0

I want to use Ansible to create users on my OS upon initialization of the instance. To do so I have a playbook in which I defined a role. In this role I have the following:

    - name: add users to local system
      user:
        name: "{{ item.username }}"
        password: "{{ item.password }}"
        uid: "{{ item.uid }}"
        group: "{{ item.group }}"
      with_items: "{{ Ansible_Vault_SecretsFile }}"

This way I can specify the details of the users (username, password, uid and group) in the different secrets files I have for different environments. The password in the secrets file is in plain text. Since it is written to /etc/shadow it needs to be hashed. Is there a way to automatically hash the password variable in this role?

Edit: To clarify further, I know the secrets file is encrypted, but the contents, in this case usernames and passwords, are decrypted before they are stored in the /etc/shadow file.

My secrets file looks like this:

    Ansible_Vault_SecretsFile:
      - username: user1
        password: MyPassword
        uid: 100
        group: users

      - username: user2
        password: MyPassword2
        uid: 101
        group: users

The role iterates through the secrets file and in this case creates two users. In the /etc/shadow file the passwords are stored as MyPassword and MyPassword2, but in order to log in those plaintext passwords need to be hashed. I'm looking for a way to do this automatically.

Tinuva

2 Answers

1

Here is the documentation for creating passwords. This will help you!

1. The mkpasswd utility that is available on most Linux systems is a great option:

    mkpasswd --method=sha-512

2. If this utility is not installed on your system (e.g. you are using OS X) then you can still easily generate these passwords using Python. First, ensure that the Passlib password hashing library is installed:

    pip install passlib

    python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"

Vijay Mohan
  • Thanks for your answer, I'm looking for a way to integrate this in my role. So my role creates a couple of users and the passwords recovered from the secrets file are hashed using one of your methods. – Tinuva May 17 '17 at 07:08
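
One way to do the hashing inside the role itself, shown as an added example that is not part of the original posts: Ansible's `password_hash` filter applied to the decrypted vault value. It reuses the question's variable names; the salt derivation via `random(seed=...)`, the use of `loop`, and `no_log` are choices made here, not something from the thread.

```yaml
# Added example, not from the thread.
# Assumes Ansible_Vault_SecretsFile is a list of dicts (username, password,
# uid, group) loaded from an ansible-vault encrypted vars file, as in the question.
- name: add users to local system
  user:
    name: "{{ item.username }}"
    # password_hash turns the plaintext into a crypt-style SHA-512 string
    # ($6$...), which is the form the user module writes to /etc/shadow.
    # The salt is derived from host + username so the resulting hash is the
    # same on every run; with a random salt the task would report "changed"
    # each time.
    password: >-
      {{ item.password
         | password_hash('sha512',
                         65534 | random(seed=inventory_hostname ~ item.username) | string) }}
    uid: "{{ item.uid }}"
    group: "{{ item.group }}"
  loop: "{{ Ansible_Vault_SecretsFile }}"
  # The loop item contains the decrypted password; keep it out of task
  # output and logs.
  no_log: true
```

The filter runs on the control machine, so where that machine's crypt implementation lacks SHA-512 (the OS X case mentioned in the answer), Passlib has to be installed there.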
0

If you create / encrypt the secret files with ansible-vault it isn't plain text.

gile
  • 1
    edited my main post, I know the secrets file is encrypted, but the contents are decrypted when you use them in this way. – Tinuva May 17 '17 at 07:03