In my Ansible git repo I have a var file with contents like this:

    vault_users:
      alex:
        password: $6$PwhqORmvn$tXctAkh9RLs60ZFhn9Cxz/eLZEx1UhQkbDIoM6xWsk7M18TApDd9/b8CHJnEiaiQE2YJ8mqu6kvsGuImDt4dy/
      danny:
        password: $6$PwhqORmvn$tXctAkh9RLs60ZFhn9Cxz/eLZEx1UhQkbDIoM6xWsk7M18TApDd9/b8CHJnEiaiQE2YJ8mqu6kvsGuImDt4dy/
      gary:
        password: $6$PwhqORmvn$tXctAkh9RLs60ZFhn9Cxz/eLZEx1UhQkbDIoM6xWsk7M18TApDd9/b8CHJnEiaiQE2YJ8mqu6kvsGuImDt4dy/

Now I want to check whether the password hashes in this var file match the passwords in the /etc/shadow file on the remote server. I know I could mix Ansible with bash/python scripts to get what I want. What I would like to know is whether this can be done with pure Ansible playbooks (no bash/python scripts), using a lookup plugin or some other Ansible feature.
Answer 0 (score: 2)

You can use lineinfile to check whether a line would change: if the lineinfile module reports "changed", register the result and store it in another variable.

Unfortunately, because of this bug you cannot simply use with_items together with backrefs in the lineinfile module to check whether the string is valid, so I used a bit of an include hack.

So we have a playbook called playbook.yml and a task file called checkpasswords.yml; let me explain each.
    - hosts: localhost
      tasks:
        # execute checkpasswords.yml for each user in the vault_users dict
        # and pass each user (or item) as the {{ user }} variable to the included task
        - include: checkpasswords.yml user="{{ item }}"
          with_items: "{{ vault_users }}"
        - debug: msg="{{ changed_users|default([]) }}"
    - name: check for user and hash
      lineinfile:
        dest: /etc/shadow
        # anchored with ^ so that "alex" cannot match a line for "malex"
        regexp: '^{{ user }}:([^:]+):(.*)'
        # replace the line with user:hashed_password:everything_that_remains
        line: '{{ user }}:{{ vault_users[user].password }}:\2'
        state: present
        backrefs: yes
      register: u
    - name: changed users
      set_fact:
        # set changed_users to [] if not present and append [user]
        # when the user's password hash differs from the vault
        changed_users: "{{ changed_users|default([]) + [user] }}"
      when: u.changed
    vault_users:
      root:
        password: "nothing to see here"
      my_user:
        password: "nothing here"

I put the variables into a hashvars.yml file and changed the hashes for my_user and root in it. So the result of running this playbook looks like the output below; don't forget --check!

    ansible-playbook playbook.yml -e @hashvars.yml --check
    PLAY [localhost] ***************************************************************

    TASK [setup] *******************************************************************
    ok: [localhost]

    TASK [include] *****************************************************************
    included: /home/my_user/workspace/so/checkpasswords.yml for localhost
    included: /home/my_user/workspace/so/checkpasswords.yml for localhost

    TASK [check for user and hash] *************************************************
    changed: [localhost]

    TASK [changed users] ***********************************************************
    ok: [localhost]

    TASK [check for user and hash] *************************************************
    changed: [localhost]

    TASK [changed users] ***********************************************************
    ok: [localhost]

    TASK [debug] *******************************************************************
    ok: [localhost] => {
        "msg": [
            "my_user",
            "root"
        ]
    }

    PLAY RECAP *********************************************************************
    localhost                  : ok=8    changed=2    unreachable=0    failed=0
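As an added example (not part of the answer above), here is a read-only variant: the lineinfile approach only stays harmless under --check, since without it the task would actually overwrite the hashes in /etc/shadow. The getent module reads the shadow database into a fact without writing anything, so the same comparison can run in a normal play. It assumes the same vault_users dict (loaded with -e @hashvars.yml) and that become grants root, which reading shadow requires.

```yaml
# Added example: compare vault hashes against /etc/shadow without modifying it.
# Assumes vault_users is loaded (e.g. -e @hashvars.yml) and that become
# gives root, which getent needs in order to read the shadow database.
- hosts: all
  become: yes
  tasks:
    - name: read /etc/shadow into the getent_shadow fact (no write)
      getent:
        database: shadow

    - name: collect users whose stored hash differs from the vault hash
      set_fact:
        changed_users: "{{ changed_users | default([]) + [item] }}"
      # iterate over the dict keys, like with_items on a dict
      loop: "{{ vault_users | list }}"
      # getent_shadow[user] is the list of the remaining shadow fields;
      # index 0 is the hash. A user missing from shadow is reported as well.
      when: (getent_shadow.get(item, ['']) | first) != vault_users[item].password

    - name: report mismatched users (usernames only, never the hashes)
      debug:
        msg: "{{ changed_users | default([]) }}"

    - name: fail the play if any account is out of sync with the vault
      fail:
        msg: "password hashes differ for {{ changed_users | join(', ') }}"
      when: changed_users | default([]) | length > 0
```

Because nothing is written, the play can run unattended as a drift check, and the final task makes a mismatch visible as a failed run rather than a line in the debug output.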