On Aug 26, Julien Lecomte wrote:
> Hello

Hi, Julien.

> What I want to achieve is that the root password be the same on all my
> hosts, and that this value be read statically from my configuration
> such as:
>
>     root_account__password: foobar
>     root_account__password_update: True
>
> The playbook runs fine, and no errors occur, yet when trying to do a
> simple login with the password it doesn't work. The previous root
> password also no longer works.
> Luckily I don't lock myself out (sudo still works).
> What am I doing wrong?

The 'root_account__password' value is pasted "as-is" by Ansible in the
'/etc/shadow' "password" field. You can check the contents of '/etc/shadow'
on the host and see the 'foobar' value, which is incorrect.
To do what you want, you can either put the file with the password and salt in
the 'secret/' directory (better, more secure) and point the password lookup
plugin at it:
#v+
root_account__password: '{{ lookup("password", secret
                            + "/credentials/shared/root_account/password "
                            + "encrypt=sha512_crypt length=32") }}'
#v-
Remember that the file has the format:
#v+
<password> salt=<salt>
#v-
Check the existing root account passwords to see how they look.
Alternatively, if you want to keep the password and salt in the inventory
itself, you can use the 'password_hash' Ansible filter:
#v+
root_account__password: '{{ "foobar"
                            | password_hash("sha512",
                                (65534 | random(seed=inventory_hostname))
                                | string) }}'
#v-
This version will use the 'inventory_hostname' value as salt, so the passwords
in their hashed form are at least different on each host.
-- Maciej
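
A check for the symptom discussed in this message, as an added example that is not part of the original e-mail or of the project's code: it classifies the password field of shadow-format lines and flags a value such as a literal 'foobar' that is not a crypt hash. The function names and the sample lines are constructed for illustration, and only the `$1$`, `$5$` and `$6$` schemes are validated.

```python
import re

B64 = "[./0-9A-Za-z]"
# Modular crypt ids: name, maximum salt length, exact hash length.
SCHEMES = {"1": ("md5_crypt", 8, 22),
           "5": ("sha256_crypt", 16, 43),
           "6": ("sha512_crypt", 16, 86)}

def classify_field(field):
    """Classify the password (second) field of a shadow-format line."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")[1:]          # id, [rounds=N], salt, hash
        scheme = SCHEMES.get(parts[0])
        if scheme is None:
            return "unknown_scheme"           # e.g. yescrypt, not checked here
        name, max_salt, hash_len = scheme
        rest = parts[1:]
        if rest and re.fullmatch(r"rounds=\d+", rest[0]):
            rest = rest[1:]
        if (len(rest) == 2
                and re.fullmatch(B64 + "{0,%d}" % max_salt, rest[0])
                and re.fullmatch(B64 + "{%d}" % hash_len, rest[1])):
            return name
        return "malformed_hash"
    if re.fullmatch(B64 + "{13}", field):
        return "des_crypt"                    # legacy 13-character format
    return "not_a_hash"                       # e.g. plaintext pasted as-is

def audit_shadow(text):
    """Map each account name to the classification of its password field."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = classify_field(fields[1])
    return result

# Constructed sample; the 86-character hash body is filler, not a real hash.
SAMPLE = "\n".join([
    "root:foobar:19500:0:99999:7:::",
    "deploy:$6$Zm9vYmFyc2FsdA$" + "x" * 86 + ":19500:0:99999:7:::",
    "daemon:*:19500:0:99999:7:::",
])

if __name__ == "__main__":
    for user, verdict in audit_shadow(SAMPLE).items():
        print(user, verdict)
```
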