful authentication.

So you could use:

- name: Create password locked user
  user:
    name: myuser
    state: present
    password_lock: yes

user module use useradd command under the hood.
If you omit password parameter for user module, ansible calls useradd without -p flag.
Man page of useradd states:

-p, --password PASSWORD
The encrypted password, as returned by crypt(3). The default is to disable the password.

This is exactly what is needed by OP.

Comparison of adduser --disabled-password test1 and - user: name=test2 state=present:

# grep test /etc/shadow
test1:*:17031:0:99999:7:::
test2:!:17031:0:99999:7:::
# passwd -S test1
test1 L 08/18/2016 0 99999 7 -1
# passwd -S test2
test2 L 08/18/2016 0 99999 7 -1

As you see in both cases passwords are locked.

Create user with option --disabled-password by Ansible

Tags:

Passwords

Ubuntu

Ansible

Related

Recent Posts