archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Allow 13 asterisk characters in password field without warning (#54893)

Browse Source 
On OpenBSD, 13 asterisk characters as a password hash, marks the
account as disabled. Otherwise daily(8) script which executes
security(8) will email operator about not properly locked accounts.

Before the diff, we see following warning:

> [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

After the diff, warning is gone.
pull/61790/head
kucharskim 5 years ago committed by ansibot
parent de826b437d
commit 1dea661ce8
3 changed files with 13 additions and 3 deletions
Show Stats Download Patch File Download Diff File

2
changelogs/fragments/openbsd-disabled-account-no-warning-for-passwd.yaml
Unescape Escape View File

@ -0,0 +1,2 @@
bugfixes:
- user - allow 13 asterisk characters in password field without warning

5
lib/ansible/modules/system/user.py
Unescape Escape View File

@ -93,6 +93,7 @@ options:
- Optionally set the user's password to this crypted value. - Optionally set the user's password to this crypted value.
- On macOS systems, this value has to be cleartext. Beware of security issues. - On macOS systems, this value has to be cleartext. Beware of security issues.
- To create a disabled account on Linux systems, set this to C('!') or C('*'). - To create a disabled account on Linux systems, set this to C('!') or C('*').
- To create a disabled account on OpenBSD, set this to C('*************').
- See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) - See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
for details on various ways to generate these password values. for details on various ways to generate these password values.
type: str type: str
@ -514,8 +515,8 @@ class User(object):
if self.module.params['password'] and self.platform != 'Darwin': if self.module.params['password'] and self.platform != 'Darwin':
maybe_invalid = False maybe_invalid = False
# Allow setting the password to * or ! in order to disable the account # Allow setting certain passwords in order to disable the account
if self.module.params['password'] in set(['*', '!']): if self.module.params['password'] in set(['*', '!', '*************']):
maybe_invalid = False maybe_invalid = False
else: else:
# : for delimiter, * for disable user, ! for lock user # : for delimiter, * for disable user, ! for lock user

9
test/integration/targets/user/tasks/main.yml
Unescape Escape View File

@ -105,11 +105,18 @@
password: '*' password: '*'
register: test_user_encrypt4 register: test_user_encrypt4
- name: there should be no warnings when setting the password to '!' and '*' - name: change password to '*************'
user:
name: ansibulluser
password: '*************'
register: test_user_encrypt5
- name: there should be no warnings when setting the password to '!', '*' or '*************'
assert: assert:
that: that:
- "'warnings' not in test_user_encrypt3" - "'warnings' not in test_user_encrypt3"
- "'warnings' not in test_user_encrypt4" - "'warnings' not in test_user_encrypt4"
- "'warnings' not in test_user_encrypt5"
when: ansible_facts.system != 'Darwin' when: ansible_facts.system != 'Darwin'

Write Preview
Loading…
Cancel
Save