模塊用戶不接受 ansible-vault 生成的加密密碼？

Question

最近我使用“用戶”模塊創建用戶，密碼在 vars/main.yml 中提供

- name: Create pamuser
  user:
    name: pamuser
    password: "{{ pamuser_pass }}"
    groups: wheel
    append: yes
  tags: pamuser

運行劇本后，它會給我這個警告

TASK [prerequisite : Create pamuser] *****************************************************************************
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.

然后我使用 ansible-vault encrypt_string 命令通過將明文替換為 ansible-vault 給我的保險庫密碼來僅加密特定變量"pamuser_pass"

/vars/main.yml 中的內容

---
# vars file for prerequisite role
pamuser_pass: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              65643265346231613137396339303834396663383466636631646337303235306137386534396266
              3364333534616238396465626436376561323762303139620a376630643131323133336164373237
              64663332363233303032636638306566303034393137636533373332383334333439663930613232
              3737

然后我刪除當前的 pamuser 並使用命令重新運行劇本

ansible-playbook playbook.yaml --tags "pamuser" --ask-pass -K --ask-vault-pass

伴隨着運行過程，還是顯示警告

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
    module to work properly.

使用 id pamuser 結果似乎很好，但是一旦使用 ssh pamuser@example.com 登錄，然后輸入常規密碼，密碼就不起作用了。 我無法使用那個 pamuser 登錄。

我錯過了什么嗎？

Answer 1

您應該遵循此處提到的推薦方法之一來提供 hash。 這不是 ansible 中的通用庫加密。 這是特定於用戶模塊的。 以下來自文檔：

如何為用戶模塊生成加密密碼？ Ansible ad-hoc 命令是最簡單的選項：

    ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512',
  'mysecretsalt') }}"

大多數 Linux 系統上可用的 mkpasswd 實用程序也是一個不錯的選擇：

mkpasswd --method=sha-512

Answer 2

我已經嘗試使用推薦的方法，但它不起作用，您能建議嗎？

[user1@rhhost1 ~]$ ansible all -i localhost, -m debug -a "msg={{'hello' | password_hash('sha512','mysecretsalt')}}"
    localhost | SUCCESS => {
        "msg": "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
    }

[user1@rhhost1 ~]$ ansible rhhost2* -m user -a "name=user4 state=present home=/home/user4 shell=/bin/bash password=$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1" -b -K
    BECOME password:
    [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work
    properly.
    rhhost2.localnet.com | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": true,
        "comment": "",
        "create_home": true,
        "group": 1003,
        "home": "/home/user4",
        "name": "user4",
        "password": "NOT_LOGGING_PASSWORD",
        "shell": "/bin/bash",
        "state": "present",
        "system": false,
        "uid": 1003
    }

[user1@rhhost1 ~]$ ansible --version
    ansible 2.9.10
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/user1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3.6/site-packages/ansible
      executable location = /usr/bin/ansible
      python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]