我正在尝试在运行ubuntu-16.04 Xenial的流浪虚拟机上创建新用户deployer。用户创建似乎有效(用户名被添加到/etc/passwd)
$ cat /etc/passwd | grep deployer
deployer1:x:1001:1001::/home/deployer1:/bin/bash
deployer2:x:1002:1003::/home/deployer2:
deployer1000:x:1003:1004::/home/deployer1000:/bin/bash
deployershell:x:1004:1005::/home/deployershell:/bin/bash
但我无法直接通过ssh
$ ssh deployer@local-box-2
deployer@local-box-2's password:
Permission denied, please try again.
deployer@local-box-2's password:
Permission denied, please try again.
su deployer进行ssh后,也不会通过vagrant:
vagrant@local-box-2:~$ su deployer
Password:
su: Authentication failure
我尝试使用ad-hoc ansible命令创建用户:
$ ansible all -m user -a 'name=deployer group=admin update_password=always password=rawpass2 state=present shell=/bin/bash force=yes' -u vagrant -b -vvvv
local-box-2 | SUCCESS => {
"append": false,
"changed": true,
"comment": "",
"group": 1001,
"home": "/home/deployer",
"invocation": {
"module_args": {
"append": false,
"comment": null,
"createhome": true,
"expires": null,
"force": true,
"generate_ssh_key": null,
"group": "admin",
"groups": null,
"home": null,
"login_class": null,
"move_home": false,
"name": "deployer1",
"non_unique": false,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"remove": false,
"seuser": null,
"shell": "/bin/bash",
"skeleton": null,
"ssh_key_bits": 0,
"ssh_key_comment": "ansible-generated on local-box-2",
"ssh_key_file": null,
"ssh_key_passphrase": null,
"ssh_key_type": "rsa",
"state": "present",
"system": false,
"uid": null,
"update_password": "always"
},
"module_name": "user"
},
"move_home": false,
"name": "deployer",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"uid": 1001
}
并通过运行剧本
$ ansible-playbook local-box.yml
- name: Add 'deployer' user
hosts: local-box-2
gather_facts: false
remote_user: vagrant
become: true
become_method: sudo
become_user: root
tasks:
- remote_user: vagrant
become: true
become_method: sudo
become_user: root
group:
name: admin
state: present
- remote_user: vagrant
become: true
become_method: sudo
become_user: root
user:
name: deployer
groups: admin
append: yes
shell: /bin/bash
password: rawpass2
state: present
同样,两者都创建了用户,但显然没有人设置密码。
你的理由是什么?
稍后编辑:
显然,如果我将原始密码传递给哈希过滤器,那么我将能够使用(未哈希的)原始密码登录。我很想解释为什么会这样。
password: "{{ 'rawpass2' | password_hash('sha512') }}"
注意:的 此answer让我尝试使用过滤器。
答案 0 :(得分:0)
Ansible没有设置密码;问题在于密码如何在linux上运行。
linux用户密码以散列形式存储,明文不存储在系统的任何位置。当您登录密码时,您输入的内容将被哈希并与存储的值进行比较。
在ansible的用户创建过程中指定密码时,必须是已经哈希的表单,如问题中的文档链接所示。
如果你在创建用户的系统上查看/ etc / shadow,你会看到类似的东西(第二个字段是密码值):
deployer:rawpass2:17165:0:99999:7:::
显示您提供的字符串直接用作散列密码值。当然,当您尝试登录并指定rawpass2时,登录代码会对其进行哈希处理,并将其与存储的值进行比较,但它们并不匹配。这就是为什么你必须将已经散列的值传递给ansible。
答案 1 :(得分:0)
应该散列ansible用户密码。 https://github.com/ansible/ansible-examples/blob/master/language_features/user_commands.yml
请点击文档“http://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module”,以便在ansible中生成密码
- remote_user: vagrant
become: true
become_method: sudo
become_user: root
user:
name: deployer
groups: admin
append: yes
shell: /bin/bash
password: hass_value_of_rawpass2
state: present
创建rawpass2的哈希密码为例:
cmadmin@ansible:~$ mkpasswd --method=sha-512
Password: <rawpass2>
$6dsdwqrc3124JsO9gVJZUWa$sgKxTKz4RbZnIZIvhotWHAHQL1o3/V5LTrrEJCe9DDkTW3Daut.nIpU9Qa0kDWdMZSaxvV1