I need to manage a password file with encrypted passwords in a style similar to htpasswd files. The files are read by libpam-pwdfile, which allows PAM authentication against arbitrary passwd-style files.
This could be managed by Ansible’s htpasswd module, except the lists of password hashes used by libpam-pwdfile and Apache are different. The only overlap between the lists is DES passwords (which is a weak hash); none of the stronger password hashes are common to both.
My PR adds the extra option, to select a custom list of hashes.
It would be possible to make a different change that suited my needs (and probably many others’) without adding the extra option, but with reduced functionality compared to the PR I’ve already done.
In that case, the crypt_scheme option could be extended to accept any hash supported by the underlying library (around 50 hashes) rather than the 4 currently supported. The module could then build a list of supported hashes including the one requested and the default 4 Apache ones.
You wouldn’t then be able to specify an arbitrary list of hashes to be supported in a particular password file, but that may not be a problem for most use cases.
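
The alternative described in the post (the requested scheme plus the four existing defaults), sketched as an added example that is not part of the original post or of the Ansible module. Scheme names follow passlib's naming; the function names and the sample file are constructed, and stored hashes are only recognized by format, not verified.

```python
import re

# The four schemes the module currently supports, in passlib naming.
APACHE_DEFAULTS = ["apr_md5_crypt", "des_crypt", "ldap_sha1", "plaintext"]
# Format prefix -> scheme name for a few common stored-hash formats.
PREFIXES = [("$apr1$", "apr_md5_crypt"), ("$1$", "md5_crypt"),
            ("$5$", "sha256_crypt"), ("$6$", "sha512_crypt"), ("{SHA}", "ldap_sha1")]
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt: 13 chars

def build_schemes(requested):
    """Requested scheme first, then the defaults, without duplicates."""
    return [requested] + [s for s in APACHE_DEFAULTS if s != requested]

def classify(stored):
    """Guess the scheme of a stored hash from its format alone."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    if DES_RE.match(stored):
        return "des_crypt"  # a 13-char plaintext value would also land here
    if stored.startswith(("$", "{")):
        return "unknown"    # some other tagged format not listed above
    return "plaintext"

def audit(text, requested):
    """Return (user, scheme, in_scheme_list, weak) per passwd-style entry."""
    schemes = build_schemes(requested)
    rows = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, stored = line.split(":", 2)[:2]
        scheme = classify(stored)
        weak = scheme in ("des_crypt", "plaintext")
        rows.append((user, scheme, scheme in schemes, weak))
    return rows

# Constructed sample file; the hash bodies are placeholders, not real digests.
SAMPLE = """\
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHBODY
bob:$apr1$CONSTRSALT$CONSTRUCTEDHASHBODY
carol:abCdEfGhIjKlM
dave:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASHBODY
"""

if __name__ == "__main__":
    for row in audit(SAMPLE, "sha512_crypt"):
        print(row)
```

With `sha512_crypt` requested, the `dave` entry falls outside the scheme list, which is the limitation the last paragraph of the post describes: one extra scheme per file rather than an arbitrary list.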