在ansible中为linux用户幂等设置密码
在尝试使用模块在ansible中为linux用户幂等设置密码,ansible,Ansible,在尝试使用模块user管理用户密码时,我每次在执行playbook时都会收到更改密码的通知,这种行为不依赖于ansible版本(在所有主要的2.0-2.5版本上测试)、目标发行版(在稳定的CentOS、Debian和Ubuntu上测试)或update\u密码选项 - name: This is in vault in real playbook of course set_fact: testuser_password : '123456' - name: Manage test
userupdate\u密码- name: This is in vault in real playbook of course
set_fact:
testuser_password : '123456'
- name: Manage test user
user:
name: testuser
uid: 1001
state: present
password: "{{ testuser_password |password_hash('sha512')}}"
- name: This is in vault in real playbook of course
set_fact:
testuser_password : '123456'
- name: Check if user exists
shell: "getent shadow testuser | awk -F: '{ print $2}'"
changed_when: false
check_mode: false
register: userexists
- name: Get salt for existing password
shell: "getent shadow testuser | awk -F$ '{ print $3}'"
changed_when: false
check_mode: false
register: passwordsalt
when: userexists.stdout != ""
- name: Encrypt local password with salt
set_fact:
localsaltedpass: "{{ testuser_password |password_hash('sha512', passwordsalt.stdout )}}"
when: userexists.stdout != ""
- name: Update remote password
user:
name: "testuser"
uid: 1001
password: "{{ testuser_password |password_hash('sha512')}}"
when:
- userexists.stdout != ""
- userexists.stdout != localsaltedpass
- name: Create test user if it does not exist
user:
name: "testuser"
uid: 1001
state: present
password: "{{ testuser_password |password_hash('sha512')}}"
when: userexists.stdout == ""
虽然这种方法解决了这个问题,但对我来说并不太好。有没有办法以正确的方式对用户密码进行幂等管理?要使设置密码幂等,需要在password_hash函数中添加一个salt作为第二个参数,如下所示:
- name: This should be in a vault in real playbook of course
set_fact:
user_password: 'passw0rd'
user_salt: 'some_salt'
- name: Creating testuser
user:
name: "username"
password: "{{ user_password | password_hash('sha512', user_salt) }}"
state: present
shell: /bin/bash
update_password: on_create
非常感谢@向正确的方向推进。请注意,像下划线这样的特殊字符会导致:{“msg”:“crypt.crypt不支持'sha512_crypt'算法”} 所以现在,盐里没有下划线或其他特殊的字符 提到: 密码_散列可用的所有散列方案仅支持[./0-9A-Za-z]所述正则表达式范围内的字符 除此之外,盐的长度要求也有所不同: md5:0-8个字符 bcrypt:22个字符 sha256:0-16个字符
sha512:0-16个字符为什么不在你的剧本/保险库中储存盐?伙计,你真是个天才!非常感谢你朝着正确的方向踢了一脚。你能回答这个问题吗,这样我就可以把你的答案标记为正确答案了?有一个从@techraf删除的答案也有同样的想法。我会把它标记为取消删除。