Ansible Password Expiration: Manage User Account Aging & Policies
By Luca Berton · Published 2024-01-01 · Category: installation
How to manage password expiration with the Ansible user module. Set expiry dates, maximum age, warning periods, and enforce password rotation policies.
How to set user password expiration time on Linux with Ansible? I'm going to show you a live Playbook with some simple Ansible code. I'm Luca Berton and welcome to today's episode of Ansible Pilot.
Ansible user password expiration • ansible.builtin.user • Manage user accounts
Today we're talking about the Ansible module user. The full name is ansible.builtin.user, which means that it is part of the "builtin" collection of modules shipped with Ansible. It is a stable module that has been available for years; it manages user accounts and supports a huge variety of Linux distributions. For Windows, use the ansible.windows.win_user module instead.
Linux password aging policy
This schema represents the Linux password aging policy. Note that the native Ansible user module is able to set only the min days (-m) and max days (-M) parameters. Max days sets how often the password must be renewed, for example every 90 days. Min days sets the minimum number of days to wait before the password can be changed again, for example 7 days after the last change. To disable password aging, specify the value 99999. For the other parameters, you need to rely on the chage command-line utility, run directly or via the Ansible shell module.
Parameters
• name string - username
• password_expire_min integer - Linux min days validity (-m)
• password_expire_max integer - Linux max days validity (-M)
This module has many parameters to perform any task. The only required one is "name", which is the username. In the password_expire_min parameter you specify the min days validity. In the password_expire_max parameter you specify the max days validity. Please note that these parameters are Linux only.
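The split described above, as an added playbook that is not the article's user_expiration.yml: min and max days go through ansible.builtin.user, warning days go through chage, and a final assert checks what actually landed in /etc/shadow. The account name example and the 7/90/14 values are assumptions.

```yaml
---
# Added example, not the article's user_expiration.yml.
# Assumptions: account "example" already exists; 7/90/14 are sample values.
- name: Set and verify password aging for one account
  hosts: all
  become: true
  vars:
    aging_user: example   # hypothetical account name
    min_days: 7           # chage -m
    max_days: 90          # chage -M
    warn_days: 14         # chage -W, set with chage rather than the user module
  tasks:
    - name: Set min and max days with the user module
      ansible.builtin.user:
        name: "{{ aging_user }}"
        password_expire_min: "{{ min_days }}"
        password_expire_max: "{{ max_days }}"

    - name: Read the shadow entry (no_log keeps the password hash out of output)
      ansible.builtin.getent:
        database: shadow
        key: "{{ aging_user }}"
      no_log: true

    - name: Set warning days with chage only when the value differs
      ansible.builtin.command:
        argv: [chage, -W, "{{ warn_days }}", "{{ aging_user }}"]
      when: ansible_facts.getent_shadow[aging_user][4] != (warn_days | string)

    - name: Re-read the shadow entry after the changes
      ansible.builtin.getent:
        database: shadow
        key: "{{ aging_user }}"
      no_log: true

    # Fields after the name: 0 hash, 1 last change, 2 min, 3 max, 4 warn
    - name: Fail the play if /etc/shadow does not hold the intended policy
      ansible.builtin.assert:
        that:
          - ansible_facts.getent_shadow[aging_user][2] == (min_days | string)
          - ansible_facts.getent_shadow[aging_user][3] == (max_days | string)
          - ansible_facts.getent_shadow[aging_user][4] == (warn_days | string)
        fail_msg: "Password aging for {{ aging_user }} does not match the policy"
```

The chage task is skipped on a second run because the shadow entry already holds the warning value, so the play stays idempotent.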
## Playbook
Set user password expiration time with Ansible Playbook.
Please note: user module password_expire_min bug and workaround.
code • user_expiration.yml
execution
before execution
after execution
Conclusion
Now you know how to set user password expiration time on Linux with Ansible.
Set Password Expiry
Full Password Policy
Account Expiration (Not Password)
Force Password Change on Next Login
Check Password Status
Compliance Policy Playbook
PAM Password Quality
FAQ
password_expire_max vs expires?
password_expire_max controls how often the password must change. expires controls when the entire account becomes unusable — different things.
How do I exempt service accounts?
Does this work on all Linux distros?
Password aging uses /etc/shadow and chage, which work on all major Linux distributions.
Set Account Expiry Date
Calculate Expiry (90 Days)
Remove Expiry
Password Aging with chage
Force Password Change
Check Password Status
Bulk Password Policy
Policy Enforcement Playbook
Disable Expired Account
FAQ
expires takes Unix timestamp or date?
Unix timestamp (seconds since epoch). Calculate with: date -d "2025-06-01" +%s
Account expiry vs password expiry?
Account expiry (expires) locks the entire account. Password expiry (chage -M) forces password change but account stays active.
How to set global defaults?
Edit /etc/login.defs with PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE.