If I create a password hash using the following playbook and role:
PLAYBOOK:
- hosts: localhost
  tasks:
    - name: Call encrypt password role
      include_role:
        name: encrypt_password
      vars:
        oracle_passwd: "{{survey_password}}"
ENCRYPT_PASSWORD ROLE:
- debug:
    msg: "{{oracle_passwd}}"
- name: Encrypt oracle_passwd
  set_fact:
    encrypted_passwd: "{{ '{{oracle_passwd}}' | password_hash('sha512') }}"
- debug:
    msg: "{{encrypted_passwd}}"
- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{encrypted_passwd}}"
    update_password: always
    state: present
and call it via the following:
ansible-playbook encrypt_password.yml -v -e oracle_passwd=Password123
I get the following as output:
PLAY [localhost] *********************************************************

TASK [Gathering Facts] ***************************************************
ok: [localhost]

TASK [Call encrypt password role] ****************************************

TASK [encrypt_password : debug] ******************************************
ok: [localhost] => {
    "msg": "Password123"
}

TASK [encrypt_password : Encrypt oracle_passwd] **************************
ok: [localhost] => {"ansible_facts": {"encrypted_passwd": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"}, "changed": false}

TASK [encrypt_password : debug] ******************************************
ok: [localhost] => {
    "msg": "$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/"
}

TASK [encrypt_password : Change passwd for ansible] **********************
changed: [localhost] => {"append": false, "changed": true, "comment": "", "group": 1002, "home": "/home/ansible", "move_home": false, "name": "ansible", "password": "NOT_LOGGING_PASSWORD", "shell": "/bin/bash", "state": "present", "uid": 1001}

PLAY RECAP ***************************************************************
localhost : ok=5 changed=1 unreachable=0 failed=0
When I look in the shadow file, the hash is the same as the hash returned in Encrypt oracle_passwd:
[root@a-31be403l6wu0y home]# egrep ansible /etc/shadow
ansible:$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/:18148:0:99999:7:::
But the password I specified on the command line does not work when I try to log in using su.
from ansible.module_utils.basic import *
import crypt

def main():
    fields = {
        "plain_text_passwd": {"required": True, "type": "str"}
    }
    module = AnsibleModule(argument_spec=fields)
    passwd = crypt.crypt("(oracle_passwd)", crypt.mksalt(crypt.METHOD_SHA512))
    module.exit_json(changed=True, passwd=passwd)

if __name__ == "__main__":
    main()
- name: Set encrypted_password for user module using library
  encrypt_password:
    plain_text_passwd: "{{ plain_text_passwd }}"
  register: encrypted_passwd
  no_log: True
- debug:
    msg: "{{encrypted_passwd.passwd}}"
- name: Change passwd for ansible
  become: true
  user:
    name: ansible
    password: "{{ encrypted_passwd.passwd }}"
What's goofy is that if I take out the derived password hash ByVal and use a pre-derived hash from the command line in the ansible user command, it works perfectly. It also works if I shell out, make a Python call, and use the password hash from stdout (the same Python call as in the library above).
Has anyone seen this before?
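As an added example (not code from the original post or from Ansible), here is a standalone Python check that a generated SHA-512 crypt hash really matches the plaintext before it is handed to the user module, alongside what you get when the text that gets hashed is the literal string `{{oracle_passwd}}` rather than the variable's value. It assumes Python's crypt module (standard library through Python 3.12, removed in 3.13) on a glibc system; the function names and the parameter dict are mine.

```python
import hmac

try:
    import crypt  # stdlib on Python 3.12 and earlier; removed in Python 3.13
    HAVE_CRYPT = crypt.METHOD_SHA512 in crypt.methods
except ImportError:
    HAVE_CRYPT = False

# The hash the post's debug task printed (copied from the post above).
POSTED_HASH = ("$6$F1oK7CDbp3NitVZ4$jIU2nCawqECRXzjtZS0ihOh/Kf.VYPZuiziNXZTdjAw3"
               "yAIw3pbAu6OZMQbDC2iXssoyFjdlywAa.bVwLM7.3/")

def parse_sha512_crypt(hashed):
    """Split a $6$<salt>$<digest> string into (salt, digest); None if malformed."""
    parts = hashed.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "6":
        return None
    salt, digest = parts[2], parts[3]
    if not 1 <= len(salt) <= 16 or len(digest) != 86:
        return None
    return salt, digest

def hash_password(plain):
    """SHA-512 crypt with a fresh random salt, like password_hash('sha512')."""
    return crypt.crypt(plain, crypt.mksalt(crypt.METHOD_SHA512))

def hash_from_params(params):
    """What a custom module should hash: its parameter's value, not a literal."""
    return hash_password(params["plain_text_passwd"])

def verify_password(plain, hashed):
    """True only if re-hashing `plain` with the salt in `hashed` reproduces it."""
    if parse_sha512_crypt(hashed) is None:
        return False
    return hmac.compare_digest(crypt.crypt(plain, hashed), hashed)

def pitfall_demo(plain="Password123"):
    """Hash the real value and the literal text '{{oracle_passwd}}' (what a
    quoted string inside a Jinja {{ }} expression evaluates to); only the
    hash of the real value verifies against the plaintext."""
    from_value = hash_from_params({"plain_text_passwd": plain})  # constructed input
    from_literal = hash_password("{{oracle_passwd}}")
    return verify_password(plain, from_value), verify_password(plain, from_literal)

if __name__ == "__main__":
    if HAVE_CRYPT:
        print("value verifies, literal verifies:", pitfall_demo())
    else:
        print("crypt module unavailable on this interpreter")
```

Run the same verify_password() check against the hash you are about to deploy and the password you expect; if it returns False, the wrong text was hashed.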