If you write a careless task like the one below, you will no longer be able to log in as root, and I couldn't do anything because I hadn't created another user.
Ansible: 2.9.3
Target node OS: CentOS 7.7
root_passwd_change.yml
---
- hosts: test
  become: true
  tasks:
    - name: passwd change
      user:
        name: root
        password: newpassword
When you run this,
[root@ansible test]# ansible-playbook -i host root_passwd_change.yml
PLAY [test] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.1.136]
TASK [passwd change] ***********************************************************
[WARNING]: The input password appears not to have been hashed. The 'password'
argument must be encrypted for this module to work properly.
changed: [192.168.1.136]
PLAY RECAP *********************************************************************
192.168.1.136 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
This warning is printed, but the task is reported as changed and the play ends OK, so it looks like the password was changed. In reality, you cannot ssh in with the expected password, and you cannot log in from the console either. Running the playbook again cannot change it, so you need to reset the password in rescue mode.
[root@ansible test]# ansible-playbook -i host root_passwd_change.yml
PLAY [test] *********************************************************************
TASK [Gathering Facts] *********************************************************
fatal: [192.168.1.136]: UNREACHABLE! => {"changed": false, "msg": "Invalid/incorrect password: Permission denied, please try again.", "unreachable": true}
PLAY RECAP *********************************************************************
192.168.1.136 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
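As the warning says, this happens because the password is written as plaintext without being hashed. The user module stores the value as-is in the password hash field of /etc/shadow, so no password can match it. You can change the password as expected by writing the task as follows.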
root_passwd_change.yml
---
- hosts: test
  become: true
  tasks:
    - name: passwd change
      user:
        name: root
        password: "{{ 'newpassword' | password_hash('sha512') }}"
I had to write it as a hash, as described in the document below.
https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hashing-filters
When you run the above,
[root@ansible test]# ansible-playbook -i host root_passwd_change_fixed.yml
PLAY [test] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.1.136]
TASK [passwd change] ***********************************************************
changed: [192.168.1.136]
PLAY RECAP *********************************************************************
192.168.1.136 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
I was able to change it as I expected.
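As an added example (not from the original post): a small Python check that can be run over /etc/shadow content, for instance from rescue mode or during an audit, to find accounts left in the state the first playbook produces, where the hash field holds plaintext. The function names and the sample shadow lines are constructed for illustration.

```python
import re

# Digest length for the crypt(3) schemes $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512).
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
B64 = "[./0-9A-Za-z]"  # alphabet crypt(3) uses for salts and digests


def classify_hash_field(field):
    """Classify the second field of an /etc/shadow line."""
    if field == "":
        return "empty"      # account has no password
    if field[0] in "!*":
        return "locked"     # password login disabled
    if re.fullmatch(B64 + "{13}", field):
        return "hashed"     # traditional DES crypt (a 13-char plaintext looks the same)
    if not field.startswith("$"):
        return "invalid"    # plaintext or junk: no password can ever match it
    parts = field.split("$")            # ['', id, (rounds=N,) salt, digest]
    want = DIGEST_LEN.get(parts[1])
    if want is None:
        return "other"      # scheme not checked here (bcrypt, yescrypt, ...)
    ok = len(parts) in (4, 5) and re.fullmatch(B64 + "{%d}" % want, parts[-1])
    return "hashed" if ok else "invalid"


def unusable_accounts(shadow_text):
    """Return the names of accounts whose hash field is 'invalid'."""
    bad = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and classify_hash_field(fields[1]) == "invalid":
            bad.append(fields[0])
    return bad


# Constructed sample: the root line is what the first playbook leaves behind;
# the SHA-512 entry uses a dummy digest of the right length, not a real hash.
SAMPLE = "\n".join([
    "root:newpassword:18300:0:99999:7:::",
    "deploy:$6$saltsalt$" + "A" * 86 + ":18300:0:99999:7:::",
    "bin:*:17834:0:99999:7:::",
    "sshd:!!:18290::::::",
])

if __name__ == "__main__":
    print(unusable_accounts(SAMPLE))
```

Against a real host, pass the contents of /etc/shadow (readable by root only) to unusable_accounts() instead of SAMPLE.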