The solution I went with is not perfect, but pretty good... My
localaccounts task has two main user tasks in it (they take lists of users
and are identical apart from one aspect). The lists are provided with
Linux-style password hashes.
The first section runs only on Linux hosts and takes the hash as is.
The second one runs only on AIX and replaces password={{item.password}}
with password={{item.password | replace("$1$", "{smd5}") | replace("$5$",
"{ssha256}") | replace("$6$", "{ssha512}") }}
This replaces the Linux-style encryption identifier $[1|5|6]$ with the AIX
equivalent {s[md5|sha256|sha512]}.
Adam
On Tuesday, January 7, 2014 12:10:43 PM UTC-8, Romeo Theriault wrote:
>
> On Tue, Jan 7, 2014 at 7:47 AM, Adam Morris wrote:
>
>>
>>
>> On Monday, January 6, 2014 4:33:57 PM UTC-8, Romeo Theriault wrote:
>>>
>>> Not sure I'm going to answer your question, but I'd recommend that you
>>> use the highest level of password encryption your version of Unix supports.
>>> On modern Linux boxes this is SHA512. I'm not sure about AIX. I don't
>>> *believe* openssl passwd allows you to generate SHA512 encrypted passwords.
>>> I use the Python library passlib [1] for this. Easy enough to do:
>>>
>>
>> Thanks Romeo, AIX can handle SMD5, SHA-256 and SHA-512... (plus Blowfish
>> on the server I checked). So I could say that we should use SHA-512 going
>> forward. That still leaves me with the question as to how I handle them...
>> Do I store an AIX password and a Linux password for every user, do I munge
>> the passwords when I use them, or do I add a potentially ugly hack to
>> Ansible that would take care of the issue?
>>
>> I'm leaning towards the second option myself... It's not entirely clean,
>> but it does seem like a reasonable way to go.
>>
>
> If, like you suggested, AIX passwords just have something prepended to them,
> I'd just store one SHA512 password and interpolate the needed prefix on the
> AIX boxes.
>
> --
> Romeo
>