1

最近我使用“用户”模块创建用户,密码在 vars/main.yml 中提供

- name: Create pamuser
  user:
    name: pamuser
    password: "{{ pamuser_pass }}"
    groups: wheel
    append: yes
  tags: pamuser

一旦运行剧本,它就会给我这个警告

TASK [prerequisite : Create pamuser] *****************************************************************************
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.

然后我使用 ansible-vault encrypt_string 命令"pamuser_pass"通过将明文替换为 ansible-vault 给我的保险库密码来仅加密特定变量

/vars/main.yml 中的内容

---
# vars file for prerequisite role
pamuser_pass: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              65643265346231613137396339303834396663383466636631646337303235306137386534396266
              3364333534616238396465626436376561323762303139620a376630643131323133336164373237
              64663332363233303032636638306566303034393137636533373332383334333439663930613232
              3737

然后我删除当前的pamuser并使用命令重新运行剧本

ansible-playbook playbook.yaml --tags "pamuser" --ask-pass -K --ask-vault-pass

随着正在运行的进程,它仍然显示警告

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
    module to work properly.

id pamuser 的结果似乎很好,但是一旦使用 ssh pamuser@example.com 登录然后输入常规密码,密码就不起作用了。我不能用那个pamuser登录。

有什么我错过的吗?

4

2 回答 2

2

您应该遵循 此处提到的推荐方法之一来提供哈希。这不是 ansible 中的通用保险库加密。这是特定于用户模块的。以下来自文档:

如何为用户模块生成加密密码?Ansible ad-hoc 命令是最简单的选择:

    ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512',
  'mysecretsalt') }}"

大多数 Linux 系统上可用的 mkpasswd 实用程序也是一个不错的选择:

mkpasswd --method=sha-512
于 2020-05-07T19:03:52.687 回答
0

我已经尝试使用推荐的方法,但它不起作用,您能建议吗?

[user1@rhhost1 ~]$ ansible all -i localhost, -m debug -a "msg={{'hello' | password_hash('sha512','mysecretsalt')}}"
    localhost | SUCCESS => {
        "msg": "$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1"
    }

[user1@rhhost1 ~]$ ansible rhhost2* -m user -a "name=user4 state=present home=/home/user4 shell=/bin/bash password=$6$mysecretsalt$tD6lGf9FdSWKyrGT7O/h8DvbPso3lPDhYYxjmL.tInFSxnAAkjzRfMCew/.tVPkJMrSKhToVL2KUzKB9FMGWZ1" -b -K
    BECOME password:
    [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work
    properly.
    rhhost2.localnet.com | CHANGED => {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/libexec/platform-python"
        },
        "changed": true,
        "comment": "",
        "create_home": true,
        "group": 1003,
        "home": "/home/user4",
        "name": "user4",
        "password": "NOT_LOGGING_PASSWORD",
        "shell": "/bin/bash",
        "state": "present",
        "system": false,
        "uid": 1003
    }

[user1@rhhost1 ~]$ ansible --version
    ansible 2.9.10
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/user1/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python3.6/site-packages/ansible
      executable location = /usr/bin/ansible
      python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
于 2020-07-13T04:36:33.997 回答