
Try to set a password randomly and create user with it:

vars:

users:
  - username: myuser
    password: "{{ 99999999999999 | random | to_uuid }}"

role:

- name: Add user accounts
  user:
    name: "{{ item.username }}"
    shell: /bin/bash
    groups: sudo,users,admin,adm,ubuntu
    password: '{{ item.password | password_hash("sha512") }}'
  become: true
  with_items: "{{ users }}"

- name: Store users' password in file
  copy:
    content: "{{ item.password }}"
    dest: /home/{{ item.username }}/password.txt
    mode: 0600
    owner: "{{ item.username }}"
  become: true
  with_items: "{{ users }}"

This is provisioned from an OS X Ansible workstation, and the instance the user account is provisioned on is an Ubuntu 14.04 instance.

These steps complete without error, and password.txt is created in the user's home folder and populated with a UUID string, which I would expect to be the password. There is also a sha512-like string added to /etc/shadow for the relevant user.

/home/myuser/password.txt:

df81ab5c-c06c-5a2c-b08a-28d52b3a2f6f

/etc/shadow:

myuser:$6$rounds=656000$YKieOBXtL6UKP0lO$5zgyi9D9tmbINkoDVL0EghbCCYInKdyPJ2UFnrDFLAQkB2x7sWBrjKS0uTySvcDGF6jUN1noMvaVD9jp/Dxx71:17193:0:99999:7:::

/var/log/auth.log after su myuser failure:

pam_unix(su:auth): authentication failure; logname=ubuntu uid=1000 euid=0 tty=/dev/pts/1 ruser=ubuntu rhost=  user=myuser
pam_authenticate: Authentication failure
FAILED su for myuser by ubuntu
- /dev/pts/1 ubuntu:myuser

The result however is that the password doesn't work with commands such as sudo -i as the user, or su myuser from another account.

I've read that OS X vs Linux can result in incompatible keys, but as far as I can tell one of the selling points of passlib (which password_hash('sha512') uses) is cross-platform compatibility.

Am I using these tasks/filters correctly or am I missing something?

DanH
  • There's a question mark in the post, however I don't really understand what the question is. – techraf Jan 26 '17 at 00:43
  • Hehe, OK, I'll rephrase, though the keywords are "doesn't work" :) – DanH Jan 26 '17 at 07:24
  • What OS? What do you mean by "the password doesn't work"? Did you somehow determine what the random value was and tried to login with it? How did you try to login? Is the user created? Does a valid hash show up in /etc/shadow for the new user? – GnP Jan 26 '17 at 18:36
  • @GnP good questions, updated – DanH Jan 27 '17 at 10:51
  • Thanks! Two more things, can you add the full /etc/shadow line for the user and the content for /var/log/auth.log when you try to login? – GnP Jan 27 '17 at 11:33
  • Everything looks good to me. Ansible and Python version? Oh, and the content of /etc/pam.d/common-password – GnP Jan 27 '17 at 14:42
  • 1
    On a second look, neither shadow(5) nor crypt(3) mention that rounds parameter... my mkpasswd doesn't add it and neither does my ansible... could you try this hash for that same password: $6$a1B0cXMrDXuUyF2X$lNOE6BciwSN46NqfVk6GP.Xpu8wSMqrjsJPkUSfbQnPPht/2JcdKwAzNPJF5PdhCQAdGuAm0yxmQyLE9eSFiY0 – GnP Jan 27 '17 at 14:52

1 Answer


I just wanted to throw this out there after working on it for 5 years and 9 months. :) I don't know if it had anything to do with the filter, but I have always installed the community.general collection from Galaxy and used this filter to generate passwords, and everything works perfectly. Again, 5 years after this question was asked.

---
  - name: Test
    hosts: localhost
    vars:
      username: "Jimmy"
      # lookup() must be inside {{ }} or the literal text would be used as the password
      password: "{{ lookup('community.general.random_string', base64=true) }}"
    tasks:
      - name: Add user accounts
        user:
          name: "{{ username }}"
          password: '{{ password | password_hash("sha512") }}'
        become: true
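The following playbook is an added example that serves both the question's vars/role tasks and the answer's snippet above; it is not code posted by DanH or by the answerer. The point it demonstrates: Ansible templates a `vars:` entry every time it is referenced, so an expression such as `{{ 99999999999999 | random | to_uuid }}` (or a `lookup()`) is a fresh draw at each use. When the same variable is referenced once for `password_hash` and once for `copy`, the hash in /etc/shadow and the plaintext in password.txt come from two different draws, and `su` fails exactly as shown in the auth.log above. The example draws each password once with `set_fact`, derives the hash from that frozen value, writes the same value to the user's file, and then asserts that the shadow entry holds byte-for-byte the hash it computed. The host group `servers`, the user list and the supplementary group `sudo` are assumptions.

```yaml
---
# Added example, not code from the question or the answer on this page.
# Assumptions: target hosts are in the group "servers", the user list is
# made up, and the group "sudo" exists on the target (it does on Ubuntu).
- name: Create users with random passwords and keep /etc/shadow and password.txt in agreement
  hosts: servers
  become: true
  vars:
    users:
      - username: myuser
      - username: deploy
  tasks:
    # A vars: entry is re-templated on every reference, so an inline random/lookup
    # expression is a new value each time it is used. set_fact evaluates the
    # expression once and stores the result; every later reference sees that string.
    # lookup('password', '/dev/null') generates without storing on the controller.
    - name: Draw each user's password exactly once and freeze it as a fact
      set_fact:
        user_passwords: "{{ user_passwords | default({}) | combine({item.username: lookup('password', '/dev/null', chars=['ascii_letters', 'digits'], length=24)}) }}"
      loop: "{{ users }}"
      no_log: true   # keep the plaintext out of the controller's output and logs

    - name: Hash the frozen plaintext once; this exact string is what goes into /etc/shadow
      set_fact:
        user_hashes: "{{ user_hashes | default({}) | combine({item.username: user_passwords[item.username] | password_hash('sha512')}) }}"
      loop: "{{ users }}"
      no_log: true

    - name: Add user accounts
      user:
        name: "{{ item.username }}"
        shell: /bin/bash
        groups: sudo
        append: true
        password: "{{ user_hashes[item.username] }}"
      loop: "{{ users }}"
      no_log: true

    - name: Store the same plaintext in the user's home directory
      copy:
        content: "{{ user_passwords[item.username] }}\n"
        dest: "/home/{{ item.username }}/password.txt"
        owner: "{{ item.username }}"
        group: "{{ item.username }}"
        mode: "0600"
      loop: "{{ users }}"
      no_log: true

    # Verification: the hash field of the shadow entry must equal the hash derived
    # from the plaintext written to password.txt. With the question's layout the two
    # artefacts come from different random draws and this assertion fails.
    - name: Read each account's shadow entry
      command: getent shadow {{ item.username }}
      register: shadow_entries
      changed_when: false
      loop: "{{ users }}"
      no_log: true

    - name: Assert that the shadow hash is the hash of the stored plaintext
      assert:
        that:
          - item.stdout.split(':')[1] == user_hashes[item.item.username]
        fail_msg: "shadow hash and password.txt disagree for {{ item.item.username }}"
        quiet: true
      loop: "{{ shadow_entries.results }}"
      loop_control:
        label: "{{ item.item.username }}"   # do not echo the shadow line in play output
```

Two caveats a practitioner would want. First, the `random` filter's `seed` parameter would also make the value stable across references, but a seeded value is reproducible by anyone who knows the seed, so it is the wrong tool for a secret; freezing one unseeded draw with `set_fact` keeps the randomness. Second, this play draws a new password on every run, so a re-run rotates every account's password; give `lookup('password')` a real path on the controller instead of `/dev/null` if the value must survive across runs, and keep `no_log: true` on every task that handles the plaintext.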