Tags: ansible, ansible-vault

user module doesn't accept an encrypted password generated by ansible-vault?


Recently I used the 'user' module to create a user with a password provided in vars/main.yml

- name: Create pamuser
  user:
    name: pamuser
    password: "{{ pamuser_pass }}"
    groups: wheel
    append: yes
  tags: pamuser

Once I run the playbook, it gives me this warning

TASK [prerequisite : Create pamuser] *****************************************************************************
[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.

Then I used the ansible-vault encrypt_string command to encrypt only the specific variable "pamuser_pass", replacing the plaintext with the vault output that ansible-vault gave me

contents in /vars/main.yml

---
# vars file for prerequisite role
pamuser_pass: !vault |
              $ANSIBLE_VAULT;1.1;AES256
              65643265346231613137396339303834396663383466636631646337303235306137386534396266
              3364333534616238396465626436376561323762303139620a376630643131323133336164373237
              64663332363233303032636638306566303034393137636533373332383334333439663930613232
              3737

Then I removed the current pamuser and re-ran the playbook with the command

ansible-playbook playbook.yaml --tags "pamuser" --ask-pass -K --ask-vault-pass

While running, it still shows the warning

[WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this
module to work properly.

The outcome seems fine according to id pamuser, but once I log in with ssh [email protected] and enter the regular password, the password doesn't work. I can't log in as pamuser.

Is there something that I missed?


Solution

  • You should be following one of the recommended ways mentioned here to provide the hash. It's not the general vault encryption in Ansible. This is specific to the user module. Below is from the doc:

    How do I generate encrypted passwords for the user module? Ansible ad-hoc command is the easiest option:

        ansible all -i localhost, -m debug -a "msg={{ 'mypassword' | password_hash('sha512', 'mysecretsalt') }}"
    

    The mkpasswd utility that is available on most Linux systems is also a great option:

    mkpasswd --method=sha-512
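Why the vault block did not help: ansible-vault only protects the value at rest, and at run time it decrypts back to the same plaintext, which the user module then writes into /etc/shadow as if it were already a crypt(3) hash (hence the warning and the failed login). The following is an added example, not code from the question, the answer or Ansible: a pure-Python implementation of the SHA-512 crypt(3) scheme ("$6$salt$hash") that both `password_hash('sha512', salt)` and `mkpasswd --method=sha-512` produce, plus a small `looks_hashed` check written in the spirit of the module's warning (an approximation of its heuristic, assumed here, not the module's own code). The sample plaintext "Secret123" is constructed for the demonstration.

```python
# Added example (not from the question or answer above, nor from Ansible).
# Implements the SHA-512 crypt(3) scheme per Drepper's SHA-crypt specification,
# i.e. what `password_hash('sha512', salt)` and `mkpasswd --method=sha-512` emit.
import hashlib
import re
import secrets

CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000  # crypt(3) default for $6$ when no rounds= is given
# Approximation (assumption) of the user module's check: a crypt(3) hash starts
# with "$<id>$"; "!" or "*" mark a locked account and are accepted as well.
CRYPT_HASH_RE = re.compile(r"^\$(1|5|6|2[abxy]|y)\$")


def _fill(digest: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest to exactly `length` bytes (spec steps 16 and 20)."""
    return digest * (length // 64) + digest[: length % 64]


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a "$6$salt$hash" string for `password`; salt is at most 16 chars."""
    pw = password.encode()
    salt = salt[:16]
    sb = salt.encode()
    # Digest B: password + salt + password.
    b = hashlib.sha512(pw + sb + pw).digest()
    # Digest A: password + salt, then B once per 64 password bytes plus the remainder.
    a = hashlib.sha512(pw + sb)
    a.update(_fill(b, len(pw)))
    # One update per bit of len(pw), lowest bit first: B for a 1-bit, password for a 0-bit.
    n = len(pw)
    while n > 0:
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    # P and S are derived once from the password and salt; the round loop uses only them.
    p = _fill(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _fill(hashlib.sha512(sb * (16 + a[0])).digest(), len(sb))
    c = a
    for r in range(rounds):  # the expensive part: thousands of chained digests
        d = hashlib.sha512(p if r & 1 else c)
        if r % 3:
            d.update(s)
        if r % 7:
            d.update(p)
        d.update(c if r & 1 else p)
        c = d.digest()
    # Encode the 64-byte result as 86 characters, 3 bytes at a time in the
    # spec's permuted order (bytes k, k+21, k+42 rotated by k mod 3).
    out = []
    for k in range(21):
        idx = [k, k + 21, k + 42]
        rot = k % 3
        b2, b1, b0 = idx[rot], idx[(rot + 1) % 3], idx[(rot + 2) % 3]
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        for _ in range(4):
            out.append(CRYPT_ALPHABET[w & 0x3F])
            w >>= 6
    w = c[63]
    for _ in range(2):
        out.append(CRYPT_ALPHABET[w & 0x3F])
        w >>= 6
    prefix = "$6$" if rounds == DEFAULT_ROUNDS else f"$6$rounds={rounds}$"
    return f"{prefix}{salt}${''.join(out)}"


def new_salt(length: int = 16) -> str:
    """Random salt from the crypt alphabet, as mkpasswd generates for you."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(length))


def looks_hashed(value: str) -> bool:
    """True when `value` is something the user module can write into /etc/shadow."""
    return bool(CRYPT_HASH_RE.match(value)) or value.startswith(("!", "*"))


if __name__ == "__main__":
    plaintext = "Secret123"  # constructed sample; a vault block decrypts to a value like this
    print("plaintext looks hashed:", looks_hashed(plaintext))
    hashed = sha512_crypt(plaintext, new_salt())
    print("hash looks hashed:", looks_hashed(hashed))
    print("put this in vars/main.yml as pamuser_pass:", hashed)
```

The string returned by `sha512_crypt` is what `pamuser_pass` has to hold; if it should not sit in the repository in the clear, run that hash (not the plaintext) through `ansible-vault encrypt_string`, since the module only ever sees the decrypted value.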