If I create a password hash using the following playbook and role:

*PLAYBOOK:*

    - hosts: localhost
      tasks:
        - name: Call encrypt password role
          include_role:
            name: encrypt_password
          vars:
            oracle_passwd: "{{survey_password}}"

*ENCRYPT_PASSWORD ROLE:*

    - debug:
        msg: "{{oracle_passwd}}"

    - name: Encrypt oracle_passwd
      set_fact:
        encrypted_passwd: "{{ '{{oracle_passwd}}' | password_hash('sha512') }}"

    - debug:
        msg: "{{encrypted_passwd}}"

    - name: Change passwd for ansible
      become: true
      user:
        name: ansible
        password: "{{encrypted_passwd}}"
        update_password: always
        state: present

and call it via the following:

    ansible-playbook encrypt_password.yml -v -e oracle_passwd=Password123

I get the following as output:

    PLAY [localhost] ********************

    TASK [Gathering Facts] ********************
    ok: [localhost]

    TASK [Call encrypt password role] ********************

    TASK [encrypt_password : debug] ********************
    ok: [localhost] => {
        "msg": "Password123"
    }

    TASK [encrypt_password : Encrypt oracle_passwd] ********************
    ok: [localhost] => {"ansible_facts": {"encrypted_passwd": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"}, "changed": false}

    TASK [encrypt_password : debug] ********************
    ok: [localhost] => {
        "msg": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"
    }

    TASK [encrypt_password : Change passwd for ansible] ********************
    changed: [localhost] => {"append": false, "changed": true, "comment": "", "group": 1002, "home": "/home/ansible", "move_home": false, "name": "ansible", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present", "uid": 1001}

    PLAY RECAP ********************
    localhost : ok=5 changed=1 unreachable=0 failed=0

When I look in the shadow file the hash is the same as the hash returned in Encrypt oracle_passwd:

    [root@a-31be403l6wu0y home]# egrep ansible /etc/shadow
    ansible:$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/:18148:0:99999:7:::

But the password I specified on the command line does not work when I try to log in using su.

I see the same behavior if I change the password hash generation to come from a library I wrote real quick:

    from ansible.module_utils.basic import *
    import crypt

    def main():
        fields = {
            "plain_text_passwd": {"required": True, "type": "str"}
        }
        module = AnsibleModule(argument_spec=fields)
        passwd = crypt.crypt("(oracle_passwd)", crypt.mksalt(crypt.METHOD_SHA512))
        module.exit_json(changed=True, passwd=passwd)

    if __name__ == "__main__":
        main()

And call it in the playbook:

    - name: Set encrypted_password for user module using library
      encrypt_password:
        plain_text_passwd: "{{ plain_text_passwd }}"
      register: encrypted_passwd
      no_log: True

    - debug:
        msg: "{{encrypted_passwd.passwd}}"

    - name: Change passwd for ansible
      become: true
      user:
        name: ansible
        password: "{{ encrypted_passwd.passwd }}"

What's goofy is if I take out the derived password hash ByVal and use a pre-derived hash from the command line in the ansible user command, it works perfectly. It also works if I shell out and make a python call and use the password hash as stdout (the same python call in the library above.)

Has anyone seen this before?
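
An added diagnostic, not part of the original post: inside a Jinja2 expression a quoted `'{{oracle_passwd}}'` is a string literal, so `password_hash` receives that text rather than the variable's value. The script below recomputes a `$6$` hash with the stored salt for each candidate string to show which one a shadow entry was derived from. It assumes OpenSSL 1.1.1+ (for `passwd -6`) and the default round count; `match_candidate` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original post).
# Finds which candidate string a sha512-crypt ($6$) hash was computed from.

# match_candidate HASH CANDIDATE...
# Prints the first candidate whose hash equals HASH.
# Returns 1 if none match, 2 if HASH is not a default-rounds $6$ hash.
match_candidate() {
    mc_stored=$1
    shift
    case $mc_stored in
        '$6$rounds='*) return 2 ;;  # custom rounds: openssl passwd cannot reproduce
        '$6$'*'$'*)    ;;           # "$6$<salt>$<digest>"
        *)             return 2 ;;
    esac
    # Splitting on '$' gives: "", "6", <salt>, <digest>
    mc_salt=$(printf '%s' "$mc_stored" | cut -d'$' -f3)
    for mc_cand in "$@"; do
        # -stdin keeps the candidate out of the process argument list
        mc_out=$(printf '%s\n' "$mc_cand" |
                 openssl passwd -6 -salt "$mc_salt" -stdin 2>/dev/null)
        if [ "$mc_out" = "$mc_stored" ]; then
            printf '%s\n' "$mc_cand"
            return 0
        fi
    done
    return 1
}

# Hash copied from the /etc/shadow line in the post above.
shadow_hash='$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/'

# Candidates: the password given with -e, and the literal text between the
# single quotes in the role's set_fact expression.
match_candidate "$shadow_hash" 'Password123' '{{oracle_passwd}}' ||
    echo "no candidate matched"
```

The same check applies to the library variant by adding the literal `(oracle_passwd)` as a candidate against the hash that module returns.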