I’m now looking at the user module and struggling with the use of encrypted passwords…
Not that we can’t store encrypted passwords, just the way that Linux and AIX store encrypted passwords are different.
Running ‘openssl passwd -salt saltsalt -1 password’ gives me the following string
$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/
Linux will use this string as it stands as the encrypted password; AIX uses a slightly different format for MD5 passwords:
{smd5}saltsalt$qjXMvbEw8oaL.CzflDtaK/
Given that I have a mix of AIX and Linux hosts to deal with what would be a better way of dealing with the creation of local accounts for the system administrators?
1) Modify the user module to accept Linux format encrypted passwords and then change them to the appropriate AIX format (this could work for $1$, $2a$, $5$ and $6$)
2) Store the passwords and salts without the headers and add the appropriate header using variables (I’m thinking something like {{ os_password_header }}{{ headerless_password }}. This would assume a single password hash type for all passwords)
3) Store passwords in their native formats for each OS (becomes much bulkier in the variables files but will work)
Personally I like 2) for simplicity (No changes to Ansible required), but can see a minor advantage to 1). 3) seems to be the least elegant method.
What are other peoples thoughts?
Adam
p.s. wait until I start trying to get this to work on our few Solaris, HP-UX and I5-OS servers… particularly the latter.
Not sure I’m going to answer your question but I’d recommend that you use the highest level of password encryption your version of unix supports. On modern Linux boxes this is SHA512. I’m not sure about AIX. I don’t believe openssl passwd allows you to generate SHA512 encrypted passwords. I use the python library passlib [1] for this. Easy enough to do:
from passlib.hash import sha512_crypt

password = "changeme"  # placeholder clear-text password to hash
# sha512_crypt.hash() is the current name of the former .encrypt() method
hashed = sha512_crypt.hash(password, rounds=5000)
print(hashed)
You can easily generate the correct format for AIX too.
Thanks Romeo, AIX can handle SMD5, SHA-256 and SHA-512… (plus Blowfish on the server I checked). So I could say that we should use SHA-512 going forward. That still leaves me with the question as to how I handle them… Do I store an AIX password and a Linux password for every user, do I munge the passwords when I use them, or do I add a potentially ugly hack to Ansible that would take care of the issue?
I’m leaning towards the second option myself… It’s not entirely clean, but it does seem like a reasonable way to go.
If, like you suggested, AIX passwords just have something prepended to them, I'd just store one SHA512 password and interpolate the needed prefix on the AIX boxes.
The solution I went with is not perfect, but pretty good… My localaccounts task has two main user tasks in it (they take lists of users and are identical apart from one aspect). The lists are provided with Linux style password hashes.
The first section runs only on Linux hosts and takes the hash as is.
The second one runs only on AIX and replaces password={{item.password}} with password={{item.password | replace("$1$", "{smd5}") | replace("$5$", "{ssha256}") | replace("$6$", "{ssha512}") }}
This replaces the Linux style encryption identifier $[1|5|6]$ with the AIX equivalent {s[md5|sha256|sha512]}.
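The prefix rewrite done by those replace filters, as an added standalone Python example (not the poster's task code), so the mapping can be checked outside of Ansible before it is applied to a host. It only maps the $1$, $5$ and $6$ identifiers the thread names; $2a$ is deliberately rejected because no AIX equivalent is given here. The user-list shape and the sample hashes other than the openssl one above are constructed for illustration.

```python
import re

# Linux crypt(3) identifier -> AIX password prefix, exactly as the
# replace() filters in the task do it.  $2a$ (Blowfish) is intentionally
# absent: the thread states no AIX prefix for it.
LINUX_TO_AIX = {"1": "{smd5}", "5": "{ssha256}", "6": "{ssha512}"}
AIX_TO_LINUX = {alg: "$%s$" % ident for ident, alg in LINUX_TO_AIX.items()}

_LINUX_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<rest>.+)$")
_AIX_RE = re.compile(r"^(?P<alg>\{[a-z0-9]+\})(?P<rest>.+)$")


def to_aix(linux_hash):
    """Turn $id$salt$digest into {alg}salt$digest.

    Raises ValueError instead of silently passing an unmapped hash through,
    which is what a bare replace() filter would do."""
    m = _LINUX_RE.match(linux_hash)
    if not m:
        raise ValueError("not a $id$ style crypt hash: %r" % linux_hash)
    alg = LINUX_TO_AIX.get(m.group("id"))
    if alg is None:
        raise ValueError("no AIX equivalent known for $%s$" % m.group("id"))
    return alg + m.group("rest")


def to_linux(aix_hash):
    """Inverse of to_aix: {alg}salt$digest back to $id$salt$digest."""
    m = _AIX_RE.match(aix_hash)
    if not m or m.group("alg") not in AIX_TO_LINUX:
        raise ValueError("not a mapped AIX hash: %r" % aix_hash)
    return AIX_TO_LINUX[m.group("alg")] + m.group("rest")


def aix_user_list(users):
    """Copy of a task-style user list with every password rewritten for AIX.

    Each entry is a dict with a 'password' key holding a Linux-style hash
    (hypothetical list layout, matching the thread's description)."""
    return [dict(u, password=to_aix(u["password"])) for u in users]


if __name__ == "__main__":
    # the MD5 hash produced by the openssl command quoted in the thread
    print(to_aix("$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/"))
```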