Anyone successfully use python to generate a password hash and pass it into a usable variable in a playbook?
668 views
Skip to first unread message
Paul Shulz
Jul 2, 2019, 10:36:26 PM7/2/19
to Ansible Project
Wondering if anyone has tried this or is ansible just intentionally designed to to allow you to do it?
Below is the normal output from creating a hash at the command line as an example of manually hashing a password.
[root@ansiblehost ~]# python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Password:
$6$rounds=656000$UoSnvgI/Fm7zVWSf$TIKHXTuCECLOy2EQiyvzQpx.X4bflE8le8FmUk7OLSEuIq9HoN0xnHnOWaUFm7x2MCEZsX0/WJ6FBuBc.Nfqi0
I have tried a couple different ways in Ansible 2.8.1 trying to pull in the stdout with register: variable_name .
Turns out the variable_name data was corrupted/changed with varying numbers of asterisk and even sometimes : which the plays complained of.
Tried it directly injecting the initial password variable to pass in without using getpass and using getpass with expect scripts.
Just thought it would be nice when I went to do root password change to take the new password from an input prompt: , pass it
into a hash that could be captured in a variable to set the password in the next task without having to do the copy paste stuff.
I pasted what was of interest in the debug between the hashing task and the variable being used in the update root password task.
No combination of quoting in this case would change the results.
(different password in this case)
"warnings": ["The value {\'stderr_lines\': [], \'changed\': True, \'end\': \'2********19-********7-********2 ********9:48:53.428542\', \'stdout\': \'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\', \'cmd\': \'python -c \\\\\'from passlib.hash import sha512_crypt; print sha512_crypt.encrypt(\\"rootletmein\\")\\\\\'\', \'rc\': ********, \'failed\': False, \'stderr\': \'\', \'delta\': \'********:****************:****************.578785\', \'stdout_lines\': [\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\'], \'start\': \'2********19-********7-********2 ********9:48:52.849757\'} (type dict) in a string field was converted to u\'{\\\\\'stderr_lines\\\\\': [], \\\\\'changed\\\\\': True, \\\\\'end\\\\\': \\\\\'2********19-********7-********2 ********9:48:53.428542\\\\\', \\\\\'stdout\\\\\': \\\\\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\\\\\', \\\\\'cmd\\\\\': \\\\\'python -c \\\\\\\\\\\\\'from passlib.hash import sha512_crypt; print sha512_crypt.encrypt(\\"rootletmein\\")\\\\\\\\\\\\\'\\\\\', \\\\\'rc\\\\\': ********, \\\\\'failed\\\\\': False, \\\\\'stderr\\\\\': \\\\\'\\\\\', \\\\\'delta\\\\\': \\\\\'********:****************:****************.578785\\\\\', \\\\\'stdout_lines\\\\\': [\\\\\'$6$rounds=656************************$6ZlH********TWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgih********kvMlkE9o9np/\\\\\'], \\\\\'start\\\\\': \\\\\'2********19-********7-********2 ********9:48:52.849757\\\\\'}\' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.", "The input password appears not to have been hashed. The \'password\' argument must be encrypted for this module to work properly."], "failed": true, "rc": 1
The simple ansible task
- name: Update local Linux Account Password
user:
name: "{{account_being_changed}}"
update_password: always
password: "{{new_account_crypt_pw}}"
Thanks,
Paul the nubie!
Tony Chia
Jul 3, 2019, 2:28:03 PM7/3/19
to Ansible Project
Have you tried using the password module to generate a random passwd?
Angel Rengifo Cancino
Jul 4, 2019, 9:02:51 PM7/4/19
to ansible...@googlegroups.com
Hello:
Why don't you use something like this?
- name: Update local Linux Account Password
user:
name: "{{account_being_changed}}"
update_password: always
password: "{{ new_account_plaintext_pw | password_hash('sha512')}}"
Just make sure you define your new_account_plaintext_pw variable. Optionally, you can also use python to generate your password (if you don't like the suggested alternative):
- name: Generar passwords
local_action:
module: shell /usr/local/bin/mkcryptpass.sh {{ new_account_plaintext_pw }}
register: passwd
local_action:
module: shell /usr/local/bin/mkcryptpass.sh {{ new_account_plaintext_pw }}
register: passwd
- name: Update local Linux Account Password
user:
name: "{{ account_being_changed }}"
update_password: always
password: "{{ passwd.stdout }}"
/usr/local/bin/mkcryptpass.sh might look like this:
#!/bin/bash
PASSWD="$1"
salt=$(openssl rand -base64 12)
# $6$ --> SHA512
salt="\$6\$${salt}"
python -c "import crypt; print(crypt.crypt(\"$PASSWD\",\"$salt\"))"
PASSWD="$1"
salt=$(openssl rand -base64 12)
# $6$ --> SHA512
salt="\$6\$${salt}"
python -c "import crypt; print(crypt.crypt(\"$PASSWD\",\"$salt\"))"
Hope that helps
Reply all
Reply to author
Forward
0 new messages