使用Ansible在Vagrant框中創建Ubuntu用戶無法創建密碼

Question

我試圖在運行ubuntu-16.04 Xenial的流浪虛擬機上創建新用戶deployer。用戶創建似乎工作（用戶名添加到/etc/passwd）

$ cat /etc/passwd | grep deployer 
deployer1:x:1001:1001::/home/deployer1:/bin/bash 
deployer2:x:1002:1003::/home/deployer2: 
deployer1000:x:1003:1004::/home/deployer1000:/bin/bash 
deployershell:x:1004:1005::/home/deployershell:/bin/bash 

但是我無法不直接通過ssh登錄：

$ ssh deployer@local-box-2 
deployer@local-box-2's password: 
Permission denied, please try again. 
deployer@local-box-2's password: 
Permission denied, please try again. 

也不能通過su deployer與SSH-ING後現有用戶vagrant：

vagrant@local-box-2:~$ su deployer 
Password: 
su: Authentication failure 

我試着用兩個特設ansible命令來創建用戶：

$ ansible all -m user -a 'name=deployer group=admin update_password=always password=rawpass2 state=present shell=/bin/bash force=yes' -u vagrant -b -vvvv 


local-box-2 | SUCCESS => { 
    "append": false, 
    "changed": true, 
    "comment": "", 
    "group": 1001, 
    "home": "/home/deployer", 
    "invocation": { 
     "module_args": { 
      "append": false, 
      "comment": null, 
      "createhome": true, 
      "expires": null, 
      "force": true, 
      "generate_ssh_key": null, 
      "group": "admin", 
      "groups": null, 
      "home": null, 
      "login_class": null, 
      "move_home": false, 
      "name": "deployer1", 
      "non_unique": false, 
      "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", 
      "remove": false, 
      "seuser": null, 
      "shell": "/bin/bash", 
      "skeleton": null, 
      "ssh_key_bits": 0, 
      "ssh_key_comment": "ansible-generated on local-box-2", 
      "ssh_key_file": null, 
      "ssh_key_passphrase": null, 
      "ssh_key_type": "rsa", 
      "state": "present", 
      "system": false, 
      "uid": null, 
      "update_password": "always" 
     }, 
     "module_name": "user" 
    }, 
    "move_home": false, 
    "name": "deployer", 
    "password": "NOT_LOGGING_PASSWORD", 
    "shell": "/bin/bash", 
    "state": "present", 
    "uid": 1001 
} 

，並通過運行一個劇本

$ ansible-playbook local-box.yml 

- name: Add 'deployer' user 
    hosts: local-box-2 
    gather_facts: false 
    remote_user: vagrant 
    become: true 
    become_method: sudo 
    become_user: root 
    tasks: 
    - remote_user: vagrant 
     become: true 
     become_method: sudo 
     become_user: root 
     group: 
     name: admin 
     state: present 
    - remote_user: vagrant 
     become: true 
     become_method: sudo 
     become_user: root 
     user: 
     name: deployer 
     groups: admin 
     append: yes 
     shell: /bin/bash 
     password: rawpass2 
     state: present 

同樣，兩種創建用戶，但顯然他們沒有設置密碼。

你的原因可能是什麼？

後來編輯：

很顯然，如果我通過了原始密碼散列過濾器，然後我就可以使用（非散列）原始密碼登錄。我很想解釋爲什麼是這樣的情況。

password: "{{ 'rawpass2' | password_hash('sha512') }}" 

注： 這answer給我的想法使用過濾器試試。

Answer 1

Ansible無法設置密碼;問題在於密碼如何在Linux上工作。

linux用戶密碼以散列形式存儲，明文不存儲在系統的任何位置。當你登錄你輸入的密碼被散列並與存儲值進行比較。

如果在用戶創建過程中指定了一個密碼，它必須是已經散列的形式，正如您的問題中的文檔鏈接所述。

如果你看一下你創建你會看到類似這樣的用戶系統上的/ etc/shadow文件（第二個字段是密碼值）：

deployer:rawpass2:17165:0:99999:7:::

這表明你的您提供的字符串被直接用作散列密碼值。當然，當您嘗試登錄並指定rawpass2時，登錄代碼散列並將其與存儲的值進行比較，但它們不匹配。這就是爲什麼你必須將已經哈希的值傳遞給合理的。

Answer 2

應該對用戶密碼進行散列處理。https://github.com/ansible/ansible-examples/blob/master/language_features/user_commands.yml

請按照ansible

- remote_user: vagrant 
    become: true 
    become_method: sudo 
    become_user: root 
    user: 
    name: deployer 
    groups: admin 
    append: yes 
    shell: /bin/bash 
    password: hass_value_of_rawpass2 
    state: present 

文檔 「http://docs.ansible.com/ansible/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module」 進行了密碼生成要創建rawpass2的哈希密碼爲例：

 cmadmin@ansible:~$ mkpasswd --method=sha-512 
    Password: <rawpass2> 
$6dsdwqrc3124JsO9gVJZUWa$sgKxTKz4RbZnIZIvhotWHAHQL1o3/V5LTrrEJCe9DDkTW3Daut.nIpU9Qa0kDWdMZSaxvV1