module user doesn't accept encrypted password generated by ansible-vault?
Recently I used the "user" module to create a user, with the password provided in vars/main.yml
- name: Create pamuser
  user:
    name: pamuser
    password: "{{ pamuser_pass }}"
    groups: wheel
    append: yes
  tags: pamuser
After running the playbook, it gives me this warning
TASK [prerequisite : Create pamuser] *****************************************************************************
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.
Then I used the ansible-vault encrypt_string command to encrypt only the specific variable "pamuser_pass", replacing the plain text with the vault password that ansible-vault gave me
Content of /vars/main.yml
---
# vars file for prerequisite role
pamuser_pass: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  65643265346231613137396339303834396663383466636631646337303235306137386534396266
  3364333534616238396465626436376561323762303139620a376630643131323133336164373237
  64663332363233303032636638306566303034393137636533373332383334333439663930613232
  3737
Then I deleted the current pamuser and re-ran the playbook with the command
ansible-playbook playbook.yaml --tags "pamuser" --ask-pass -K --ask-vault-pass
During the run, it still shows the warning
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.
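The result of id pamuser looks fine, but once I log in with ssh pamuser@example.com and type the regular password, the password doesn't work. I can't log in as that pamuser.
Am I missing something?
You should follow one of the recommended methods mentioned here to provide the hash. This is not the generic vault encryption in Ansible. It is specific to the user module. The following is from the documentation:
How do I generate encrypted passwords for the user module? The Ansible ad-hoc command is the easiest option: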
ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'mysecretsalt') }}"
The mkpasswd utility that is available on most Linux systems is also a great option:
mkpasswd --method=sha-512
I have tried using the recommended method, but it doesn't work. Can you advise?
[user1@rhhost1 ~]$ ansible all -i localhost, -m debug -a "msg={{'hello' | password_hash('sha512','mysecretsalt')}}"
localhost | SUCCESS => {
"msg": "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
}
[user1@rhhost1 ~]$ ansible rhhost2* -m user -a "name=user4 state=present home=/home/user4 shell=/bin/bash password=$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1" -b -K
BECOME password:
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work
properly.
rhhost2.localnet.com | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": true,
"comment": "",
"create_home": true,
"group": 1003,
"home": "/home/user4",
"name": "user4",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"system": false,
"uid": 1003
}
[user1@rhhost1 ~]$ ansible --version
ansible 2.9.10
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/user1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
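Added example, not part of the original posts: a shell sketch of why the session above still triggers the warning. Inside double quotes the shell expands `$6`, `$mysecretsalt` and `$tD6lGf9FdSWKyrGT7O` before ansible runs, so the module never receives the hash. `looks_like_sha512_crypt` and `double_quoted_password` are hypothetical helpers, and the shape check is a simplification, not Ansible's own test.

```shell
#!/bin/sh
# HASH is the value password_hash printed in the session above.
# Single quotes keep every '$' literal.
HASH='$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1'

# Hypothetical helper (not Ansible's own check): succeed only if $1 has the
# SHA-512 crypt shape  $6$<salt>$<86 characters from ./0-9A-Za-z>.
looks_like_sha512_crypt() {
    case $1 in
        '$6$'*'$'*) ;;
        *) return 1 ;;
    esac
    digest=${1##*\$}                       # text after the last '$'
    [ "${#digest}" -eq 86 ] || return 1
    case $digest in
        *[!./0-9A-Za-z]*) return 1 ;;
    esac
    return 0
}

# What a double-quoted command line hands to ansible: the shell substitutes
# $6, $mysecretsalt and $tD6lGf9FdSWKyrGT7O (all empty here) first.
double_quoted_password() {
    unset mysecretsalt tD6lGf9FdSWKyrGT7O  # unset, as in an ordinary login shell
    set --                                 # no positional parameters, so $6 is empty
    printf '%s' "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
}

# 'hello' is the plaintext from the session. A vault-encrypted variable is
# decrypted before the task runs, so the module likewise receives plaintext.
for candidate in "$HASH" "$(double_quoted_password)" 'hello'; do
    if looks_like_sha512_crypt "$candidate"; then
        verdict='hash'
    else
        verdict='NOT a hash'
    fi
    printf '%-10s %s\n' "$verdict" "$candidate"
done
```

Single-quoting the whole `-a` argument keeps the `$` characters literal, so the module receives the full `$6$...` string.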