Ansible password_hash issue

Hi Everyone,

I’m trying to create a task for below command but it’s not working, can you help me how to make it work please?

Command:

update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt') }}' where login = 'admin'" sonarqube
  tags: query

I’m successfully running the task but not able to login with the admin_password.

Your manual command has more arguments than the one in your task.
Try making that consistent.

If that doesn't work, try hardcoding the hash in your task to see if
that works at all.

Hi,

Thanks for the reply. Hardcoding the hash works fine.

I’m trying to work out something like this but this is giving me an error.

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None) }}' where login = 'admin'" sonarqube
  tags: query

What is the error and what is sending the error? (i.e. is the error from “psql” or from Ansible itself?)

Can you run the playbook with “-vvv” and paste in the errors the “Reset Admin pw” step produces.

Hello Bala,

please make sure that you have Python's passlib installed.

I tested that with Ansible 2.9.4 and without passlib the output was literally "*0" :frowning:

Regards
        Racke

Hi,

I managed to run the task successfully but I’m not able to log in with the password to the Sonarqube UI.

ansible 2.7.7
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 3.7.3 (default, Dec 20 2019, 18:57:59) [GCC 8.3.0]

- name: Reset Admin pw
  become: yes
  become_user: postgres
  command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None) }}' where login = 'admin'" sonarqube
  tags: query

I noticed that Ansible encrypted the password as: $2b$12$QEsYuib1i6RO6fngZP4tzuUQvJMEo7k2jA48P.dVwwT5UE2fmygM.

But it seems the UI login only works with $2a$10$ggLrB/SKx901ctz13V1OIOu2UJzApbdfFCR5KJ6X6GbH9VNAzqglO.

Is it possible to force Ansible to encrypt the password as $2a$10$ggLrB/SKx901ctz13V1OIOu2UJzApbdfFCR5KJ6X6GbH9VNAzqglO ?

Hi

Your hardcoded hash (the one "UI login only works") appears to use 10
rounds, while the hash generated by password_hash uses 12 (the
default).
Based on the docs at
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#interface
you should be able to configure that as an argument for password_hash,
like:

{{ admin_password | password_hash('bcrypt', salt=None, rounds=10) }}

Not sure if this will fix your problem though, but worth trying.

On a related note, you are deliberately not using a salt. That is
insecure, so if possible try to fix your workflow so that a salt is
used.
Your users will be thankful for it later.

Dick

Hi,

I’ve tried the rounds but no luck, still not able to log in to the UI.

About the salt option, it’s Sonarqube application which doesn’t use salt.

This is the command used on Sonarqube doc - https://docs.sonarqube.org/latest/instance-administration/security/

update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'

Thanks

The hardcoded admin hash uses the 2a version of bcrypt.
It may be that your application cannot handle the newer 2b variant of
bcrypt - which ansible creates.
But this sounds unlikely.

Can you try to create a password with ansible using a salt (so leaving
the "salt=None" out) ?

Dick

I’ve deleted the salt option altogether but it didn’t work.

Yeah, it’s the app which doesn’t like 2b variant.

Thanks

Ansible's password_hash doesn't support setting the 'ident' option,
but if you want to test anyway, try editing passlib itself and change:

default_ident = IDENT_2A

into:

default_ident = IDENT_2B

This should be in handlers/bcrypt.py

If that does work for you, then you might want to submit a feature
request to support this option.

Dick

Hello Bala,

according to Wikipedia $2b$ was introduced in February 2014. On which operating system / version do you
run Sonarqube? What is your PostgreSQL version?

Regards
         Racke

Ok, thanks.

OS - Debian 10
PostgreSQL - 11.7

I have changed the ident to 2A and it’s working fine.

command: psql -c "update users set crypted_password = '{{ admin_password | password_hash('bcrypt', salt=None, rounds=10) }}' where login = 'admin'" sonarqube

Thanks

Requested the feature - https://github.com/ansible/ansible/issues/68214
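
The two fields the thread ended up comparing (bcrypt ident and cost), as an added example that is not part of the original posts: a pre-flight check that parses a generated hash before it is written to the users table. The accepted ident set ("2a" only) is an assumption taken from the thread's finding, and the function names are hypothetical.

```python
import re
from typing import List, NamedTuple, Optional

# bcrypt modular-crypt layout: $<ident>$<cost>$<22-char salt><31-char checksum>
_BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

class BcryptHash(NamedTuple):
    ident: str      # algorithm variant, e.g. "2a" or "2b"
    rounds: int     # log2 cost factor
    salt: str       # 22 characters, bcrypt base64 alphabet
    checksum: str   # 31 characters, bcrypt base64 alphabet

def parse_bcrypt(value: str) -> Optional[BcryptHash]:
    """Split a bcrypt string into its fields; None if it is not well-formed."""
    m = _BCRYPT_RE.fullmatch(value.strip())
    if m is None:
        return None
    return BcryptHash(m.group(1), int(m.group(2)), m.group(3), m.group(4))

def preflight(value: str, accepted_idents=("2a",)) -> List[str]:
    """Return reasons not to store this hash; an empty list means it looks usable.

    accepted_idents is an assumption: the thread found the application
    rejected the 2b variant, so only 2a is accepted by default here.
    """
    parsed = parse_bcrypt(value)
    if parsed is None:
        # Also catches the literal "*0" seen in the thread when passlib was missing.
        return ["not a bcrypt hash: %r" % value]
    problems = []
    if parsed.ident not in accepted_idents:
        problems.append("ident $%s$ not accepted (want one of %s)"
                        % (parsed.ident, ", ".join(accepted_idents)))
    if not 4 <= parsed.rounds <= 31:
        problems.append("cost %d outside bcrypt's 4..31 range" % parsed.rounds)
    return problems

# Hashes quoted in the thread, plus the "*0" output reported without passlib.
DOC_HASH = "$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi"
ANSIBLE_HASH = "$2b$12$QEsYuib1i6RO6fngZP4tzuUQvJMEo7k2jA48P.dVwwT5UE2fmygM."
UI_HASH = "$2a$10$ggLrB/SKx901ctz13V1OIOu2UJzApbdfFCR5KJ6X6GbH9VNAzqglO"

if __name__ == "__main__":
    for h in (DOC_HASH, ANSIBLE_HASH, UI_HASH, "*0"):
        print(h[:7], preflight(h) or "ok")
```
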