How to generate Linux user encrypted password for Ansible

You can download this article in PDF format to support us through the following link.

Download the guide as a PDF

turn off


If you are using Ansible user module For user management on Linux or Unix systems, encrypted passwords are required when setting passwords for users without prompting. On macOS systems, the password parameter value must be in clear text. This guide will demonstrate how to generate a Linux user encrypted password for use with Ansible User Module.

On Linux systems, there are multiple methods for generating hashed user passwords. One way is to use python, Another involves using mkpasswd Command line utilities, etc.

Use Python3 to generate encrypted passwords

To generate a hash, you must have python3 Package on your system. Depending on your operating system, you can use the following command to install the software package.

--- CentOS ---
$ sudo yum -y install epel-release
$ sudo yum install python3

--- Ubuntu / Debian ---
sudo apt update
sudo apt install python3

To generate a hash, use the following command:

python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

It will ask you to enter and confirm the password:


Then, when using the user python module, you will use the encrypted password printed as the password parameter value.

Generate encrypted password using Python2

If you are using Python 2, such as a CentOS 7 server, please install pip first.

sudo yum -y install python-pip

Then make sure Pass The password hash library is installed:

sudo pip install passlib

Use the following command to generate an encrypted password:

 python -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

Same output as before:


Use mkpasswd to generate encrypted passwords

You can also use the mkpasswd utility available on most Linux systems to generate hashed passwords.

Install mkpasswd:

--- Ubuntu / Debian ---
$ sudo apt updatee
$ sudo apt install mkpasswd

--- CentOS / Fedora ---
sudo yum install expect

Generate password:

$ mkpasswd --method=sha-512

Test the generated encrypted password

We can use encrypted passwords to create users and confirm that we can log in using the generated passwords.

$ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

Create a user to create a script.

$ vim user_create.yml


- name: Create demo user
  hosts: localhost
  become: yes
  become_method: sudo
    - username: demo
      password: $6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.
    - name: Create user demo
          name: "{{ item.username }}"
          shell: /bin/bash
          createhome: yes
          group: wheel
          generate_ssh_key: yes
          ssh_key_bits: 2048
          password: "{{ item.password }}"
          update_password: always
      with_items: "{{ users }}"

Execute the script to create users.

$ ansible-playbook user_create.yml --user=jkmutai --ask-pass --ask-become-pass 
SSH password: 
BECOME password[defaults to SSH password]: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create demo user] ********************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************
ok: [localhost]

TASK [Create user demo] ********************************************************************************************************************************
changed: [localhost] => (item={'username': 'demo', 'password': '$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.'})

PLAY RECAP *********************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Confirm that the user has been created.

$ getent passwd demo 

Switch to the user to confirm whether the encryption password is normal.

$ su - demo

Welcome to Fedora Silverblue. This terminal is running on the
host system. You may want to try out the Toolbox for a directly
mutable environment that allows package installation with DNF.

For more information, see the documentation.

[[email protected] ~]$ 

delete users:

$ sudo userdel -r demo
$ id demo           
id: ‘demo’: no such user

This is how to generate an encrypted Linux user password for Ansible.

More information about Ansible:

The best books to learn Docker and Ansible automation

Run Ansible Playbook as you like

Deploy Kubernetes cluster on CentOS 7 / CentOS 8 using Ansible and Calico CNI

Ansible Vault cheat sheet / reference guide

How to use Ansible to automate simple repetitive tasks

Use Ansible and Kubespray to deploy a ready-to-use Kubernetes cluster

You can download this article in PDF format to support us through the following link.

Download the guide as a PDF

turn off