Issue with password hash in user module when passing ByVal ???


Greg Pirker

Sep 11, 2019, 7:58:01 AM9/11/19
to Ansible Development

If I create a password hash using the following playbook and role:

PLAYBOOK:

- hosts: localhost

  tasks:

  - name: Call encrypt password role
    include_role:
      name: encrypt_password
    vars:
      oracle_passwd: "{{survey_password}}"

ENCRYPT_PASSWORD ROLE:

- debug:
    msg: "{{oracle_passwd}}"

- name: Encrypt oracle_passwd
  set_fact:
    # the quoted '{{oracle_passwd}}' is a string literal inside the outer Jinja expression
    encrypted_passwd: "{{ '{{oracle_passwd}}' | password_hash('sha512') }}"

- debug:
    msg: "{{encrypted_passwd}}"

- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{encrypted_passwd}}"
    update_password: always
    state: present


and call it via the following:

ansible-playbook encrypt_password.yml -v -e oracle_passwd=Password123


I get the following as output:

PLAY [localhost] ************************************************************************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Call encrypt password role] *******************************************************************************************************************************************************************************************************************************************************************************************

TASK [encrypt_password : debug] *********************************************************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "Password123"
}

TASK [encrypt_password : Encrypt oracle_passwd] *****************************************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {"ansible_facts": {"encrypted_passwd": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"}, "changed": false}

TASK [encrypt_password : debug] *********************************************************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"
}

TASK [encrypt_password : Change passwd for ansible] *************************************************************************************************************************************************************************************************************************************************************************
changed: [localhost] => {"append": false, "changed": true, "comment": "", "group": 1002, "home": "/home/ansible", "move_home": false, "name": "ansible", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present", "uid": 1001}

PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=0


When I look in the shadow file the hash is the same as the hash returned in Encrypt oracle_passwd:

[root@a-31be403l6wu0y home]# egrep ansible /etc/shadow
ansible:$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/:18148:0:99999:7:::


But the password I specified on the command line does not work when I try to log in using su.



I see the same behavior if I change the password hash generation to come from a library I wrote real quick:


from ansible.module_utils.basic import AnsibleModule
import crypt


def main():
    fields = {
        "plain_text_passwd": {"required": True, "type": "str"}
    }

    module = AnsibleModule(argument_spec=fields)
    # hashes the literal string "(oracle_passwd)"; module.params["plain_text_passwd"] is never read
    passwd = crypt.crypt("(oracle_passwd)", crypt.mksalt(crypt.METHOD_SHA512))
    module.exit_json(changed=True, passwd=passwd)


if __name__ == "__main__":
    main()


And call it in the playbook:

- name: Set encrypted_password for user module using library
  encrypt_password:
    plain_text_passwd: "{{ plain_text_passwd }}"
  register: encrypted_passwd
  no_log: True

- debug:
    msg: "{{encrypted_passwd.passwd}}"

- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{ encrypted_passwd.passwd }}"



What's goofy is if I take out the derived password hash ByVal and use a pre-derived hash from the command line in the ansible user command, it works perfectly. It also works if I shell out and make a python call and use the password hash as stdout (the same python call in the library above.)

 


Has anyone seen this before?
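As an added check (example code, not part of the post and not Ansible's own code): a pure-Python sha512-crypt that lets you verify which plaintext a $6$ shadow entry actually corresponds to, so a hash can be tested against the intended password before it is pushed to an account. It assumes the standard 5000-round algorithm, and that the quoted '{{oracle_passwd}}' in the set_fact above is a string literal inside the outer Jinja expression, so the hash written to the account is of that literal text; the shadow line in demo() is constructed under that assumption, not copied from the post.

```python
import hashlib
# Alphabet used by $6$ (sha512-crypt, Drepper's scheme) entries in /etc/shadow
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64_24bit(b2, b1, b0, n):
    """Encode three bytes as n crypt-base64 characters, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    return "".join(_B64[(w >> (6 * i)) & 0x3F] for i in range(n))

def sha512_crypt(password, salt):
    """Pure-Python sha512-crypt with the default 5000 rounds (salt: up to 16 chars)."""
    pw, s = password.encode(), salt.encode()[:16]
    alt = hashlib.sha512(pw + s + pw).digest()
    ctx = hashlib.sha512(pw + s)
    ctx.update((alt * (len(pw) // 64 + 1))[:len(pw)])
    n = len(pw)
    while n:                       # one block per bit of len(pw)
        ctx.update(alt if n & 1 else pw)
        n >>= 1
    alt = ctx.digest()
    p = (hashlib.sha512(pw * len(pw)).digest() * (len(pw) // 64 + 1))[:len(pw)]
    sb = hashlib.sha512(s * (16 + alt[0])).digest()[:len(s)]
    for r in range(5000):          # key-stretching rounds
        h = hashlib.sha512(p if r & 1 else alt)
        if r % 3:
            h.update(sb)
        if r % 7:
            h.update(p)
        h.update(alt if r & 1 else p)
        alt = h.digest()
    out = ""
    for k in range(21):            # byte shuffle defined by the spec
        a, b, c = [(k, k + 21, k + 42)[(m + k) % 3] for m in range(3)]
        out += _b64_24bit(alt[a], alt[b], alt[c], 4)
    return "$6$%s$%s" % (s.decode(), out + _b64_24bit(0, 0, alt[63], 2))

def shadow_matches(shadow_line, candidate):
    """Check an /etc/shadow line ('user:$6$salt$digest:...') against one candidate password."""
    full = shadow_line.split(":")[1]
    scheme, salt = full.split("$")[1:3]
    return scheme == "6" and sha512_crypt(candidate, salt) == full

INTENDED = "Password123"       # the -e value given on the command line in the post
LITERAL = "{{oracle_passwd}}"  # the quoted text inside the outer Jinja expression (assumption)
SALT = "F1oK7CDbp3NitVZ4"      # salt from the post's output; the shadow line below is constructed

def demo():
    # returns (intended password matches?, literal template text matches?)
    line = "ansible:%s:18148:0:99999:7:::" % sha512_crypt(LITERAL, SALT)
    return shadow_matches(line, INTENDED), shadow_matches(line, LITERAL)
```

Run shadow_matches() against the real /etc/shadow entry with the password you passed on the command line; if it returns False, the playbook hashed something other than that password.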
