[stable-2.9] Allow 13 asterisk characters in password field without warning (#54893)

On OpenBSD, 13 asterisk characters as a password hash mark the
account as disabled. Otherwise the daily(8) script, which executes
security(8), will email the operator about accounts that are not properly locked.

Before the diff, we see the following warning:

> [WARNING]: The input password appears not to have been hashed. The 'password' argument must be encrypted for this module to work properly.

After the diff, the warning is gone.
(cherry picked from commit 1dea661ce8)

Co-authored-by: kucharskim <mikolaj@kucharski.name>
pull/61818/head
kucharskim 5 years ago committed by Toshio Kuratomi
parent 3558d38b17
commit 4cc9ee950f

@ -0,0 +1,2 @@
bugfixes:
- user - allow 13 asterisk characters in password field without warning
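
Review bot: The changelog entry does not say which platform the 13-asterisk value is for, so a reader of the release notes cannot tell why it is special. Suggest wording it as "user - allow 13 asterisk characters in password field without warning (the OpenBSD disabled-account marker)".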

@ -93,6 +93,7 @@ options:
- Optionally set the user's password to this crypted value. - Optionally set the user's password to this crypted value.
- On macOS systems, this value has to be cleartext. Beware of security issues. - On macOS systems, this value has to be cleartext. Beware of security issues.
- To create a disabled account on Linux systems, set this to C('!') or C('*'). - To create a disabled account on Linux systems, set this to C('!') or C('*').
- To create a disabled account on OpenBSD, set this to C('*************').
- See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module) - See U(https://docs.ansible.com/ansible/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
for details on various ways to generate these password values. for details on various ways to generate these password values.
type: str type: str
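
Review bot: The added OpenBSD line gives the value only as a run of asterisks in `C('*************')`, which is hard to count by eye, and it does not say why this value is needed rather than `C('*')`. Suggest stating the count in words ("13 asterisks") and adding the reason from the commit message, that security(8) otherwise reports the account as not properly locked.
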
@ -514,8 +515,8 @@ class User(object):
if self.module.params['password'] and self.platform != 'Darwin': if self.module.params['password'] and self.platform != 'Darwin':
maybe_invalid = False maybe_invalid = False
# Allow setting the password to * or ! in order to disable the account # Allow setting certain passwords in order to disable the account
if self.module.params['password'] in set(['*', '!']): if self.module.params['password'] in set(['*', '!', '*************']):
maybe_invalid = False maybe_invalid = False
else: else:
# : for delimiter, * for disable user, ! for lock user # : for delimiter, * for disable user, ! for lock user
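
Review bot: In the changed membership test on `self.module.params['password']`, the 13-asterisk literal is easy to miscount and is accepted on every non-Darwin platform, while the documentation hunk presents it as the OpenBSD value. Suggest a named module-level constant (for example built as `'*' * 13`) with a comment that names OpenBSD, and either gating it on `self.platform` or saying in the comment that it is deliberately accepted everywhere. The `maybe_invalid = False` inside the branch also repeats the initialisation two lines above and could be dropped.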

@ -105,11 +105,18 @@
password: '*' password: '*'
register: test_user_encrypt4 register: test_user_encrypt4
- name: there should be no warnings when setting the password to '!' and '*' - name: change password to '*************'
user:
name: ansibulluser
password: '*************'
register: test_user_encrypt5
- name: there should be no warnings when setting the password to '!', '*' or '*************'
assert: assert:
that: that:
- "'warnings' not in test_user_encrypt3" - "'warnings' not in test_user_encrypt3"
- "'warnings' not in test_user_encrypt4" - "'warnings' not in test_user_encrypt4"
- "'warnings' not in test_user_encrypt5"
when: ansible_facts.system != 'Darwin' when: ansible_facts.system != 'Darwin'
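
Review bot: The new `test_user_encrypt5` case is only checked with `'warnings' not in test_user_encrypt5`, so the test would still pass if the task emitted no warning but also did not write the 13-asterisk value. Suggest adding an assertion on the registered result, such as `test_user_encrypt5 is changed`, since the preceding task sets the password to `'*'` and this one should therefore report a change.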
