If you’re using the Ansible user module for user management on a Linux or Unix system, an encrypted password is required to set a user’s password without a prompt. On macOS systems, the value of the password parameter has to be cleartext. This guide demonstrates how to generate a Linux user’s encrypted password for use with the Ansible user module.

There are various ways of generating a hashed user password on a Linux system. One method uses Python, another uses the mkpasswd command-line utility, and there are many others.

Generate encrypted password with Python3

To generate the hash, you must have the python3 package on your system. The following commands can be used to install the package depending on your operating system.

--- CentOS ---
$ sudo yum -y install epel-release
$ sudo yum install python3

--- Ubuntu / Debian ---
sudo apt update
sudo apt install python3

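To generate the hash, use a command such as this (it relies on Python’s crypt module, which was deprecated in Python 3.11 and removed in Python 3.13):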

python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

It will ask you to enter and confirm password:


You will then use the encrypted password that is printed as the value of the password parameter when using the Ansible user module.

Generate encrypted password with Python2

If using Python2, e.g. on a CentOS 7 server, first install pip.

sudo yum -y install python-pip

Then ensure that the Passlib password hashing library is installed:

sudo pip install passlib

Generate encrypted password with the command:

python -c 'from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))'

Same output as before:


Generate encrypted password using mkpasswd

You can also use the mkpasswd utility that is available on most Linux systems to generate a hashed password.

Install mkpasswd:

--- Ubuntu / Debian ---
$ sudo apt update
$ sudo apt install mkpasswd

--- CentOS / Fedora ---
sudo yum install expect

Generate password:

$ mkpasswd --method=sha-512
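
Whichever generator you use, it is worth checking the string before it goes into a playbook, because the user module writes whatever it is given into the shadow file. The following is an added example, not part of the original article: check_crypt_hash is a hypothetical helper name, and rejecting md5-crypt is a policy assumption of this example.

```python
import re

# crypt(3) scheme id -> (name, encoded digest length, acceptable for new accounts).
# Rejecting md5-crypt is a policy assumption of this example.
SCHEMES = {
    "1": ("md5-crypt", 22, False),
    "5": ("sha256-crypt", 43, True),
    "6": ("sha512-crypt", 86, True),
}
CRYPT_B64 = re.compile(r"^[./0-9A-Za-z]+$")  # alphabet of generated salts and digests

# The hash shown in this article's playbook.
PAGE_HASH = ("$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mg"
             "JVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.")


def check_crypt_hash(value):
    """Return (ok, detail) for a string meant for the user module's password parameter."""
    parts = value.split("$")
    # A modular crypt string looks like $id$[rounds=N$]salt$digest
    if len(parts) < 4 or parts[0] != "":
        return False, "not a crypt(3) hash (cleartext or truncated value?)"
    scheme = SCHEMES.get(parts[1])
    if scheme is None:
        return False, "unrecognised scheme id %r" % parts[1]
    name, digest_len, strong = scheme
    fields = parts[2:]
    if fields[0].startswith("rounds="):
        if name == "md5-crypt" or not fields[0][7:].isdigit():
            return False, "malformed rounds field"
        fields = fields[1:]
    if len(fields) != 2:
        return False, "expected salt and digest fields"
    salt, digest = fields
    max_salt = 8 if name == "md5-crypt" else 16
    if not (1 <= len(salt) <= max_salt and CRYPT_B64.match(salt)):
        return False, "bad salt"
    if len(digest) != digest_len or not CRYPT_B64.match(digest):
        return False, "digest has wrong length or characters for " + name
    if not strong:
        return False, name + " is too weak for new accounts"
    return True, name


if __name__ == "__main__":
    # Constructed samples: a cleartext value and a truncated copy of the hash.
    for candidate in (PAGE_HASH, "S3cret-cleartext", PAGE_HASH[:-5]):
        print(check_crypt_hash(candidate))
```
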

Testing Encrypted password generated

We can create a user with the encrypted password and confirm we can log in with the password generated.

$ python3 -c 'import crypt,getpass;pw=getpass.getpass();print(crypt.crypt(pw) if (pw==getpass.getpass("Confirm: ")) else exit())'

Create the user creation playbook.

$ vim user_create.yml


---
- name: Create demo user
  hosts: localhost
  become: yes
  become_method: sudo
  vars:
    # Each entry carries the login name and the hash generated above
    users:
      - username: demo
        password: $6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.
  tasks:
    - name: Create user demo
      user:
        name: "{{ item.username }}"
        shell: /bin/bash
        createhome: yes
        group: wheel
        generate_ssh_key: yes
        ssh_key_bits: 2048
        password: "{{ item.password }}"
        update_password: always
      with_items: "{{ users }}"

Execute playbook to create the user.

$ ansible-playbook user_create.yml --user=jkmutai --ask-pass --ask-become-pass 
SSH password: 
BECOME password[defaults to SSH password]: 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Create demo user] ********************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************
ok: [localhost]

TASK [Create user demo] ********************************************************************************************************************************
changed: [localhost] => (item={'username': 'demo', 'password': '$6$pTpaEDHweswcO86u$MuAiSx/iHxmV2jSvmNzXQYIz1lYIMCeP5KtmZQnx6mgJVfweP6oC8nMQQ9QeLc821YV50fh6yMzOjUCxY0lIq.'})

PLAY RECAP *********************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Confirm user has been created.

$ getent passwd demo 

Switch to the user to confirm the encrypted password is working.

$ su - demo

Welcome to Fedora Silverblue. This terminal is running on the
host system. You may want to try out the Toolbox for a directly
mutable environment that allows package installation with DNF.

For more information, see the documentation.

[[email protected] ~]$ 

Delete user:

$ sudo userdel -r demo
$ id demo           
id: ‘demo’: no such user

That’s all on how to generate an encrypted Linux user’s password for Ansible.
