Hash password filter

Hello,

SUMMARY

When I tried to apply a filter on the password variable, Traefik BasicAuth rejected the password.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.12
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/fred/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/fred/devops/lib/python3.6/site-packages/ansible
executable location = /home/fred/devops/bin/ansible
python version = 3.6.9 (default, Jul 17 2020, 12:50:27) [GCC 8.4.0]

CONFIGURATION
Empty
OS / ENVIRONMENT

Ubuntu 18.04
venv python3.8

STEPS TO REPRODUCE

A part of my playbook:

username_auth: admin
user_password: hello
#user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="
#user_combinehash: "admin:$$apr1$$2mYRX92I$$udcUHex5PBj4vMOVHRWiD."
user_combinehash: "{{ username_auth }}:{{ user_password | hash('md5') }}"

A part of my role task:

labels:
- "traefik.http.routers.dashboard.rule=(PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.middlewares=auth"
- "traefik.http.middlewares.auth.basicauth.users={{ user_combinehash }}"
EXPECTED RESULTS

The BasicAuth module of Traefik accepts my hashed password.

ACTUAL RESULTS

The playbook works, but when I tried to access the Traefik dashboard, access was denied; the password was not recognized.

When I use variable:
user_combinehash: "admin:{SHA}qvTGHdzF6KLavt4PO0gs2a6pQ00="
It works.

All others did not work. But I need to use the hash filter instead.

I tried with filter SHA1 and MD5

I already install python3-passlib

I’m sorry, I don’t understand where the problem is.
Thanks

Hi

It looks like someone told you "it needs to be hashed" and then you
applied the 'hash' filter with ansible.
But there are many subtleties when it comes to hashing, even more so
with password hashing, and yet more because applications may expect
something specific/dialect.
I have no idea what "Traefik" is - you should look at their docs,
those should tell you exactly what it expects.
However, given that you mentioned that the {SHA} style password works,
and you also mentioned "basicauth", it might be the "standard" LDAP
SHA1, so try that:

user_combinehash: "{{ username_auth }}:{{ user_password | hash('ldap_sha1') }}"

This is all part of the docs BTW
(https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html#hashing-filters).
Definitely read this:

"Hash types available depend on the master system running ansible,
‘hash’ depends on hashlib password_hash depends on passlib
(https://passlib.readthedocs.io/en/stable/lib/passlib.hash.html)."

Thanks for your answer.

Your advice of ldap_sha1 is not working.

Traefik is a reverse proxy, and their documentation mentions that it needs a SHA1 or MD5 hash.

I tried to hash the password in md5 or sha in the username_password variable, but it still does not work.

Looking at this:
https://github.com/ansible/ansible/issues/26322

Are you sure your config needs a simple string of a single user? It looks like it should be a list.

There are tips there on how to use bcrypt, I would try to get that to work as it’s more secure.

Solution:

pip3 install bcrypt

And in my task:

user_combinehash: "{{ username_auth }}:{{ user_password | password_hash('blowfish','1234567890123456789012') | regex_replace('\\$', '$$') }}"

Thanks again Dick!
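
The mismatch discussed in this thread, as an added example that is not code from any participant: Ansible's hash filter returns a bare hex digest, while the entry that worked is an htpasswd-style `{SHA}` value (base64 of the raw digest). The function names are hypothetical, and the recognized prefixes are the standard htpasswd ones, assumed here to be what Traefik's BasicAuth accepts.

```python
import base64
import hashlib
import re


def ansible_hash_filter(password, algo):
    """What hash('md5') / hash('sha1') yields: a bare hex digest (hashlib)."""
    return hashlib.new(algo, password.encode()).hexdigest()


def htpasswd_sha1(user, password):
    """htpasswd-style {SHA} entry: base64 of the raw SHA-1 digest, not hex."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def classify_entry(entry):
    """Name the hash scheme of a 'user:hash' entry, or flag it."""
    user, sep, hashed = entry.partition(":")
    if not (user and sep and hashed):
        return "malformed"
    hashed = hashed.replace("$$", "$")  # undo the label escaping of '$'
    if hashed.startswith("{SHA}"):
        return "sha1"
    if hashed.startswith("$apr1$"):
        return "apr1-md5"
    if re.match(r"^\$2[aby]\$\d\d\$", hashed):
        return "bcrypt"
    return "unrecognized"


def escape_for_label(entry):
    """Double every '$' so label interpolation leaves the hash intact."""
    return entry.replace("$", "$$")


if __name__ == "__main__":
    # Sample values: the password and entries shown in the thread.
    for entry in (
        "admin:" + ansible_hash_filter("hello", "md5"),
        htpasswd_sha1("admin", "hello"),
        "admin:$$apr1$$2mYRX92I$$udcUHex5PBj4vMOVHRWiD.",
    ):
        print(f"{classify_entry(entry):13} {entry}")
```

Running a check like `classify_entry` over the rendered `user_combinehash` before deploying catches a hex digest early, instead of at the first rejected login.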