Ansible password_hash issue

[Bala Mutyam]

Hi Everyone,

I'm trying to create a task for below command but it's not working, can you help me how to make it work please?

Command:

update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt') }}' where login = 'admin'" sonarqube
  tags: query

I'm successfully running the task but not able to login with the admin_password.

[Dick Visser]

You manual command has more arguments than the one in your task.
Try making that consistent.

If that doesn't work, try hardcoding the hash in your task to see if
that works at all.

> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/1d3e8db8-01b9-4363-a3aa-67e077f35b62%40googlegroups.com.



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

[Bala Mutyam]

Hi,

Thanks for the reply.  By hard coding the hash working fine. 

I'm trying to workout something like this but this is giving me an error.

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None) }}' where login = 'admin'" sonarqube
  tags: query

On Tuesday, March 10, 2020 at 2:13:28 PM UTC, Dick Visser wrote:

You manual command has more arguments than the one in your task.
Try making that consistent.

If that doesn't work, try hardcoding the hash in your task to see if
that works at all.




On Tue, 10 Mar 2020 at 13:21, Bala Mutyam <koti.r...@gmail.com> wrote:
>
> Hi Everyone,
>
> I'm trying to create a task for below command but it's not working, can you help me how to make it work please?
>
> Command:
>
> update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'
>
> - name: Reset Admin pw
>   become: yes
>   become_user: postgres
>   command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt') }}' where login = 'admin'" sonarqube
>   tags: query
>
>
> I'm successfully running the task but not able to login with the admin_password.
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to ansible...@googlegroups.com.

[Dan Linder]

What is the error and what is sending the error?  (i.e. is the error from "psql" or from Ansible itself?)

Can you run the playbook with "-vvv" and paste in the errors the "Reset Admin pw" step produces.

[Stefan Hornburg (Racke)]

On 3/10/20 1:20 PM, Bala Mutyam wrote:
> Hi Everyone,
>
> I'm trying to create a task for below command but it's not working, can you help me how to make it work please?
>
> Command:
>
> |update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null,
> hash_method='BCRYPT' where login = 'admin'|
>
> - name: Reset Admin pw become: yes become_user: postgres command: psql -c "update users set crypted_password = '{{
> admin_password | password_hash('bcrypt') }}' where login = 'admin'" sonarqube tags: query
>

Hello Bala,

please make sure that you have Python's passlib installed.

I tested that with Ansible 2.9.4 and without passlib the output was literally "*0" :-(

Regards
Racke

>
> I'm successfully running the task but not able to login with the admin_password.
>

> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to

> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.

> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/1d3e8db8-01b9-4363-a3aa-67e077f35b62%40googlegroups.com

> <https://groups.google.com/d/msgid/ansible-project/1d3e8db8-01b9-4363-a3aa-67e077f35b62%40googlegroups.com?utm_medium=email&utm_source=footer>.


--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration. Provisioning with Ansible.

[Bala Mutyam]

Hi,

I manged to run the task successfully but i'm not able to login with the password to Sonarqube UI.

ansible 2.7.7

  config file = /etc/ansible/ansible.cfg

  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']

  ansible python module location = /usr/lib/python3/dist-packages/ansible

  executable location = /usr/bin/ansible

  python version = 3.7.3 (default, Dec 20 2019, 18:57:59) [GCC 8.3.0]

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None) }}' where login = 'admin'" sonarqube
  tags: query

I noticed the Ansible encrypted the password : '$2b$12$QEsYuib1i6RO6fngZP4tzuUQvJMEo7k2jA48P.dVwwT5UE2fmygM.

But it seems to be UI login only works with $2a$10$ggLrB/SKx901ctz13V1OIOu2UJzApbdfFCR5KJ6X6GbH9VNAzqglO.

Is it possible to force Anisble to encrypt the password as $2a$10$ggLrB/SKx901ctz13V1OIOu2UJzApbdfFCR5KJ6X6GbH9VNAzqglO ?

[Dick Visser]

Hi

Your hardcoded hash (the one "UI login only works") appears to use 10
rounds, while the hash generated by password_hash uses 12 (the
default).
Based on the docs at
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#interface
you should be able to configure that as an argument for password_hash,
like:

{{ admin_password | password_hash('bcrypt', salt=None, rounds=10) }}

Not sure if this will fix your problem though, but worth trying.

On a related note, you are deliberately not using a salt. That is
insecure, so if possible try to fix your workflow so that a salt is
used.
Your users will be thankful for it later.


Dick

> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/e63eb9ef-eee9-4739-9f6c-3691b4aee318%40googlegroups.com.

[Bala Mutyam]

Hi,

I've tried the rounds but no luck,still not able to login to UI.

About the salt option, it's Sonarqube application which doesn't use salt.

This is the command used on Sonarqube doc - https://docs.sonarqube.org/latest/instance-administration/security/

update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'

Thanks

[Dick Visser]

The hardcoded admin hash uses the 2a version of bcrypt.
It may be that your application cannot handle the newer 2b variant of
bcrypt - which ansible creates.
But this sounds unlikely.

Can you try to create a password with ansible using a salt (so leaving
the "salt=None" out) ?

Dick

> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/a15d3ce8-1596-475c-bd6f-84c8a080133a%40googlegroups.com.

[Bala Mutyam]

I've deleted the salt option altogether but tit didn't work.

Yeah, it's the app which doesn't like 2b variant.

Thanks

[Dick Visser]

Ansible's password_hash doesn't support setting the 'ident' option,
but if you want to test anyway, try editing passlib itself and change:

default_ident = IDENT_2A

into:

default_ident = IDENT_2B


This should be in handlers/bcrypt.py


If that does work for you, then you might want to submit a feature
request to support this option.


Dick

> To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7b48a1ab-8eb0-4bee-869e-dffaad7c231a%40googlegroups.com.

[Stefan Hornburg (Racke)]

On 3/13/20 12:38 PM, Bala Mutyam wrote:
> I've deleted the salt option altogether but tit didn't work.
>
> Yeah, it's the app which doesn't like 2b variant.
>
> Thanks

Hello Bala,

according to Wikipedia $2b$ was introduced int February 2014. On which operating system / version do you
run Sonarqube? What is your PostgreSQL version?

Regards
Racke

>
> On Thursday, March 12, 2020 at 6:12:49 PM UTC, Dick Visser wrote:
>
> The hardcoded admin hash uses the 2a version of bcrypt.
> It may be that your application cannot handle the newer 2b variant of
> bcrypt - which ansible creates.
> But this sounds unlikely.
>
> Can you try to create a password with ansible using a salt (so leaving
> the "salt=None" out) ?
>
> Dick
>

> <https://groups.google.com/d/msgid/ansible-project/1d3e8db8-01b9-4363-a3aa-67e077f35b62%40googlegroups.com>.

> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> --
> >> >>>> Dick Visser
> >> >>>> Trust & Identity Service Operations Manager
> >> >>>> GÉANT
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ansible...@googlegroups.com.
> >> > To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/e63eb9ef-eee9-4739-9f6c-3691b4aee318%40googlegroups.com

> <https://groups.google.com/d/msgid/ansible-project/e63eb9ef-eee9-4739-9f6c-3691b4aee318%40googlegroups.com>.

> >>
> >>
> >>
> >> --
> >> Dick Visser
> >> Trust & Identity Service Operations Manager
> >> GÉANT
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to ansible...@googlegroups.com

> <javascript:>.

> > To view this discussion on the web visit

> https://groups.google.com/d/msgid/ansible-project/a15d3ce8-1596-475c-bd6f-84c8a080133a%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/a15d3ce8-1596-475c-bd6f-84c8a080133a%40googlegroups.com>.

>
>
>
> --
> Dick Visser
> Trust & Identity Service Operations Manager
> GÉANT
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to

> ansible-proje...@googlegroups.com <mailto:ansible-proje...@googlegroups.com>.

> To view this discussion on the web visit

> https://groups.google.com/d/msgid/ansible-project/7b48a1ab-8eb0-4bee-869e-dffaad7c231a%40googlegroups.com
> <https://groups.google.com/d/msgid/ansible-project/7b48a1ab-8eb0-4bee-869e-dffaad7c231a%40googlegroups.com?utm_medium=email&utm_source=footer>.

[Bala Mutyam]

Ok,thanks.

[Bala Mutyam]

OS - Debian 10

PostgreSQL -  11.7

> ansible...@googlegroups.com <mailto:ansible-project+unsub...@googlegroups.com>.

[Bala Mutyam]

I have changed the ident to 2A and it's working fine.

command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None, rounds=10) }}' where login = 'admin'" sonarqube

Thanks

On Friday, March 13, 2020 at 11:58:44 AM UTC, Dick Visser wrote:

[Bala Mutyam]

Requested the feature - https://github.com/ansible/ansible/issues/68214