If I create a password hash using the following playbook and role:

 

*PLAYBOOK:*

- hosts: localhost

  tasks:

  - name: Call encrypt password role
    include_role:
      name: encrypt_password
    vars:
      oracle_passwd: "{{survey_password}}"

*ENCRYPT_PASSWORD ROLE:*

- debug:
    msg: "{{oracle_passwd}}"

- name: Encrypt oracle_passwd
  set_fact:
    encrypted_passwd: "{{ '{{oracle_passwd}}' | password_hash('sha512') }}"

- debug:
    msg: "{{encrypted_passwd}}"

- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{encrypted_passwd}}"
    update_password: always
    state: present

and call it via the following:

ansible-playbook encrypt_password.yml -v -e oracle_passwd=Password123

 

 

I get the following as output:

PLAY [localhost] ************************************************************

TASK [Gathering Facts] ******************************************************
ok: [localhost]

TASK [Call encrypt password role] *******************************************

TASK [encrypt_password : debug] *********************************************
ok: [localhost] => {
    "msg": "Password123"
}

TASK [encrypt_password : Encrypt oracle_passwd] *****************************
ok: [localhost] => {"ansible_facts": {"encrypted_passwd": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"}, "changed": false}

TASK [encrypt_password : debug] *********************************************
ok: [localhost] => {
    "msg": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"
}

TASK [encrypt_password : Change passwd for ansible] *************************
changed: [localhost] => {"append": false, "changed": true, "comment": "", "group": 1002, "home": "/home/ansible", "move_home": false, "name": "ansible", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present", "uid": 1001}

PLAY RECAP ******************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=0

 

 

When I look in the shadow file the hash is the same as the hash returned in Encrypt oracle_passwd:

[root@a-31be403l6wu0y home]# egrep ansible /etc/shadow
ansible:$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/:18148:0:99999:7:::

 

But the password I specified on the command line does not work when I try to log in using su.



I see the same behavior if I change the password hash generation to come from a library I wrote real quick:

from ansible.module_utils.basic import *
import crypt


def main():

    fields = {
        "plain_text_passwd": {"required": True, "type": "str"}
    }

    module = AnsibleModule(argument_spec=fields)
    passwd = crypt.crypt("(oracle_passwd)", crypt.mksalt(crypt.METHOD_SHA512))
    module.exit_json(changed=True, passwd=passwd)


if __name__ == "__main__":
    main()


And call it in the playbook:

- name: Set encrypted_password for user module using library
  encrypt_password:
    plain_text_passwd: "{{ plain_text_passwd }}"
  register: encrypted_passwd
  no_log: True

- debug:
    msg: "{{encrypted_passwd.passwd}}"

- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{ encrypted_passwd.passwd }}"

 


What's goofy is if I take out the derived password hash ByVal and use a pre-derived hash from the command line in the ansible user command, it works perfectly. It also works if I shell out and make a python call and use the password hash as stdout (the same python call in the library above.)

Has anyone seen this before?
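An added check, not part of the original post: it recomputes SHA-512 crypt (default 5000 rounds, the form of a `$6$salt$hash` entry with no `rounds=` field) under the salt of the shadow entry above, for the value passed with `-e` and for the two quoted strings that appear as the input of `password_hash` and `crypt.crypt` in the posted code, and reports which one the stored hash verifies against. The names `sha512_crypt`, `matching_plaintext`, `SHADOW_HASH` and `CANDIDATES` are chosen here for illustration.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def sha512_crypt(password, salt, rounds=5000):
    """SHA-512 crypt ($6$) with the default 5000 rounds, stdlib only."""
    key, s, h = password.encode(), salt.encode()[:16], hashlib.sha512
    b = h(key + s + key).digest()
    a = key + s + (b * (len(key) // 64 + 1))[:len(key)]
    n = len(key)
    while n:                      # one block per bit of the key length
        a += b if n & 1 else key
        n >>= 1
    prev = h(a).digest()
    p = (h(key * len(key)).digest() * (len(key) // 64 + 1))[:len(key)]
    sq = h(s * (16 + prev[0])).digest()[:len(s)]
    for i in range(rounds):
        c = (p if i & 1 else prev) + (sq if i % 3 else b"") + (p if i % 7 else b"")
        prev = h(c + (prev if i & 1 else p)).digest()
    out = []
    for i in range(21):           # crypt's byte permutation and base64 alphabet
        t = (i, i + 21, i + 42)
        t = t[i % 3:] + t[:i % 3]
        w = prev[t[0]] << 16 | prev[t[1]] << 8 | prev[t[2]]
        out += [B64[w >> 6 * k & 63] for k in range(4)]
    out += [B64[prev[63] & 63], B64[prev[63] >> 6]]
    return "$6$%s$%s" % (salt[:16], "".join(out))

def matching_plaintext(stored, candidates):
    """Return the candidate whose hash, under stored's salt, equals stored."""
    _, scheme, salt, _ = stored.split("$")   # default form only, no rounds= field
    assert scheme == "6"
    for cand in candidates:
        if hmac.compare_digest(sha512_crypt(cand, salt), stored):
            return cand
    return None

# Hash field of the /etc/shadow entry shown in the post.
SHADOW_HASH = ("$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3"
               "yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/")
# The -e value, then the two quoted strings handed to the hash calls in the post.
CANDIDATES = ["Password123", "{{oracle_passwd}}", "(oracle_passwd)"]

if __name__ == "__main__":
    print("stored hash verifies against:",
          repr(matching_plaintext(SHADOW_HASH, CANDIDATES)))
```
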
