I wrote a playbook to change root password on a host.
I create a password by pwgen, then get hash by mkpasswd and this hash is used as ‘password’ for root
After changing I can’t log in by root, but if I write the same hash in /etc/shadow by myself or change the password by passwd I can log in with no problems
What could be wrong?
Ubuntu 22.04
Hi,
Could you share your playbook as well ? I’d especially like to see how you pass your password hash to user module’s password param.
Hi, here’s the code from bash script
pwgen -s -r "OoLlIi0" 20 1 > {$firstname}creds.txt
mkpasswd --method=yescrypt 'echo "{$firstname}creds.txt"' > passhash
read passhash <"passhash"
echo "host ansible_host=$host ansible_user=$usr ansible_sudo_pass=$pass username=$firstname hostname=$hostname passhash=$passhash" > $PWD/ansible/inventory
Ansible task:
- name: Changing root password
user:
name: root
password: "{{ passhash }}"
update_password: always
I won’t question your bash script as you said the pass hash works if you edit /etc/shadow manually, though there still could be an EOL / EOF issue like a trailing CR or newline (on that note, you should probably use echo -n flag when reading your creds file to remove a potential newline).
I see you defined you var ‘passhash’ in your inventory, but I don’t know for sure you’re either using this inventory file when you call your playbook, or if you target the correct host in your play. So just to be sure, could you run this command and confirm you see your var’s value (also with no trailing \n): ansible -i <yourInventoryFilePath> -m debug -a "var=passhash"