Correct way to generate and use per host user passwords + possible regression


David Strauß

Apr 8, 2016, 12:23:50 PM
to Ansible Project
Good evening everyone, I'm looking for an automated way to create user accounts with random passwords and re-using them for the `ansible_sudo_pass` variable.

Is there an official position on how to do/accomplish this?
My current solution broke after an update from Ansible 1.9 to Ansible 2, and I struggle to make it work under Ansible 2.

For more details, let me explain my solution and how it breaks with Ansible 2.

I create a new user and store its password with this task:
---
- name: Create user
  user: name=deployer group=deployer password={{ item }} state=present
  with_password: "./passwords/my-server/users/deployer encrypt=sha256_crypt"

In a different playbook I use the previously created user and its password like this:
---
- hosts: all
  remote_user: deployer
  vars:
    ansible_sudo_pass: "{{ lookup('password', './passwords/my-server/users/deployer') }}"

Creating the user creates the `./passwords/my-server/users/deployer` file containing the password and a salt. The salt comes from the `encrypted` parameter, which in turn is needed by the `user` module because it requires an encrypted password. Without this parameter you will set the user's password to an unknown one.

Unlike the `user` module, Ansible expects the `ansible_sudo_pass` variable to be in plaintext. Therefore we use the lookup method without an encrypted parameter. With Ansible 1.9 this resulted in a password file where the salt part was removed. (I assume this was not intended, but for my use case it was not a problem.)

Nonetheless, this procedure worked with Ansible 1.9.

After updating to Ansible 2, my server provisioning process started to fail due to a wrong sudo password. The first thing I noticed was that the lookup function no longer removed the salt part of the password file. Secondly, it seems that compared to 1.9 it now reads the entire file instead of only the password. This in turn means the `ansible_sudo_pass` also contains the salt part of the file, which results in an obviously wrong password.

Thank you for reading. I appreciate any pointers and tips on how to accomplish my goal under Ansible 2.
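The failure described above comes down to one file feeding two consumers: the `user` module wants the hashed form (which is why the salt is stored next to the password), while `ansible_sudo_pass` wants the plaintext only. The following is an added example, not code from this thread or from Ansible; it assumes the on-disk layout the poster describes (one line, plaintext password followed by ` salt=<salt>`) and shows a reader that returns only the password so the same file can be reused safely, whether or not a salt part is present.

```python
import secrets
import string
from pathlib import Path

# Assumed layout of the lookup's password file (constructed for this example):
# a single line such as "Q7hkR2...  salt=AbCd...", with " salt=" as separator.
SALT_MARKER = " salt="
ALPHABET = string.ascii_letters + string.digits


def split_password_file(content):
    """Return (password, salt) from a file body; salt is None when absent."""
    line = content.strip()
    if SALT_MARKER in line:
        password, _, salt = line.partition(SALT_MARKER)
        return password, salt
    return line, None


def read_plain_password(path):
    """What a sudo password needs: the password only, with the salt stripped."""
    return split_password_file(Path(path).read_text())[0]


def generate_password_file(path, length=20, salt_length=16):
    """Create the password file once and return the plaintext.

    An existing file is read, never overwritten, so the password stays stable
    across playbook runs (the same idempotency the lookup relies on).
    """
    path = Path(path)
    if path.exists():
        return read_plain_password(path)
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = "".join(secrets.choice(ALPHABET) for _ in range(salt_length))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(f"{password}{SALT_MARKER}{salt}\n")
    path.chmod(0o600)  # the file holds a plaintext credential; restrict it
    return password
```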

Patrick D

Apr 12, 2016, 7:05:27 AM
to Ansible Project
Opportunity to shamelessly plug my own lookup ;)
But if you convert to password-store for storing and creating passwords, you could use my lookup plugin, which does all this (except for the part of re-encrypting it with sha256; just file an issue).

https://github.com/morphje/ansible_pass_lookup

If you look up a password with create=true in the lookup, it will even create a new password for you. Tested with Ansible 2.0.

Kind regards,
Patrick Deelman