From 4a1ae4083b6eb74e5c26cef18480c0ed61cbc02c Mon Sep 17 00:00:00 2001
From: Simon
Date: Wed, 10 Sep 2025 21:25:33 +0300
Subject: [PATCH 1/5] docs(user module) - Clarify behavior for invalid password hashes

---
 lib/ansible/modules/user.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py
index b81258153fd..902a24f2cd5 100644
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@@ -92,6 +92,11 @@ options:
 - B(Linux/Unix/POSIX:) Enter the hashed password as the value.
 - See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
 for details on various ways to generate the hash of a password.
+ - |
+ !!! Warning
+
+ If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
+ This typically breaks authentication but can be used intentionally to lock an account.
 - To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*').
 - To create an account with a locked/disabled password on OpenBSD, set this to V('*************').
 - B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions.

From 7acac155bf88046b3cbdbe4515a26caf2cc55ec6 Mon Sep 17 00:00:00 2001
From: Simon Chernyk
Date: Wed, 10 Sep 2025 22:00:18 +0300
Subject: [PATCH 2/5] Update lib/ansible/modules/user.py

Co-authored-by: Abhijeet Kasurde

---
 lib/ansible/modules/user.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py
index 902a24f2cd5..9a52cb59a49 100644
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@@ -92,11 +92,8 @@ options:
 - B(Linux/Unix/POSIX:) Enter the hashed password as the value.
 - See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
 for details on various ways to generate the hash of a password.
- - |
- !!! Warning
-
- If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
- This typically breaks authentication but can be used intentionally to lock an account.
+ - WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow). The module has no way to verify/validate the value.
+ This typically breaks authentication, but can be used intentionally to lock an account.
 - To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*').
 - To create an account with a locked/disabled password on OpenBSD, set this to V('*************').
 - B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions.

From 553aace50d0f0ae1f644967f44e55d80d1491d6e Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Wed, 10 Sep 2025 12:09:15 -0700
Subject: [PATCH 3/5] Apply suggestions from code review

---
 lib/ansible/modules/user.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py
index 9a52cb59a49..2e3772264d1 100644
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@@ -92,8 +92,9 @@ options:
 - B(Linux/Unix/POSIX:) Enter the hashed password as the value.
 - See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
 for details on various ways to generate the hash of a password.
- - WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow). The module has no way to verify/validate the value.
- This typically breaks authentication, but can be used intentionally to lock an account.
+ - "WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
+ The module has no way to verify/validate the value.
+ This typically breaks authentication, but can be used intentionally to lock an account."
 - To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*').
 - To create an account with a locked/disabled password on OpenBSD, set this to V('*************').
 - B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions.

From 643910552ae5abc09cc3bd599263611c4bafa84f Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Wed, 10 Sep 2025 12:18:32 -0700
Subject: [PATCH 4/5] Remove trailing space

---
 lib/ansible/modules/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py
index 2e3772264d1..ae4d13ad509 100644
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@@ -92,7 +92,7 @@ options:
 - B(Linux/Unix/POSIX:) Enter the hashed password as the value.
 - See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
 for details on various ways to generate the hash of a password.
- - "WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
+ - "WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
 The module has no way to verify/validate the value.
 This typically breaks authentication, but can be used intentionally to lock an account."
 - To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*').

From 66b9c8fbb5966fc06923e38c30e9a2631c982ffb Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Tue, 23 Sep 2025 08:28:28 -0700
Subject: [PATCH 5/5] Review request

Signed-off-by: Abhijeet Kasurde

---
 lib/ansible/modules/user.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/ansible/modules/user.py b/lib/ansible/modules/user.py
index ae4d13ad509..97b8bf2f715 100644
--- a/lib/ansible/modules/user.py
+++ b/lib/ansible/modules/user.py
@@ -92,9 +92,8 @@ options:
 - B(Linux/Unix/POSIX:) Enter the hashed password as the value.
 - See L(FAQ entry,https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#how-do-i-generate-encrypted-passwords-for-the-user-module)
 for details on various ways to generate the hash of a password.
- - "WARNING: If the value does not match a valid hash format, it is written directly to C(/etc/shadow).
- The module has no way to verify/validate the value.
- This typically breaks authentication, but can be used intentionally to lock an account."
+ - The value is written directly to C(/etc/shadow) without any validation. The module has no way to verify/validate the value.
+ This typically breaks authentication, but can be used intentionally to lock an account.
 - To create an account with a locked/disabled password on Linux systems, set this to V('!') or V('*').
 - To create an account with a locked/disabled password on OpenBSD, set this to V('*************').
 - B(OS X/macOS:) Enter the cleartext password as the value. Be sure to take relevant security precautions.
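Review bot: The added line `- The value is written directly to C(/etc/shadow) without any validation.` most likely overstates the gap: as far as I recall, user.py already runs a heuristic check (`check_password_encrypted`) that emits a warning when the value does not look like a crypt hash, so the module does inspect the value, it just does not reject it. If that holds, a wording such as `The module only performs a heuristic check and emits a warning when the value does not look like a hash; it never rejects or rewrites it, and the value is written as-is to C(/etc/shadow).` keeps the caution without contradicting the code. The companion sentence `The module has no way to verify/validate the value.` entered in PATCH 2/5 and was carried through 3/5 and 4/5, so the same correction applies to those hunks. For the locking use case, pointing readers at the dedicated `password_lock` option rather than at a deliberately malformed hash would be the safer recommendation, since an intentionally broken hash is indistinguishable from an operator mistake when the shadow file is later audited.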