Not sure I'm going to answer your question but I'd recommend that you use the highest level of password encryption your version of unix supports. On modern Linux boxes this is SHA512. I'm not sure about AIX. I don't *believe* openssl passwd allows you to generate SHA512 encrypted passwords. I use the python library passlib [1] for this. Easy enough to do:

    from passlib.hash import sha512_crypt

    # password: the plaintext string to hash
    # passlib 1.7+ spells this sha512_crypt.using(rounds=5000).hash(password)
    hash = sha512_crypt.encrypt(password, rounds=5000)
    print(hash)

You can easily generate the correct format for AIX too.

[1] http://pythonhosted.org/passlib/

Romeo

On Mon, Jan 6, 2014 at 1:33 PM, Adam Morris wrote:
> I'm now looking at the user module and struggling with the use of
> encrypted passwords...
>
> Not that we can't store encrypted passwords, just the way that Linux and
> AIX store encrypted passwords are different.
>
> Running 'openssl passwd -salt saltsalt -1 password' gives me the following
> string
>
> $1$saltsalt$qjXMvbEw8oaL.CzflDtaK/
>
> Linux will use this string as it stands as the encrypted password, AIX
> uses a slightly different format for MD5 passwords
>
> {smd5}saltsalt$qjXMvbEw8oaL.CzflDtaK/
>
> Given that I have a mix of AIX and Linux hosts to deal with what would be
> a better way of dealing with the creation of local accounts for the system
> administrators?
>
> 1) Modify the user module to accept Linux format encrypted passwords and
> then change them to the appropriate AIX format (this could work for $1$,
> $2a$, $5$ and $6$)
> 2) Store the passwords and salts without the headers and add the
> appropriate header using variables (I'm thinking something like
> {{ os_password_header }}{{ headerless_password }}. This would assume a
> single password hash type for all passwords)
> 3) Store passwords in their native formats for each OS (becomes much
> bulkier in the variables files but will work)
>
> Personally I like 2) for simplicity (No changes to Ansible required), but
> can see a minor advantage to 1). 3) seems to be the least elegant method.
>
> What are other people's thoughts?
>
> Adam
>
> p.s. wait until I start trying to get this to work on our few Solaris,
> HP-UX and I5-OS servers... particularly the latter.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
>

--
Romeo
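
Added example, not part of the original thread: a small parser that splits the two hash layouts quoted above (the `$id$salt$digest` form and the AIX `{smd5}salt$digest` form) into header, rounds, salt and digest, and flags MD5-based entries for re-hashing. The function and field names are hypothetical; it only separates fields and does not check whether a digest produced on one OS verifies on another.

```python
import re

# Modular-crypt identifiers named in the thread and the algorithms they denote.
MCF_SCHEMES = {"1": "md5-crypt", "2a": "bcrypt",
               "5": "sha256-crypt", "6": "sha512-crypt"}
# MD5-based schemes are flagged so an inventory can list accounts to re-hash.
WEAK_SCHEMES = {"md5-crypt", "aix-smd5"}


def _record(style, scheme, rounds, salt, digest):
    return {"style": style, "scheme": scheme, "rounds": rounds,
            "salt": salt, "digest": digest, "weak": scheme in WEAK_SCHEMES}


def parse_hash(value):
    """Split a stored password hash into style, scheme, rounds, salt, digest."""
    # AIX form quoted in the thread: {smd5}salt$digest
    m = re.fullmatch(r"\{smd5\}([^$]+)\$([./0-9A-Za-z]+)", value)
    if m:
        return _record("aix", "aix-smd5", None, m.group(1), m.group(2))
    # Modular crypt format: $id$[rounds=N$]salt$digest
    m = re.fullmatch(r"\$([0-9a-z]+)\$(.+)", value)
    if not m or m.group(1) not in MCF_SCHEMES:
        # Only a short prefix goes into the message, never the full hash.
        raise ValueError("unrecognised hash format: %r" % value[:8])
    scheme, fields = MCF_SCHEMES[m.group(1)], m.group(2).split("$")
    if scheme == "bcrypt":
        # $2a$<cost>$<22-char salt><31-char digest>
        if len(fields) != 2 or len(fields[1]) != 53:
            raise ValueError("malformed bcrypt hash")
        return _record("mcf", scheme, int(fields[0]),
                       fields[1][:22], fields[1][22:])
    rounds = None
    if scheme != "md5-crypt" and fields[0].startswith("rounds="):
        rounds = int(fields.pop(0)[len("rounds="):])
    if len(fields) != 2 or not all(fields):
        raise ValueError("malformed %s hash" % scheme)
    return _record("mcf", scheme, rounds, fields[0], fields[1])


SAMPLES = [
    "$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/",          # quoted in the thread
    "{smd5}saltsalt$qjXMvbEw8oaL.CzflDtaK/",       # quoted in the thread
    "$6$rounds=5000$constructedsalt$" + "A" * 86,  # constructed, not a real digest
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_hash(sample))
```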
