Anyone successfully use python to generate a password hash and pass it into a usable variable in a playbook?

Wondering if anyone has tried this or is ansible just intentionally designed to allow you to do it?

Below is the normal output from creating a hash at the command line as an example of manually hashing a password.

[root@ansiblehost ~]# python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass())"
Password:
$6$rounds=656000$UoSnvgI/Fm7zVWSf$TIKHXTuCECLOy2EQiyvzQpx.X4bflE8le8FmUk7OLSEuIq9HoN0xnHnOWaUFm7x2MCEZsX0/WJ6FBuBc.Nfqi0

I have tried a couple of different ways in Ansible 2.8.1 to pull in the stdout with register: variable_name.
Turns out the variable_name data was corrupted/changed with varying numbers of asterisks and even sometimes ':', which the plays complained of.
Tried it by directly injecting the initial password variable without using getpass, and by using getpass with expect scripts.
Just thought it would be nice, when I went to do a root password change, to take the new password from an input prompt, pass it
into a hash that could be captured in a variable, and set the password in the next task without having to do the copy/paste stuff.

I pasted what was of interest in the debug between the hashing task and the variable being used in the update root password task.
No combination of quoting in this case would change the results.
(different password in this case)

"warnings": ["The value {'stderr_lines': , 'changed': True, 'end': '219-7-2 9:48:53.428542', 'stdout': '$6$rounds=656$6ZlHTWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgihkvMlkE9o9np/', 'cmd': 'python -c \\'from passlib.hash import sha512_crypt; print sha512_crypt.encrypt(\"rootletmein\")\\'', 'rc': , 'failed': False, 'stderr': '', 'delta': '::.578785', 'stdout_lines': ['$6$rounds=656****************$6ZlHTWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgihkvMlkE9o9np/'], 'start': '219-7-2 9:48:52.849757'} (type dict) in a string field was converted to u'{\\'stderr_lines\\': [], \\'changed\\': True, \\'end\\': \\'219-7-2 9:48:53.428542\\', \\'stdout\\': \\'$6$rounds=656$6ZlHTWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgihkvMlkE9o9np/\\', \\'cmd\\': \\'python -c \\\\\\'from passlib.hash import sha512_crypt; print sha512_crypt.encrypt(\"rootletmein\")\\\\\\'\\', \\'rc\\': , \\'failed\\': False, \\'stderr\\': \\'\\', \\'delta\\': \\'::.578785\\', \\'stdout_lines\\': [\\'$6$rounds=656****************$6ZlHTWZkf7a12Zr$O9tjbJfH5Tu9O6xJVft/nsrLODJjj4Nts7AIA74.Z9L1XOK7lfoEvGaJHzbAuXxD.QAzgGgihkvMlkE9o9np/\\'], \\'start\\': \\'2********19-********7-********2 ********9:48:52.849757\\'}' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.", "The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly."], "failed": true, "rc": 1

The simple Ansible task:

- name: Update local Linux Account Password
  user:
    name: "{{ account_being_changed }}"
    update_password: always
    password: "{{ new_account_crypt_pw }}"

Thanks,
Paul the nubie!

Have you tried using the password module to generate a random passwd?

https://docs.ansible.com/ansible/latest/plugins/lookup/password.html

Hello:

Why don't you use something like this?

- name: Update local Linux Account Password
  user:
    name: "{{ account_being_changed }}"
    update_password: always
    password: "{{ new_account_plaintext_pw | password_hash('sha512') }}"

Just make sure you define your new_account_plaintext_pw variable. Optionally, you can also use python to generate your password (if you don't like the suggested alternative):

- name: Generar passwords
  local_action:
    module: shell /usr/local/bin/mkcryptpass.sh {{ new_account_plaintext_pw }}
  register: passwd

- name: Update local Linux Account Password
  user:
    name: "{{ account_being_changed }}"
    update_password: always
    password: "{{ passwd.stdout }}"

/usr/local/bin/mkcryptpass.sh might look like this:

#!/bin/bash
# Note: the plaintext password arrives as $1 and is visible in the process list while this runs.
PASSWD="$1"
# crypt(3) salts use the alphabet [./0-9A-Za-z]; base64 also emits '+', so map it to '.'
salt=$(openssl rand -base64 12 | tr '+' '.')

# $6$ → SHA512
# The dollars must be escaped: inside double quotes "$6" is positional parameter 6 and "$$" is the shell PID.
salt="\$6\$${salt}"
python -c "import crypt; print(crypt.crypt('$PASSWD', '$salt'))"

Hope that helps
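Added example, not code from the thread, from Ansible or from passlib: a pure standard-library sha512-crypt ("$6$") implementation that produces the same string `password_hash('sha512')`, `crypt.crypt` and the mkcryptpass.sh script above produce, plus the check a playbook should run on a registered result before handing it to the user module's `password:` argument (use `result.stdout`, never the whole dict, and reject anything that is not a well-formed hash, such as output mangled by no_log masking into `****`). It also generates salts from the crypt alphabet, which base64 output does not guarantee. The function names, `SAMPLE_RESULT` and the example password are all constructed for this illustration; it needs no `crypt` module (removed in Python 3.13) and no passlib.

```python
# Pure-Python sha512-crypt per Ulrich Drepper's sha-crypt specification,
# plus validation helpers for use with Ansible's user module.
# Added example; function and sample names are constructed, not from the thread.
import hashlib
import re
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order from the spec: triples (k, k+21, k+42) left-rotated by k mod 3,
# then byte 63 on its own.
_TRIPLES = [[k, k + 21, k + 42][k % 3:] + [k, k + 21, k + 42][:k % 3] for k in range(21)]
# Strict shape of a "$6$" hash: optional rounds, 1-16 salt chars, 86 hash chars.
HASH_RE = re.compile(r"^\$6\$(rounds=(\d+)\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]{86})$")


def _b64_24bit(b2, b1, b0, n):
    """Emit n crypt-base64 chars from a 24-bit word, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def new_salt(length=16):
    """Random salt drawn only from the crypt alphabet ('+' from base64 is invalid)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def sha512_crypt(password, salt, rounds=None):
    """Return the '$6$...' string glibc crypt(3) would return for this password/salt."""
    pw = password.encode()
    salt = salt[:16].encode()                      # crypt truncates salt to 16 bytes
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)

    b = hashlib.sha512(pw + salt + pw).digest()    # digest B
    a = hashlib.sha512(pw + salt)                  # digest A
    a.update(b * (len(pw) // 64) + b[: len(pw) % 64])
    n = len(pw)
    while n > 0:                                   # one block per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()

    dp = hashlib.sha512(pw * len(pw)).digest()     # P: password stretched to len(pw)
    p = (dp * (len(pw) // 64 + 1))[: len(pw)]
    ds = hashlib.sha512(salt * (16 + a[0])).digest()  # S: salt stretched to len(salt)
    s = (ds * (len(salt) // 64 + 1))[: len(salt)]

    c = a
    for i in range(r):                             # the expensive part: r rounds
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()

    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in _TRIPLES)
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" + (f"rounds={r}$" if rounds is not None else "")
    return prefix + salt.decode() + "$" + enc


def verify(password, hashed):
    """Constant-time check of a password against an existing '$6$' hash."""
    m = HASH_RE.match(hashed)
    if not m:
        return False
    rounds = int(m.group(2)) if m.group(2) else None
    return secrets.compare_digest(sha512_crypt(password, m.group(3), rounds), hashed)


def crypt_from_registered(result):
    """Extract the hash from a `register:`ed command result the way the user
    module needs it: the .stdout string, validated as a real sha512-crypt hash.
    Raises ValueError for the whole-dict mistake and for masked ('****') output."""
    if not isinstance(result, dict) or "stdout" not in result:
        raise ValueError("expected a registered command result with a 'stdout' key")
    value = result["stdout"].strip()
    if not HASH_RE.match(value):
        raise ValueError("stdout is not a sha512-crypt hash: %r" % value)
    return value


# Constructed sample of what `register: passwd` yields for the shell task above.
SAMPLE_RESULT = {"changed": True, "rc": 0, "stderr": "",
                 "stdout": sha512_crypt("example-only", new_salt())}

if __name__ == "__main__":
    print(crypt_from_registered(SAMPLE_RESULT))
```

Drop `crypt_from_registered` into a small filter plugin or run it from a `vars_prompt`-driven play and the "input password appears not to have been hashed" failure in the original post becomes a clear error at the point where the value is produced, rather than inside the user module.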