rothkraut

Reputation: 133

Ansible password creation "The input password appears not to have been hashed"

I try to create a play that generates and sends a password for the root account for various hosts. It's supposed to be a different pw every time.

- name: Update Root password
  user:
    name: root
    update_password: always
    password: "{{ lookup( 'password', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"
  become: true

It creates a password and creates a file containing it at the desired path.

But this warning appears:

TASK [Update Root password] 
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
changed: [host]

I can't use the password to log in, because it's not able to send it. But how do I send the hashed password? I tried this:

- name: Update Root password
  user:
    name: root
    update_password: always
    password: "{{ lookup( 'password | password_hash('sha512')', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"
  become: true

But this always gives out an error:

fatal: [host]: FAILED! => {"msg": "template error while templating string: expected token ',', got 'sha512'. String: {{ lookup( 'password | password_hash('sha512')', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"}

I am not sure if it is done this way, but I didn't find anything online.

Also I am not sure if this gets me the result I hope for, because the password in the /ansible/credentials/hostname file should still be readable. These passwords are for local login, in case the server can't be reached via SSH (where we use key authentication). So it would be useless if the passwords in the files were hashed, as this would be too long to manually enter. Thanks for every answer!

Upvotes: 6

Views: 8649

Answers (1)

rothkraut

Reputation: 133

OK, so I did the following:

I added a variable to the vars.yml file

root_pass: "{{ lookup( 'password', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"

Now I can hash the pw in the play:

tasks:
  - name: Update Root user's Password
    user:
      name: root
      update_password: always
      password: "{{root_pass | password_hash('sha512')}}"

Upvotes: 5
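
An added example (not the poster's playbook) of the approach in the answer above as one play: the `password` lookup still writes the readable password to the credentials file on the control node, and only the value handed to the `user` module is hashed. The `hosts: all` target, the `root_pass_file` variable, the hostname-seeded salt and `no_log` are assumptions added here.

```yaml
# Added example; host group, variable names, salt and no_log are assumptions.
- hosts: all
  become: true
  vars:
    # Path and character set are the ones from the question. The lookup
    # argument is built by concatenation instead of nesting {{ }} inside a
    # Jinja2 string literal.
    root_pass_file: "/etc/ansible/credentials/{{ ansible_hostname }}"
    root_pass: "{{ lookup('password', root_pass_file + ' chars=ascii_letters,digits,punctuation length=21') }}"

  tasks:
    - name: Update root user's password
      user:
        name: root
        update_password: always
        # The filter is applied to the lookup's *result*, outside lookup(...).
        # Putting "| password_hash('sha512')" inside the quoted plugin name is
        # what produced "expected token ',', got 'sha512'": the inner single
        # quote ends the string early.
        #
        # Without a salt argument password_hash picks a random salt on every
        # run, so the task always reports "changed". A salt derived from the
        # hostname keeps the hash stable until the password file changes.
        password: "{{ root_pass | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}"
      # Keep the plaintext and the hash out of task output and logs.
      no_log: true
```

The credentials file holds the 21-character plaintext for console login, so access to `/etc/ansible/credentials/` on the control node should be restricted accordingly.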
