Hash password filter

Fred

Sep 13, 2020, 7:40:43 AM
to Ansible Project

Hello,

##### SUMMARY
When I tried to apply a filter to the password variable, Traefik BasicAuth rejected the password.

##### ISSUE TYPE
- Bug Report

##### COMPONENT NAME

##### ANSIBLE VERSION
```
ansible 2.9.12
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/fred/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/fred/devops/lib/python3.6/site-packages/ansible
  executable location = /home/fred/devops/bin/ansible
  python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]

```

##### CONFIGURATION
```
Empty
```

##### OS / ENVIRONMENT
Ubuntu 18.04
venv python3.8


##### STEPS TO REPRODUCE

A part of my playbook:
```
        username_auth: admin
        user_password: hello
        #user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="
        #user_combinehash: "admin:$$apr1$$2mYRX92I$$udcUHex5PBj4vMOVHRWiD."
        user_combinehash: "{{ username_auth }}:{{ user_password | hash('md5') }}"

```

A part of my role task:
```
          labels:
            - "traefik.http.routers.dashboard.rule=(PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
            - "traefik.http.routers.dashboard.service=api@internal"
            - "traefik.http.routers.dashboard.middlewares=auth"
            - "traefik.http.middlewares.auth.basicauth.users={{ user_combinehash }}"
```

##### EXPECTED RESULTS
The BasicAuth module of Traefik accepts my hashed password.


##### ACTUAL RESULTS
The playbook works, but when I tried to access the Traefik dashboard, access was denied, password unrecognized.

When I use variable:
`user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="`
It works.

All others did not work. But I need to use the hash filter instead.

I tried with filter SHA1 and MD5

I already installed python3-passlib.

I'm sorry that I don't understand where the problem is.
Thanks

Dick Visser

Sep 13, 2020, 8:10:43 AM
to ansible...@googlegroups.com
Hi

It looks like someone told you "it needs to be hashed" and then you
applied the 'hash' filter with ansible.
But there are many subtleties when it comes to hashing, even more so
with password hashing, and yet more because applications may expect
something specific/dialect.
I have no idea what "Traefik" is - you should look at their docs,
those should tell you exactly what it expects.
However, given that you mentioned that the {SHA} style password works,
and you also mentioned "basicauth", it might be the "standard" LDAP
SHA1, so try that:

user_combinehash: "{{ username_auth }}:{{ user_password | hash('ldap_sha1') }}"

This is all part of the docs BTW
(https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hashing-filters).
Definitely read this:

"Hash types available depend on the master system running ansible,
‘hash’ depends on hashlib password_hash depends on passlib
(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.html)."



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Fred

Sep 13, 2020, 8:50:52 AM
to Ansible Project
Thanks for your answer.

Your advice of ldap_sha1 is not working.

Traefik is a reverse proxy, and it's in their documentation, which mentions that it needs a SHA1 or MD5 hash.

I tried to hash the password in md5 or sha in the username_password variable, but that does not work either.

Dick Visser

Sep 13, 2020, 11:30:48 AM
to ansible...@googlegroups.com
Looking at this: 

Are you sure your config needs a simple string of a single user? It looks like it should be a list.

There are tips there on how to use bcrypt, I would try to get that to work as it's more secure. 


--
Sent from a mobile device - please excuse the brevity, spelling and punctuation.

Fred

Sep 13, 2020, 2:43:08 PM
to Ansible Project
Solution:

pip3 install bcrypt

And in my task:
user_combinehash: "{{ username_auth }}:{{ user_password | password_hash('blowfish','1234567890123456789012') | regex_replace('\\$', '$$') }}"

Thanks again Dick!
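An added example, not part of the thread: a Python check that separates a bare hex digest (the shape hashlib's `hexdigest()` returns, which is what the `hash` filter builds on) from the prefixed htpasswd-style entries that appear above (`{SHA}`, `$apr1$`, bcrypt). The function names and regexes are assumptions made for illustration; the `$` to `$$` doubling mirrors the final task in the thread.

```python
import base64
import hashlib
import re

# htpasswd-style schemes that appear in the thread, matched on the hash part.
SCHEMES = [
    ("sha1", re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}$")),
]


def raw_hex_digest(password):
    """Bare MD5 hex digest: no scheme prefix, no salt, hex instead of base64."""
    return hashlib.md5(password.encode()).hexdigest()


def htpasswd_sha1(password):
    """'{SHA}' followed by the base64 of the raw 20-byte SHA-1 digest."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def classify(entry):
    """Return the scheme name of a 'user:hash' entry, or None if unrecognized.

    Entries whose '$' were doubled for the container label are accepted too.
    """
    user, sep, hashed = entry.partition(":")
    if not user or not sep:
        return None
    hashed = hashed.replace("$$", "$")
    for name, pattern in SCHEMES:
        if pattern.match(hashed):
            return name
    return None


def escape_dollars(entry):
    """Double every '$', as the regex_replace in the final task does."""
    return entry.replace("$", "$$")


if __name__ == "__main__":
    for candidate in ("admin:" + raw_hex_digest("hello"),
                      "admin:" + htpasswd_sha1("hello")):
        print(candidate, "->", classify(candidate))
```

Running `classify` over rendered `basicauth.users` values before deployment flags an entry that has no recognizable scheme prefix.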