How to set user password expiration time on Linux with Ansible?

I’m going to show you a live Playbook with some simple Ansible code. I’m Luca Berton and welcome to today’s episode of Ansible Pilot.

Ansible user password expiration

  • ansible.builtin.user
  • Manage user accounts

Today we’re talking about the Ansible module user. Its full name is ansible.builtin.user, which means it is part of the “builtin” collection of modules shipped with Ansible. It is a stable module that has been available for years; it manages user accounts and supports a wide variety of Linux distributions. For Windows, use the ansible.windows.win_user module instead.

Linux password aging policy

This schema represents the Linux password aging policy. Note that the native Ansible user module can set only the min days (-m) and max days (-M) parameters. Max days sets how often the password must be renewed, for example every 90 days. Min days sets the minimum number of days a user must wait before changing the password again, for example 7 days after the last change. To disable password aging, specify the value 99999. For the other parameters, you need to rely on the chage command-line utility, directly or via the Ansible shell module.

Parameters

  • name string - username
  • password_expire_min integer - Linux min days validity (-m)
  • password_expire_max integer - Linux max days validity (-M)

This module has many parameters for different tasks. The only required one is “name”, which is the username. The password_expire_min parameter takes the minimum number of days of validity, and the password_expire_max parameter takes the maximum number of days of validity. Please note that these parameters are Linux only.

Playbook

Set user password expiration time with Ansible Playbook.

Please note: user module password_expiry_min bug and workaround.

code

  • user_expiration.yml
---
- name: user module Playbook
  hosts: all
  become: true
  vars:
    myuser: "example"
  tasks:
    - name: password expiration
      ansible.builtin.user:
        name: "{{ myuser }}"
        password_expire_min: 7
        password_expire_max: 90

execution

$ ansible-playbook -i Playbook/inventory user\ expiration/user.yml

PLAY [user module Playbook] **********************************************************************************

TASK [Gathering Facts] ***********************************************************************************
ok: [demo.example.com]

TASK [password expiration] *******************************************************************************
changed: [demo.example.com]

PLAY RECAP ***********************************************************************************************
demo.example.com           : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

before execution


$ ssh devops@demo.example.com
Last login: Mon Nov  8 17:07:10 2021 from 192.168.43.5
[devops@demo ~]$ sudo su
[root@demo devops]# chage --help
Usage: chage [options] LOGIN

Options:
-d, --lastday LAST_DAY        set date of last password change to LAST_DAY
-E, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
-h, --help                    display this help message and exit
-I, --inactive INACTIVE       set password inactive after expiration
                              to INACTIVE
-l, --list                    show account aging information
-m, --mindays MIN_DAYS        set minimum number of days before password
                              change to MIN_DAYS
-M, --maxdays MAX_DAYS        set maximum number of days before password
                              change to MAX_DAYS
-R, --root CHROOT_DIR         directory to chroot into
-W, --warndays WARN_DAYS      set expiration warning days to WARN_DAYS

[root@demo devops]# chage -l example
Last password change     : Nov 08, 2021
Password expires     : never
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 99999
Number of days of warning before password expires : 7

after execution

$ ssh devops@demo.example.com
Last login: Mon Nov  8 17:09:16 2021 from 192.168.43.5
[devops@demo ~]$ sudo su
[root@demo devops]# chage -l example
Last password change     : Nov 08, 2021
Password expires     : Feb 06, 2022
Password inactive     : never
Account expires      : never
Minimum number of days between password change  : 0
Maximum number of days between password change  : 90
Number of days of warning before password expires : 7
[root@demo devops]# passwd example
Changing password for user example.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@demo devops]# passwd example
Changing password for user example.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@demo devops]# su - example
[example@Playbook ~]$ passwd
Changing password for user example.
Current password:
New password:
BAD PASSWORD: The password is shorter than 8 characters
passwd: Authentication token manipulation error
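
The text above notes that aging parameters other than min and max days need chage. The playbook below is an added example, not part of the original article: it sets the warning (-W) and inactivity (-I) days through chage only when they differ, then asserts the resulting shadow fields. The values 14 and 30 are assumed policy numbers; the min/max check reuses the 7 and 90 from the playbook above and would fail on a host where the minimum stays at 0, as in the chage -l output after execution.

```yaml
---
- name: password aging beyond min and max days
  hosts: all
  become: true
  vars:
    myuser: "example"
    warn_days: 14      # assumed policy value (chage -W)
    inactive_days: 30  # assumed policy value (chage -I)
  tasks:
    - name: read the shadow entry
      ansible.builtin.getent:
        database: shadow
        key: "{{ myuser }}"
      no_log: true  # the entry includes the password hash

    # shadow fields after the name:
    # [hash, lastchg, min, max, warn, inactive, expire, reserved]
    - name: set warning and inactivity days only when they differ
      ansible.builtin.command:
        argv:
          - chage
          - "-W"
          - "{{ warn_days }}"
          - "-I"
          - "{{ inactive_days }}"
          - "{{ myuser }}"
      when: >-
        ansible_facts.getent_shadow[myuser][4] != (warn_days | string) or
        ansible_facts.getent_shadow[myuser][5] != (inactive_days | string)

    - name: re-read the shadow entry
      ansible.builtin.getent:
        database: shadow
        key: "{{ myuser }}"
      no_log: true

    - name: fail when the aging fields differ from policy
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_shadow[myuser][2] == '7'
          - ansible_facts.getent_shadow[myuser][3] == '90'
          - ansible_facts.getent_shadow[myuser][4] == (warn_days | string)
          - ansible_facts.getent_shadow[myuser][5] == (inactive_days | string)
        fail_msg: "password aging for {{ myuser }} differs from policy"
```

Because the chage task is guarded by the `when` condition, a second run reports no change once the shadow entry already matches.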

Conclusion

Now you know how to set user password expiration time on Linux with Ansible.