Ansible password creation "The input password appears not to have been hashed"

I am trying to create a play that generates and sends a password for the root account for various hosts. It's supposed to be a different pw every time.

- name: Update Root password
  user:
    name: root
    update_password: always
    password: "{{ lookup( 'password', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"
  become: true

It creates a password and creates a file containing it at the desired path.

But this warning appears:

TASK [Update Root password] 
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.
changed: [host]

I can't use the password to log in, because it's not able to send it. But how do I send the hashed password? I tried this:

- name: Update Root password
  user:
    name: root
    update_password: always
    password: "{{ lookup( 'password | password_hash('sha512')', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"
  become: true

But this always gives an error:

fatal: [host]: FAILED! => {"msg": "template error while templating string: expected token ',', got 'sha512'. String: {{ lookup( 'password | password_hash('sha512')', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"}

I am not sure if it is done this way, but I didn't find anything online.

Also, I am not sure if this gets me the result I hope for, because the password in the /ansible/credentials/hostname file should still be readable. These passwords are for local login, in case the server can't be reached via SSH (where we use key authentication). So it would be useless if the passwords in the files were hashed, as these would be too long to enter manually. Thanks for every answer!



Solution 1:[1]

OK, so I did the following:

I added a variable to the vars.yml file

root_pass: "{{ lookup( 'password', '/etc/ansible/credentials/{{ansible_hostname}} chars=ascii_letters,digits,punctuation length=21') }}"

Now I can hash the pw in the play:

tasks:
  - name: Update Root user's Password
    user:
      name: root
      update_password: always
      password: "{{root_pass | password_hash('sha512')}}"
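
A variant of the approach above, as an added example that is not part of the original answer: the `password` lookup's own `encrypt=sha512_crypt` option returns the SHA-512 crypt hash to the play while the file on the control node keeps the clear-text password. The `cred_file` variable, the use of `inventory_hostname` and the `no_log` setting are assumptions of this example.

```yaml
---
# Added example: per-host root password that stays readable on the control
# node and reaches the managed host only as a SHA-512 crypt hash.
- hosts: all
  become: true
  vars:
    # Assumption: same directory as in the question. inventory_hostname is
    # used so the file name does not depend on gathered facts.
    cred_file: "/etc/ansible/credentials/{{ inventory_hostname }}"
  tasks:
    - name: Update root password
      user:
        name: root
        update_password: always
        # The lookup runs on the control node. It creates the file on first
        # use and reuses its contents on later runs. encrypt= only changes
        # the value returned to the play, not what is stored in the file.
        password: "{{ lookup('password', cred_file ~ ' chars=ascii_letters,digits,punctuation length=21 encrypt=sha512_crypt') }}"
      # Keep the hash out of task output and logs.
      no_log: true
```

With `encrypt`, the lookup also stores a `salt=` value after the password in the credentials file, so repeated runs return the same hash; only the part before ` salt=` is the password to type at the console.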

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 rothkraut