0

I'm facing an issue while using Ansible 2.9.27 on RHEL 7 to automate my infrastructure, specifically when working with encrypted passwords in my tasks.

When utilizing the password option of the ansible.builtin.user module to provide an encrypted password, playbook runs fine but Ansible displays a message

[WARNING]: The input password appears not to have been hashed.

I generate the encrypted passwords using the password_hash filter in Jinja. Here's an example of the code I'm using:

- name: Create user with encrypted password
  ansible.builtin.user:
    name: user
    password: "{{ mypw | password_hash('sha512', mypw_salt) }}"

I store my variables in a separate file. Despite adhering to the correct syntax and guidelines, I haven't been able to resolve this.

Am I missing something?

U880D
  • 1,017
  • 2
  • 12
  • 18
sebelk
  • 682
  • 4
  • 13
  • 32
  • 1
    You 're missing the correct [syntax](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html#hashing-and-encrypting-strings-and-passwords) `{{ mypw | password_hash('sha512', mypw_salt) }}` – Vladimir Botka Jun 26 '23 at 21:32
  • @VladimirBotka Thanks I've copy-pasted bad, so I've edited, but the error is the same. – sebelk Jun 26 '23 at 21:35
  • I've tested same playbook on Fedora 38 (ansible-7.6.0-1.fc38.noarch) and it worked. I think that it's a version issue, but I can't I can't assert it emphatically. – sebelk Jun 26 '23 at 21:40

1 Answers1

0

In a setup with RHEL 7.9, Ansible 2.9.27, Python 2.7.5, I am not able to produce an issue. A minimal example playbook

---
- hosts: localhost
  become: true
  gather_facts: false

  vars:

    PASSWORD: TEST

  tasks:

  - name: Configure or update user
    user:
      name: "TestUser"
      password: "{{ PASSWORD | password_hash('sha512', 'salt') }}"

results into an output of

TASK [Configure or update user] ******
changed: [localhost]

Other Example

Just a note ...

When utilizing the password option of the ansible.builtin.user module to provide an encrypted password, playbook runs fine but Ansible displays ...

---
- hosts: localhost
  become: true
  gather_facts: false

  vars:

    PASSWORD: TEST

  tasks:

  - name: Configure or update user
    user:
      name: "TestUser"
      password: "{{ PASSWORD }}"

will result into an output of

TASK [Configure or update user] ******
[WARNING]: The input password appears not to have been hashed. ...

It is a WARNING message not an ERROR. It means you should provide the password hashed. Furthermore it is not possible to provide an encrypted password (string) without former decryption. See user module – Manage user accounts - Parameter password

If provided, set the user’s password to the provided encrypted hash (Linux) or plain text password (macOS).

Please take note about the fundamental difference between Hashing and Encryption algorithms.

U880D
  • 1,017
  • 2
  • 12
  • 18
  • 1
    your feedback is useful. It's weird why in my case it shows that warning. Your note it's not the case mentiones in my playbook. The password is AFAIK hashed by the jinja filter. Because of that, I don't understand why Ansible complains. – sebelk Jun 28 '23 at 02:23