Hello:

On Tue, Jul 2, 2019 at 9:36 PM 'Paul Shulz' via Ansible Project <
[email protected]> wrote:

> Wondering if anyone has tried this or is ansible just
> intentionally designed to to allow you to do it?
>
> Below is the normal output from creating a hash at the command line as an
> example of manually hashing a password.
>
> [root@ansiblehost ~]# python -c "from passlib.hash import sha512_crypt;
> import getpass; print sha512_crypt.encrypt(getpass.getpass())"
> Password:
>
> $6$rounds=656000$UoSnvgI/Fm7zVWSf$TIKHXTuCECLOy2EQiyvzQpx.X4bflE8le8FmUk7OLSEuIq9HoN0xnHnOWaUFm7x2MCEZsX0/WJ6FBuBc.Nfqi0
>
> I have tried a couple different ways in Ansible 2.8.1 trying to pull in
> the stdout with register: variable_name .
> Turns out the variable_name data was corrupted/changed with varying
> numbers of asterisk and even sometimes : which the plays complained of.
> Tried it directly injecting the initial password variable to pass in
> without using getpass and using getpass with expect scripts.
> Just thought it would be nice when I went to do root password change to
> take the new password from an input prompt: , pass it
> into a hash that could be captured in a variable to set the password in
> the next task without having to do the copy paste stuff.
>
> I pasted what was of interest in the debug between the hashing task and
> the variable being used in the update root password task.
> No combination of quoting in this case would change the results.
> (different password in this case)
>
> "warnings": ["The value {\'stderr_lines\': [], \'changed\': True, \'end\':
> \'2********19-********7-********2 ********9:48:53.428542\', \'stdout\':
> \'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\',
> \'cmd\': \'python -c \\\\\'from passlib.hash import sha512_crypt; print
> sha512_crypt.encrypt(\\"rootletmein\\")\\\\\'\', \'rc\': ********,
> \'failed\': False, \'stderr\': \'\', \'delta\':
> \'********:****************:****************.578785\', \'stdout_lines\':
> [\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\'],
> \'start\': \'2********19-********7-********2 ********9:48:52.849757\'}
> (type dict) in a string field was converted to
> u\'{\\\\\'stderr_lines\\\\\': [], \\\\\'changed\\\\\': True,
> \\\\\'end\\\\\': \\\\\'2********19-********7-********2
> ********9:48:53.428542\\\\\', \\\\\'stdout\\\\\':
> \\\\\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\\\\\',
> \\\\\'cmd\\\\\': \\\\\'python -c \\\\\\\\\\\\\'from passlib.hash import
> sha512_crypt; print
> sha512_crypt.encrypt(\\"rootletmein\\")\\\\\\\\\\\\\'\\\\\',
> \\\\\'rc\\\\\': ********, \\\\\'failed\\\\\': False, \\\\\'stderr\\\\\':
> \\\\\'\\\\\', \\\\\'delta\\\\\':
> \\\\\'********:****************:****************.578785\\\\\',
> \\\\\'stdout_lines\\\\\':
> [\\\\\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\\\\\'],
> \\\\\'start\\\\\': \\\\\'2********19-********7-********2
> ********9:48:52.849757\\\\\'}\' (type string). If this does not look like
> what you expect, quote the entire value to ensure it does not change.",
> "The input password appears not to have been hashed. The \'password\'
> argument must be encrypted for this module to work properly."], "failed":
> true, "rc": 1
>
>
> The simple ansible task
>     - name: Update local Linux Account Password
>       user:
>         name: "{{account_being_changed}}"
>         update_password: always
>         password: "{{new_account_crypt_pw}}"
>
Why don't you use something like this?

    - name: Update local Linux Account Password
      user:
        name: "{{account_being_changed}}"
        update_password: always
        password: "{{ new_account_plaintext_pw | password_hash('sha512')}}"

Just make sure you define your new_account_plaintext_pw variable.
Optionally, you can also use python to generate your password (if you don't
like the suggested alternative):

- name: Generate passwords
  local_action:
    # `quote` shell-escapes the value; without it a password containing spaces or shell metacharacters breaks the command
    module: shell /usr/local/bin/mkcryptpass.sh {{ new_account_plaintext_pw | quote }}
  register: passwd
  # keep the plaintext (in `cmd`) and the hash out of the play output and logs
  no_log: true

- name: Update local Linux Account Password
  user:
    name: "{{ account_being_changed }}"
    update_password: always
    password: "{{ passwd.stdout }}"

/usr/local/bin/mkcryptpass.sh might look like this:

#!/bin/bash
# Usage: mkcryptpass.sh <plaintext>  (the plaintext is visible in `ps` on the controller while this runs)
PASSWD="$1"
# crypt(3) salts use the alphabet [./0-9A-Za-z]; base64 can also emit '+', which is not valid, so map it to '.'
# 12 random bytes give 16 base64 characters, the maximum SHA-512 salt length glibc uses
salt=$(openssl rand -base64 12 | tr '+' '.')
# $6$ --> SHA512
salt="\$6\$${salt}"
# pass password and salt as argv rather than interpolating them into the Python source, so a quote in the
# password cannot break out of the string (note: the crypt module is deprecated in Python 3.11 and removed in 3.13)
python -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))' "$PASSWD" "$salt"

Hope that helps
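
Added example for this thread (not code from either post, the Ansible project or passlib): a standard-library-only
sha512-crypt implementation that produces the same `$6$...` shadow format that passlib's sha512_crypt, the `user`
module and the `password_hash('sha512')` filter exchange, together with a salt generator restricted to the crypt
alphabet and a shape check. The shape check is illustrative, not the module's own code; it shows why the warning
quoted above fires when the whole registered result (a dict rendered to a string, rather than `passwd.stdout`) or a
plaintext string is handed to `password:`. The password in the demo is the one visible in the quoted output;
everything else (function names, the regex, the 5000-round default) is this example's own choice.

```python
"""sha512-crypt ($6$) in pure Python: generate, shape-check and verify shadow-style hashes.

Added example for this thread, not code from the original posts. Standard library only, so it also
works where the `crypt` module is unavailable (deprecated in Python 3.11, removed in 3.13).
"""
import hashlib
import re
import secrets
from typing import Optional

# crypt(3) alphabet: NOT regular base64. '.' and '/' are the two low symbols and there is no '+'.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_MAX = 16                      # glibc truncates longer SHA-512 salts
ROUNDS_DEFAULT, ROUNDS_MIN, ROUNDS_MAX = 5000, 1000, 999_999_999

# $6$[rounds=N$]<salt>$<86 chars>: the shape a shadow entry, and the `password:` argument, must have
SHADOW_RE = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def make_salt(length: int = SALT_MAX) -> str:
    """Random salt drawn from the crypt alphabet only (`openssl rand -base64` may emit '+', invalid here)."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(length))


def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """glibc's b64_from_24bit: emit n characters, lowest 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    chars = []
    for _ in range(n):
        chars.append(CRYPT_ALPHABET[w & 0x3F])
        w >>= 6
    return "".join(chars)


def _encode_digest(c: bytes) -> str:
    """Byte permutation glibc applies to the final 64-byte digest: 21 rotated triples, then byte 63 alone."""
    out = []
    for k in range(21):
        i, j, m = k, k + 21, k + 42
        t = ((i, j, m), (j, m, i), (m, i, j))[k % 3]
        out.append(_b64_24bit(c[t[0]], c[t[1]], c[t[2]], 4))
    out.append(_b64_24bit(0, 0, c[63], 2))
    return "".join(out)


def sha512_crypt(password: str, salt: Optional[str] = None, rounds: Optional[int] = None) -> str:
    """Drepper's SHA-crypt, $6$ variant. rounds=None means the default 5000 with no rounds= prefix."""
    pw = password.encode()
    salt = (make_salt() if salt is None else salt)[:SALT_MAX]
    if not salt or any(ch not in CRYPT_ALPHABET for ch in salt):
        raise ValueError("salt must be 1-16 characters from [./0-9A-Za-z]")
    sb = salt.encode()
    r = ROUNDS_DEFAULT if rounds is None else min(max(rounds, ROUNDS_MIN), ROUNDS_MAX)

    b = hashlib.sha512(pw + sb + pw).digest()            # digest B = H(pw, salt, pw)
    a = hashlib.sha512(pw + sb)                          # digest A = H(pw, salt, B for len(pw) bytes, ...)
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)                                          # ... then B or pw per bit of len(pw), low bit first
    while n:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()

    dp = hashlib.sha512(pw * len(pw)).digest()           # P: len(pw) bytes cut from repeated DP
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(sb * (16 + a[0])).digest()       # S: len(salt) bytes cut from repeated DS
    s = (ds * (len(sb) // 64 + 1))[: len(sb)]

    c = a                                                # stretching: the round schedule from the spec
    for i in range(r):
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    prefix = "$6$" + (f"rounds={r}$" if rounds is not None else "")
    return prefix + salt + "$" + _encode_digest(c)


def looks_hashed(value: str) -> bool:
    """Shape check only (this example's own, not Ansible's): plaintext and a stringified result dict both fail."""
    return SHADOW_RE.match(value) is not None


def verify(password: str, stored: str) -> bool:
    """Recompute with the salt and rounds embedded in `stored` and compare in constant time."""
    m = SHADOW_RE.match(stored)
    if m is None:
        return False
    rounds = int(m.group(1)) if m.group(1) else None
    return secrets.compare_digest(sha512_crypt(password, m.group(2), rounds), stored)


if __name__ == "__main__":
    # Password taken from the quoted output above; 5000 rounds keeps the demo quick, passlib's 656000 is stronger.
    h = sha512_crypt("rootletmein")
    print(h, looks_hashed(h), verify("rootletmein", h))
    # What the original poster effectively passed: the whole registered result, rendered to a string.
    print(looks_hashed(str({"stdout": h, "rc": 0, "changed": True})))
```

Passing `passwd.stdout` (or the `password_hash` filter output) gives a string that passes the shape check; the rounds
count is carried inside the hash, so a `rounds=656000` value from passlib and a default-round value from `crypt`
both verify with the same code.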

To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAA3McK_4kT%2BSvNStEXRRwwtXTOQX0jV1yJiDqqC0tRVq3Ws9sA%40mail.gmail.com.