
Batch Resetting Root Passwords on Remote Servers Using Ansible

This guide demonstrates how to automate the quarterly rotation of root passwords across multiple Linux servers by configuring password‑less SSH, creating an Ansible playbook, testing it, and executing it with or without inventory‑based credentials.

Practical DevOps Architecture

In many environments the root password must be changed every three months; doing this manually with shell scripts is cumbersome, so Ansible can be used to reset the root password on remote hosts in bulk.

Step 1: Verify connectivity – run an ad‑hoc command to ensure the servers respond:

[root@server ~]# ansible webservers -m shell -a "whoami"

The command returns root for each target host, confirming that Ansible can reach them.

Step 2: Write the playbook – create /opt/root_passwd.yaml with the following content:

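---
# Reset the password of each listed user on every host in the webservers group
- hosts: webservers
  gather_facts: false
  tasks:
    - name: change user passwd
      user:
        # Jinja2 expressions must be quoted, otherwise YAML reads {{ as a mapping
        name: "{{ item.name }}"
        # The user module expects a crypt hash, not the plaintext password
        password: "{{ item.chpass | password_hash('sha512') }}"
        update_password: always
      with_items:
        - { name: 'root', chpass: '123' }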

Step 3: Check the playbook – do a dry run in check mode (-C), which makes no changes on the hosts and also catches syntax errors:

[root@server ~]# ansible-playbook -C /opt/root_passwd.yaml

After the dry run completes without errors, proceed to execution.

Step 4: Execute the playbook:

[root@server ~]# ansible-playbook /opt/root_passwd.yaml

The output shows the task changed on each host.

Step 5: Pass variables on the command line – you can supply the username and new password with -e:

[root@server ~]# ansible-playbook /opt/root_passwd.yaml -e "name=root chpass=123"

Ansible prints a warning because name is a reserved variable name, but the play still runs and reports:

changed: [192.168.210.176] => (item={u'chpass': u'123', u'name': u'root'})
changed: [192.168.210.177] => (item={u'chpass': u'123', u'name': u'root'})
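
A variant of the playbook above that prompts for the new password at run time, so the plaintext is not stored in the YAML file or typed on the command line with -e, and that hides the task arguments from Ansible's output and logs. This is an added example, not part of the original article; the variable name new_root_password and the 12-character minimum are assumptions chosen for illustration.

```yaml
---
# Added example: prompt-based variant of /opt/root_passwd.yaml.
# new_root_password is a hypothetical variable name used only here.
- hosts: webservers
  gather_facts: false
  vars_prompt:
    - name: new_root_password
      prompt: "New root password"
      private: true     # do not echo the input on the terminal
      confirm: true     # ask twice to catch typos before touching any host
  tasks:
    # Stop before changing anything if the input is empty or too short.
    # The 12-character minimum is an assumed policy value.
    - name: check password length
      assert:
        that:
          - new_root_password | length >= 12
        fail_msg: "Password is shorter than the required minimum length"

    - name: change root passwd
      user:
        name: root
        # The user module expects a crypt hash, so hash the prompted value
        password: "{{ new_root_password | password_hash('sha512') }}"
        update_password: always
      # Keep the hash and module arguments out of stdout and log files
      no_log: true
```

With no_log set, the per-host result shows only a censored placeholder instead of the item contents that appear in the output of the original playbook.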

Method 2: Use inventory‑based SSH credentials – if the Ansible control node does not have password‑less SSH, add the user and password directly in /etc/ansible/hosts:

192.168.210.85 ansible_ssh_user=root ansible_ssh_pass=123 ansible_ssh_port=22
192.168.210.177 ansible_ssh_user=root ansible_ssh_pass=123 ansible_ssh_port=22

Then run an ad‑hoc command, for example:

[root@web ~]# ansible web -m shell -a "ifconfig|grep ens33"

The command returns the network interface details for each host, confirming successful authentication.

These two approaches allow you to automate periodic root password rotation across a fleet of servers using Ansible.
