postgres_user: crypted password not working


r144

Oct 27, 2015, 5:58:53 AM
to Ansible Project
hello group,

I have a set of tasks to create a postgres database and user.
The strange thing is, that although it works, the supplied password is never taken as encrypted.

So if I do

  - name: creeer gebruiker {{dbuser}} voor de database
    sudo: yes
    sudo_user: postgres
    postgresql_user:
      name:             "{{dbuser}}"
      db:               "{{dbuser}}"
      password:         mango
      role_attr_flags:  CREATEDB
      state:            present

I get a user that can login with password mango. However, if I crypt mango with either

mkpassword --method=MD5

or

echo "md5`echo -n "mango" | md5sum`"

(from the ansible postgresql_user documentation, with md5 replaced by md5sum - Ubuntu does not have an md5 command)

and change the task to pass the crypted password

  - name: creeer gebruiker {{dbuser}} voor de database
    sudo: yes
    sudo_user: postgres
    when: not rollback
    postgresql_user:
      name:             "{{dbuser}}"
      db:               "{{dbuser}}"
      password:         $1$m8gRylOU$2x0qxe/RzmYFlSY93WBHT1
      encrypted:        true
      role_attr_flags:  CREATEDB
      state:            present

I get a user that can only login with password $1$m8gRylOU$2x0qxe/RzmYFlSY93WBHT1 and NOT with password mango. It seems postgresql_user is not communicating this well with postgres.
Does anyone know how I can work around this?

thanks for your help! Ruud

r144

Oct 27, 2015, 6:01:10 AM
to Ansible Project
By the way:
I use ansible 1.7.2 on a debian host, ubuntu target.
 

r144

Oct 27, 2015, 6:20:23 AM
to Ansible Project
hello,
I was not completely correct in my first post. When I supply a password that is encrypted with


 echo "md5`echo -n "mango" | md5sum`"

I get as output the string "md5aa00faf97d042c13a59da4d27eb32358  -"
If I put this string in the task, I can only log in with that string as password. However, when I supply that password, but without the trailing " -", then I can log in with neither md5aa00faf97d042c13a59da4d27eb32358 nor mango, although the user is created.

I am stuck now. Any ideas?

Ru

Nigel Metheringham

Oct 27, 2015, 7:24:34 AM
to ansible...@googlegroups.com
The md5 command is not the same as the md5sum command - as you have found by experiment - since the md5sum command also outputs the name of the file it has just checked.

Additionally if you look at the info in the ansible postgres_user you will see that the encrypted password hash needs the user name in there as well as a salt.

However you would save yourself a lot of pain if you put the credentials into an ansible vault and then passed them to the commands in a normal (i.e. not hashed) form, but use the encrypted flag so that they are stored hashed within the database.

    Nigel.

--
[ Nigel Metheringham ------------------------------ ni...@dotdot.it ] 
[                 Ellipsis Intangible Technologies                  ]
 

r144

Oct 27, 2015, 7:48:58 AM
to Ansible Project


On Tuesday, October 27, 2015 at 12:24:34 PM UTC+1, nigelm wrote:
> The md5 command is not the same as the md5sum command - as you have found by experiment - since the md5sum command also outputs the name of the file it has just checked.
>
> Additionally if you look at the info in the ansible postgres_user you will see that the encrypted password hash needs the user name in there as well as a salt.


Hi Nigel,
thanks for your help. I was really having a blind spot when reading the docs. You are right: the username was missing when generating the password. When I added that one, I got a user with the expected password.
The md5sum command can be used, when the file name is trimmed from the output.
And I don't see how the salt fits in. I have not specified a salt and it is working all the same.

Again: thank you for helping me out. I already spent too much time of living on this issue.... ;)

Ruud
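
The fix described in this reply, as an added example that is not part of the original thread: PostgreSQL's md5 password value is "md5" followed by the MD5 digest of the password concatenated with the role name, and md5sum's trailing "  -" has to be cut off. The function names and the role name "appuser" are assumptions made for illustration; the candidate values are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example (not from the thread). "appuser" is a constructed role name
# and the function names are hypothetical.

# pg_md5_hash PASSWORD ROLE
# Prints "md5" + hex(md5(PASSWORD concatenated with ROLE)).
pg_md5_hash() {
    # printf '%s' keeps a trailing newline out of the digest input.
    # md5sum prints "<hex>  -" for stdin, so keep only the first field.
    printf 'md5%s\n' "$(printf '%s%s' "$1" "$2" | md5sum | cut -d' ' -f1)"
}

# is_pg_md5_shape VALUE
# Succeeds only for "md5" followed by exactly 32 lowercase hex digits.
# A value without this shape is handled as a plaintext password, which is
# why the literal string itself then works as the login password.
is_pg_md5_shape() {
    printf '%s\n' "$1" | grep -Eqx 'md5[0-9a-f]{32}'
}

# explain_candidate VALUE PASSWORD ROLE
# Prints why VALUE would or would not let ROLE log in with PASSWORD.
explain_candidate() {
    if ! is_pg_md5_shape "$1"; then
        echo "not-a-hash"     # treated as if it were the plaintext password
    elif [ "$1" = "$(pg_md5_hash "$2" "$3")" ]; then
        echo "ok"
    else
        echo "wrong-input"    # right shape, but not md5(password + role)
    fi
}

# Values quoted in the thread, checked for the constructed role "appuser".
explain_candidate 'md5aa00faf97d042c13a59da4d27eb32358  -' mango appuser
explain_candidate '$1$m8gRylOU$2x0qxe/RzmYFlSY93WBHT1' mango appuser
explain_candidate 'md5aa00faf97d042c13a59da4d27eb32358' mango appuser
explain_candidate "$(pg_md5_hash mango appuser)" mango appuser
```

This format only applies where PostgreSQL is configured for md5 password storage; newer releases default to scram-sha-256.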

r144

Oct 27, 2015, 8:46:54 AM
to Ansible Project
hello,
I was not completely correct in my first post. When I supply a password that is encrypted with

 echo "md5`echo -n "mango" | md5sum`"

I get as output the string "md5aa00faf97d042c13a59da4d27eb32358  -"
If I put this string in the task, I can only log in with that string as password. However, when I supply that password, but without the trailing " -", then I can log in with neither md5aa00faf97d042c13a59da4d27eb32358 nor mango, although the user is created.

I am stuck now. Any ideas?

Ruud