ansible创建用户时密码问题的踩坑记录

Posted 2020-11-22 h404z

在学习ansible的时候，设置新用户时遇到坑，比较隐蔽，一而再地中招，于是记录下

第一次，直接用明文

$ ansible dev -m user -a "name=Nick password=123"
 [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

192.168.90.3 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "comment": "",
    "create_home": true,
    "group": 1026,
    "home": "/home/Nick",
    "name": "Nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "system": false,
    "uid": 1026
}

看返回应该是成功创建了，但反复尝试登录发现不成功，肯定不是输错密码，没有留意到warning，不过上网查一下，发现不能直接传明文

第二次，openssl加密
参考 https://blog.csdn.net/qq_37208612/article/details/74298208

$ openssl passwd -salt -1 "123"
-1DhUWqz2JZqc

$ ansible dev -m user -a "name=Nick password=-1DhUWqz2JZqc"
 [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

192.168.90.3 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1026,
    "home": "/home/Nick",
    "move_home": false,
    "name": "Nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "uid": 1026
}

然而发现还是无法登录，加密了，为什么还不行，继续查下去

第三次，看到用python脚本加密的方式

参考 https://blog.csdn.net/weixin_33672109/article/details/91658947

$ python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"
Password:
$6$oCdGPgCR9sbikR36$IhTedtlBZTVUoLrtn8T5DZ6Os4rX.IRHMrAXrqnAqFqsLQnDxLdmAeKgGfxAsTQ4Rq57I7tTlvELtQCN27Sdm/

$ ansible dev -m user -a "name=Nick password=$6$oCdGPgCR9sbikR36$IhTedtlBZTVUoLrtn8T5DZ6Os4rX.IRHMrAXrqnAqFqsLQnDxLdmAeKgGfxAsTQ4Rq57I7tTlvELtQCN27Sdm/"
 [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

192.168.90.3 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "append": false,
    "changed": true,
    "comment": "",
    "group": 1026,
    "home": "/home/Nick",
    "move_home": false,
    "name": "Nick",
    "password": "NOT_LOGGING_PASSWORD",
    "shell": "/bin/bash",
    "state": "present",
    "uid": 1026
}

然而发现，还是无法登录，这就很水逆了。。。

通过查证发现密码并没有正确set进去

$ ansible dev -m shell -a "cat /etc/shadow | grep  Nick"
192.168.90.3 | CHANGED | rc=0 >>
Nick:.IRHMrAXrqnAqFqsLQnDxLdmAeKgGfxAsTQ4Rq57I7tTlvELtQCN27Sdm/:18225:0:99999:7:::

原因是$需要转义成$，然后就可以正常设置和登录了。

总结

# 1.获取密码的加密结果
$ python -c "from passlib.hash import sha512_crypt; import getpass; print(sha512_crypt.using(rounds=5000).hash(getpass.getpass()))"

# 2.把加密后的结果set进去，并记得转义
$ ansible dev -m user -a "name=Nick password=$6$oCdGPgCR9sbikR36$IhTedtlBZTVUoLrtn8T5DZ6Os4rX.IRHMrAXrqnAqFqsLQnDxLdmAeKgGfxAsTQ4Rq57I7tTlvELtQCN27Sdm/"

# 3.查询结果
$ ansible dev -m shell -a "cat /etc/shadow | grep  Nick"

# 4.删除用户
$ ansible dev -m user -a "name=Nick state=absent"