I managed to create this workaround (but there seems to be an issue
with 'register' and 'changed_when' in the OpenBSD-specific 'user' module
task). It pre-encrypts the passwords in a preceding task.

Any comments?

j.

~~~
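---
# Creates the accounts listed in `users` (loaded from secret.yml, which the
# run below decrypts with --ask-vault-pass). The tasks read `name` and
# `password` from every entry.
- name: Testing adding users on OpenBSD and Linux with vault
  hosts: all
  become: true
  vars_files:
    - secret.yml
  tasks:
    # The cleartext goes to encrypt(1) on stdin rather than as an argument:
    # argv is readable by other local users through the process list while
    # the command runs, and the command module splits its free-form string
    # shell-style, so a password with spaces or quotes would be mangled.
    # encrypt(1) hashes one string per input line when no string argument is
    # given. `stdin` needs Ansible 2.4 or later.
    - name: Pre-encrypt passwords using Blowfish hashing
      command: encrypt -b a
      args:
        stdin: "{{ item.password }}"
      with_items: "{{ users }}"
      register: encpassword
      no_log: true
      # Hashing changes nothing on the host; a non-zero rc already fails the
      # task, so the old "rc != 0" test could never report a real change.
      changed_when: false
      when: ansible_distribution == "OpenBSD"
      tags: openbsd

    # Debug helpers, left disabled. Each entry of encpassword.results carries
    # the original `users` item, cleartext password included, so enabling the
    # first one prints secrets to the console and to any configured log.
    # - debug: var=encpassword
    # - debug: msg="item.item.name={{item.item.name}}, item.stdout={{item.stdout}}"
    #   with_items: "{{encpassword.results}}"

    # item.item is the `users` entry, item.stdout the hash produced above.
    # NOTE(review): encrypt(1) presumably salts every run, so the hash differs
    # each time and this task keeps reporting "changed"; the module's
    # `update_password: on_create` is the option to weigh if the password
    # should only be set when the account is created.
    - name: Create users from secret.yml on OpenBSD
      user:
        name: "{{ item.item.name }}"
        comment: "{{ item.item.name }} (ansible managed)"
        password: "{{ item.stdout }}"
      with_items: "{{ encpassword.results }}"
      when: ansible_distribution == "OpenBSD"
      no_log: true
      # XXX bug?
      # NOTE(review): probably not a bug - the user module's result does not
      # appear to include `rc` on every run, so the expression below can hit
      # an undefined variable. Confirm against the module's return values.
      # register: createusers
      # changed_when: "createusers.rc != 0"
      tags: openbsd

    # password_hash is a Jinja2 filter, so the hashing happens while the task
    # is templated and only the hash is handed to the user module.
    # Runs on every distribution except OpenBSD, not only Linux, despite the
    # tag name.
    # NOTE(review): no salt is passed to password_hash, so a fresh one is
    # likely generated per run and this task will also report "changed".
    - name: Create users from secret.yml
      user:
        name: "{{ item.name }}"
        comment: "{{ item.name }} (ansible managed)"
        password: "{{ item.password | password_hash('sha512') }}"
      no_log: true
      with_items: "{{ users }}"
      when: ansible_distribution != "OpenBSD"
      tags: linux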
~~~

~~~
$ ansible-playbook -i inventory --ask-vault-pass -l test_host test.yml 
Vault password:

PLAY [Testing adding users on OpenBSD and Linux with vault] ********************

TASK [setup] *******************************************************************
ok: [192.168.2.1]

TASK [Pre-encrypt passwords using Blowfish hashing] ****************************
ok: [192.168.2.1] => (item=(censored due to no_log))
ok: [192.168.2.1] => (item=(censored due to no_log))

TASK [Create users from secret.yml on OpenBSD] *********************************
changed: [192.168.2.1] => (item=(censored due to no_log))
changed: [192.168.2.1] => (item=(censored due to no_log))

TASK [Create users from secret.yml] ********************************************
skipping: [192.168.2.1] => (item=(censored due to no_log))
skipping: [192.168.2.1] => (item=(censored due to no_log))

PLAY RECAP *********************************************************************
192.168.2.1                : ok=3    changed=1    unreachable=0    failed=0
~~~
