
module user doesn't accept encrypt password generated by ansible-vault?

Recently I used the 'user' module to create a user with a password provided in vars/main.yml

- name: Create pamuser
  user:
    name: pamuser
    password: "{{ pamuser_pass }}"
    groups: wheel
    append: yes
  tags: pamuser

Once I run the playbook, it gives me this warning

TASK [prerequisite : Create pamuser] *****************************************************************************
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.

Then I use the ansible-vault encrypt_string command to encrypt only the specific variable "pamuser_pass", replacing the plaintext with the vault password that ansible-vault gave me

Contents of /vars/main.yml

---
# vars file for prerequisite role
pamuser_pass: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              65643265346231613137396339303834396663383466636631646337303235306137386534396266
              3364333534616238396465626436376561323762303139620a376630643131323133336164373237
              64663332363233303032636638306566303034393137636533373332383334333439663930613232
              3737

Then I remove the current pamuser and re-run the playbook with the command

ansible-playbook playbook.yaml --tags "pamuser" --ask-pass -K --ask-vault-pass

Along with the running process, it still shows the warning

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
    module to work properly.

The outcome seems fine with id pamuser, but once I log in with ssh pamuser@example.com and enter the regular password, the password doesn't work. I can't log in with that pamuser.

Is there something that I missed?

You should be following one of the recommended ways mentioned here to provide the hash. It's not the general vault encryption in ansible. This is specific to the user module. Below is from the doc:

How do I generate encrypted passwords for the user module? Ansible ad-hoc command is the easiest option:

    ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'mysecretsalt') }}"

The mkpasswd utility that is available on most Linux systems is also a great option:

mkpasswd --method=sha-512

I have tried using the recommended ways and it is not working, could you please advise?

[user1@rhhost1 ~]$ ansible all -i localhost, -m debug -a "msg={{'hello' | password_hash('sha512','mysecretsalt')}}"
    localhost | SUCCESS => {
        "msg": "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
    }

[user1@rhhost1 ~]$ ansible rhhost2* -m user -a "name=user4 state=present home=/home/user4 shell=/bin/bash password=$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1" -b -K
    BECOME password:
    [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work
    properly.
    rhhost2.localnet.com | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": true,
        "comment": "",
        "create_home": true,
        "group": 1003,
        "home": "/home/user4",
        "name": "user4",
        "password": "NOT_LOGGING_PASSWORD",
        "shell": "/bin/bash",
        "state": "present",
        "system": false,
        "uid": 1003
    }

[user1@rhhost1 ~]$ ansible --version
    ansible 2.9.10
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/user1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3.6/site-packages/ansible
      executable location = /usr/bin/ansible
      python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
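
The warning in both posts means the value reaching the user module does not have the crypt(3) hash layout. The script below is an added example, not part of the original posts: it checks a string for the SHA-512 crypt layout and shows what the shell does to the `$6$...` string from the follow-up when it sits inside double quotes. The function names are hypothetical, and `mypassword` stands in for the plaintext that a vaulted variable decrypts to at run time.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the hash is the one shown in
# the follow-up post, 'mypassword' stands in for a decrypted vault plaintext.

# Succeeds only if $1 has the SHA-512 crypt(3) layout:
#   $6$[rounds=N$]<salt, 1-16 chars>$<86 chars>, alphabet ./0-9A-Za-z
looks_like_sha512_crypt() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$'
}

# Single quotes: the shell passes every '$' through untouched.
single_quoted() {
    printf '%s' '$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1'
}

# Double quotes: $6, $mysecretsalt and $tD6lGf9FdSWKyrGT7O are expanded as
# (empty) shell parameters, so only the tail after the first '/' survives.
# Runs in a subshell so the unset/set +u do not leak into the caller.
double_quoted() (
    set +u
    unset mysecretsalt tD6lGf9FdSWKyrGT7O
    printf '%s' "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
)

# Print a verdict next to the string that would be handed to the module.
report() {
    if looks_like_sha512_crypt "$1"; then
        printf 'hash      %s\n' "$1"
    else
        printf 'NOT hash  %s\n' "$1"
    fi
}

report "$(single_quoted)"
report "$(double_quoted)"
report 'mypassword'
```

In a playbook, the vaulted variable can stay encrypted at rest if the task hashes it at the point of use, for example `password: "{{ pamuser_pass | password_hash('sha512') }}"`.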
