encrypted password hash question

100 views
Skip to first unread message

Rene Paquin

unread,
Dec 16, 2020, 2:56:52 PM12/16/20
to ansible...@googlegroups.com

Hi.  New ansible user here so just starting out.  My first experiment is to create a user with sudo privileges on an Oracle Linux 8 server in my test environment.  Here are the contents of the files in the /home/”user”/ansible/playbooks folder.  I think I am missing something as when I run the playbook it runs successfully.  I confirm that the account is created however when I attempt to ssh or login the attempt gets denied access. 

 

Any help is appreciated.

 

Thank you,

 

user_pass.yml  - encrypted using   “ansible-vault create user_pass.yml”  in group_vars folder

admin_group: wheel

password: #G00d4now

 

ansible.cfg

[defaults]

inventory = ./inventory

remote_user =  (local user with authorized keys)

[privilege_escalation]

become = true

become_method = sudo

become_user = root

 

inventory

[ol8]

qansibletest

 

create_users.yml

-  name: Create New Users

  hosts: all

  gather_facts: false

  tasks:

- name: Create User Task

      user:

        name: devops

        state: present

        password: "{{ 'password' | password_hash('sha512','A512') }}"

        shell: /bin/bash

        groups: "{{ admin_group }}"

        append: true

...

 

 

 

********************************
Rene Paquin - Systems Administrator
Wilfrid Laurier University
Waterloo, Ontario
(519)884-0710 x3795
rpa...@wlu.ca

 

Stefan Hornburg (Racke)

unread,
Dec 17, 2020, 3:14:04 AM12/17/20
to ansible...@googlegroups.com
On 12/16/20 8:56 PM, Rene Paquin wrote:
> Hi.  New ansible user here so just starting out.  My first experiment is to create a user with sudo privileges on an
> Oracle Linux 8 server in my test environment.  Here are the contents of the files in the /home/”user”/ansible/playbooks
> folder.  I think I am missing something as when I run the playbook it runs successfully.  I confirm that the account is
> created however when I attempt to ssh or login the attempt gets denied access. 
>
>  
>
> Any help is appreciated.
>
>  
>
> Thank you,
>
>  
>
> *user_pass.ym*l  - encrypted using   “ansible-vault create user_pass.yml”  in group_vars folder
>
> admin_group: wheel
>
> password: #G00d4now
>
>  
>
> *ansible.cfg*
>
> [defaults]
>
> inventory = ./inventory
>
> remote_user =  (local user with authorized keys)
>
> [privilege_escalation]
>
> become = true
>
> become_method = sudo
>
> become_user = root
>
>  
>
> *inventory*
>
> [ol8]
>
> qansibletest
>
>  
>
> *create_users.yml*
>
> -  name: Create New Users
>
>   hosts: all
>
>   gather_facts: false
>
>   tasks:
>
> - name: Create User Task
>
>       user:
>
>         name: devops
>
>         state: present
>
>         password: "{{ 'password' | password_hash('sha512','A512') }}"
>
>         shell: /bin/bash
>
>         groups: "{{ admin_group }}"
>
>         append: true
>
> ...
>
>

You are literally passing the string "passsword" instead of the value of the password
variable. Remove the quotes from 'password',

Regards
Racke
 
>
>  
>
>  
>
> ********************************
> Rene Paquin - Systems Administrator
> Wilfrid Laurier University
> Waterloo, Ontario
> (519)884-0710 x3795
> rpa...@wlu.ca <mailto:rpa...@wlu.ca>
>
>  
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/YTXPR0101MB1295AA2DBF8B42EDB8DCD249D8C50%40YTXPR0101MB1295.CANPRD01.PROD.OUTLOOK.COM
> <https://groups.google.com/d/msgid/ansible-project/YTXPR0101MB1295AA2DBF8B42EDB8DCD249D8C50%40YTXPR0101MB1295.CANPRD01.PROD.OUTLOOK.COM?utm_medium=email&utm_source=footer>.


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

OpenPGP_signature

Rene Paquin

unread,
Dec 17, 2020, 2:51:46 PM12/17/20
to ansible...@googlegroups.com
Further to this..

I found that when using this statement in the playbook it is not grabbing the variable in the group_vars/ol8 file but actually passing password as password despite the removal of quotes. Just wondering if I am missing to declare something?

password: "{{ password | password_hash('sha512', 'A512') }}"

Rene
> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%
> 2fd%2fmsgid%2fansible-project%2fYTXPR0101MB1295AA2DBF8B42EDB8DCD249D8C
> 50%40YTXPR0101MB1295.CANPRD01.PROD.OUTLOOK.COM&c=E,1,UGzFjVFOYydfZh4-G
> SOX_xxknGYspdRhMbPs735mhe_mgi8iyHSJvL5_Er9qWfNmf9-wg5rUCYBf8shEOMvS3l7
> CCHkN3ry0ZzG-bXGuYu5c&typo=1
> <https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fd%2fmsgid%2fansible-project%2fYTXPR0101MB1295AA2DBF8B42EDB8DCD249D8C50%40YTXPR0101MB1295.CANPRD01.PROD.OUTLOOK.COM%3futm_medium%3demail%26utm_source%3dfooter&c=E,1,REf0hyikO5Lj36aRFlEzrZIP2Or2zM5K7B0ejKPv_ZoI2K298Iio_lkAXSxHMAPAxFi4StvPIa6X5CiPpJGIesx38agbN9Ax53zEzHuJP-16OCKavcyF&typo=1>.


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fgroups.google.com%2fd%2fmsgid%2fansible-project%2fc25e9a65-bab9-74f1-1914-a595ed877e20%40linuxia.de.&c=E,1,li22miLGrvEE1wI4s-eWkq0aiTeqCkNysKddCCsXACQiXEeUqdqYPwZrXWg1WzVRikAKeVZXwEP49G2F4b8c3V2TZubwlcLTvnkPmsBqNcsIn3sf-RE,&typo=1

Joseph Alexander

unread,
Dec 17, 2020, 3:05:16 PM12/17/20
to ansible...@googlegroups.com
I always find that behavior gets tricky when using key words as variables. Try changing password to pwd or passwd.

Rene Paquin

unread,
Dec 17, 2020, 3:25:52 PM12/17/20
to ansible...@googlegroups.com

Thanks for the suggestion.  This just leads to more….

 

When I use this 

password: "{{ passwrd | password_hash('sha512', 'A512') }}"  I get the following error:

 

TASK [Create Users Task] **********************************************************************************************

fatal: [qreneansible.wlu.ca]: FAILED! => {"msg": "Unexpected templating type error occurred on ({{ passwd | password_hash('sha512', 'A512') }}): crypt() argument 1 must be str, not None"}

 

PLAY RECAP ************************************************************************************************************

qreneansible.wlu.ca        : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

 

 

It seems that it cannot find the variable anywhere.  In the playbook file I did add the following but it still cant find it.  The file is encrypted as well. 

 

vars_files:

     - group_vars/ol8

 

Thanks again,

 

Rene

Joseph Alexander

unread,
Dec 17, 2020, 3:32:58 PM12/17/20
to ansible...@googlegroups.com
and of course you also set the new passwrd variable? Its not null or empty?

Rene Paquin

unread,
Dec 17, 2020, 3:37:32 PM12/17/20
to ansible...@googlegroups.com

I did.  The contents of the encrypted file are:

 

admin_group: wheel

passwrd: #G00d4now

Joseph Alexander

unread,
Dec 17, 2020, 3:44:01 PM12/17/20
to ansible...@googlegroups.com
try removing the # from the password and see if that makes a difference

Rene Paquin

unread,
Dec 18, 2020, 8:11:45 AM12/18/20
to ansible...@googlegroups.com

That did the trick.  Thank you very much.

Joseph Alexander

unread,
Dec 18, 2020, 9:33:53 AM12/18/20
to ansible...@googlegroups.com
Great. So it was interpreting your password as a comment. Glad it worked.

Regards,

Joe.

Reply all
Reply to author
Forward
0 new messages