Setting user password via ansible module user didn't work as expected

Jörg Kastning

Jun 24, 2016, 10:06:22 AM
to Ansible Project
Hello,

I'm very new to ansible. So, please bear with me if I ask some beginner's questions.

I try to set a user password using the ansible ad-hoc mode with the user module. To generate the password hash I use the python command mentioned in the FAQ here. Using the python command to generate a password hash produces a hash like this:
$6$rounds=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p...

This is a short version from the complete string. I try to set the password with the following command:
ansible localhost -m user -a "name=johnd password='$6$rounds=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p...' state=present"

But when I look up the hash in /etc/shadow it looks like:
>grep 'johnd' /etc/shadow
johnd:=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p:16976:0:99999:7:::

The following part of the hash string is missing:
$6$rounds=

And just now I figured out that the python command generates a different hash every time for the same password:
root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Password:
$6$rounds=100000$GQDbqHk4Y1bcLF8t$PjC0r5o.B75.buNFvcOhSp2SdB4zRTfVlbrQ2u7aN5W9L5h1UqOaGMHAYtR.QvmcmUF2vLGSfAR30fYwcvvzJ.
[2016.06.24 09:35:18] ~
root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Password:
$6$rounds=100000$t57obQLCBDhu.0Hx$ffsDGXXLuAjCnl5Mv7wLoZuzcJqkw.wJ0NQn1/K9bP9hu4dH4gZmZQ0GXb.7lsBSmAOSeo26IJqNlGq90MALP0
[2016.06.24 09:35:27] ~
root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Password:
$6$rounds=100000$yLMPFyCM2ZmftBaX$QP3uBV7WHUjrD2G0xO7VXIdILivE0Y1pgbLrlgRBicD3e7dRNSx1cCF1FEeOLzPLK.AuuSGVQESwpixlWj8o01
[2016.06.24 09:35:35] ~

Unfortunately there is no mkpasswd --method=SHA-512 available on my Red Hat system.

Could you explain how I could generate a password hash to use with the ansible user module, please?

Kind regards,
Joerg K.

Kai Stian Olstad

Jun 24, 2016, 11:41:26 AM
to ansible...@googlegroups.com
On 24 June 2016 09:43, Jörg Kastning wrote:
> This is a short version from the complete string. I try to set the password
> with the following command:
> ansible localhost -m user -a "name=johnd
> password='$6$rounds=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p...' state=present"
>
> But when I look up the hash in /etc/shadow it looks like:
>> grep 'johnd' /etc/shadow
> johnd:=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p:16976:0:99999:7:::

This is because of shell expansion: the shell expands $6 and $rounds since
it sees them as variables.

Swap your quotes and it should work.
ansible localhost -m user -a 'name=johnd
password="$6$rounds=100000$nu.kkTNOWqlbz.6T$JtYE/77zl9p..." state=present'


> And just now I figured out that the python command generates a different
> hash every time for the same password:
> root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
> Password:
> $6$rounds=100000$GQDbqHk4Y1bcLF8t$PjC0r5o.B75.buNFvcOhSp2SdB4zRTfVlbrQ2u7aN5W9L5h1UqOaGMHAYtR.QvmcmUF2vLGSfAR30fYwcvvzJ.
> [2016.06.24 09:35:18] ~
> root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
> Password:
> $6$rounds=100000$t57obQLCBDhu.0Hx$ffsDGXXLuAjCnl5Mv7wLoZuzcJqkw.wJ0NQn1/K9bP9hu4dH4gZmZQ0GXb.7lsBSmAOSeo26IJqNlGq90MALP0
> [2016.06.24 09:35:27] ~
> root@hostname>python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
> Password:
> $6$rounds=100000$yLMPFyCM2ZmftBaX$QP3uBV7WHUjrD2G0xO7VXIdILivE0Y1pgbLrlgRBicD3e7dRNSx1cCF1FEeOLzPLK.AuuSGVQESwpixlWj8o01

Since you have not specified the salt in sha512_crypt.encrypt, it makes a
random one. This is the reason the hashes are different with the same
password. The output format is $id$rounds$salt$hashed.


--
Kai Stian Olstad
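
The quoting effect described in the reply above, as an added example that is not part of the original thread: a POSIX shell sketch that shows how double quotes strip the `$...` fields from a crypt string and how a format check catches the damage before the value reaches the user module. The digest, the salt `constructedSalt1` and the helper names `quoted_single`, `quoted_double`, `is_sha512_crypt` and `build_user_args` are constructed for illustration.

```shell
# Added example. The hash below is constructed for the demo, not a real credential.
DIGEST=$(printf '%086d' 0)   # 86 placeholder characters, the sha512_crypt digest length

# Single quotes: the shell passes every "$" through untouched.
quoted_single() {
    printf '%s' '$6$rounds=100000$constructedSalt1$'"$DIGEST"
}

# Double quotes: $6, $rounds and $constructedSalt1 are expanded as parameters.
# They are unset here, so each one silently becomes an empty string.
quoted_double() {
    unset rounds constructedSalt1   # keep the demo deterministic
    printf '%s' "$6$rounds=100000$constructedSalt1"'$'"$DIGEST"
}

# Succeeds only for a well-formed $6$[rounds=N$]salt$digest string.
is_sha512_crypt() {
    printf '%s\n' "$1" | grep -Eq \
        '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}$'
}

# Hypothetical helper: print the user-module argument string, or refuse.
build_user_args() {
    if is_sha512_crypt "$2"; then
        printf 'name=%s password="%s" state=present\n' "$1" "$2"
    else
        printf 'refusing malformed hash for %s: %s\n' "$1" "$2" >&2
        return 1
    fi
}

# Demo: the first candidate is accepted, the second is rejected.
for candidate in "$(quoted_single)" "$(quoted_double)"; do
    if build_user_args johnd "$candidate"; then :; else echo "-> rejected"; fi
done
```

A mangled value is dangerous precisely because nothing fails: the module accepts any string as a password field, so a pre-flight format check is the cheapest place to catch it.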

Jörg Kastning

Jul 12, 2016, 4:07:38 AM
to Ansible Project, ansible-pr...@olstad.com
Hi,

Sorry for my late reply. You are right. Changing the quotes solved my problem.

Thanks a lot,
Joerg