Join Log in
Score:0
avatar Server

Ansible: [WARNING]: The input password appears not to have been hashed

bq flag
sebelk

I'm facing an issue while using Ansible 2.9.27 on RHEL 7 to automate my infrastructure, specifically when working with encrypted passwords in my tasks.

When utilizing the password option of the ansible.builtin.user module to provide an encrypted password, playbook runs fine but Ansible displays a message

[WARNING]: The input password appears not to have been hashed.

I generate the encrypted passwords using the password_hash filter in Jinja. Here's an example of the code I'm using:

- name: Create user with encrypted password
  ansible.builtin.user:
    name: user
    password: "{{ mypw | password_hash('sha512', mypw_salt) }}"

I store my variables in a separate file. Despite adhering to the correct syntax and guidelines, I haven't been able to resolve this.

Am I missing something?

287
1 + 3
br flag
Vladimir Botka
You 're missing the correct [syntax](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html#hashing-and-encrypting-strings-and-passwords) `{{ mypw | password_hash('sha512', mypw_salt) }}`
1
Reply
bq flag
sebelk
@VladimirBotka Thanks I've copy-pasted bad, so I've edited, but the error is the same.
0
Reply
bq flag
sebelk
I've tested same playbook on Fedora 38 (ansible-7.6.0-1.fc38.noarch) and it worked. I think that it's a version issue, but I can't I can't assert it emphatically.
0
Reply
Score:0
U880D avatar Server
ca flag
U880D

In a setup with RHEL 7.9, Ansible 2.9.27, Python 2.7.5, I am not able to produce an issue. A minimal example playbook

---
- hosts: localhost
  become: true
  gather_facts: false

  vars:

    PASSWORD: TEST

  tasks:

  - name: Configure or update user
    user:
      name: "TestUser"
      password: "{{ PASSWORD | password_hash('sha512', 'salt') }}"

results into an output of

TASK [Configure or update user] ******
changed: [localhost]

Other Example

Just a note ...

When utilizing the password option of the ansible.builtin.user module to provide an encrypted password, playbook runs fine but Ansible displays ...

---
- hosts: localhost
  become: true
  gather_facts: false

  vars:

    PASSWORD: TEST

  tasks:

  - name: Configure or update user
    user:
      name: "TestUser"
      password: "{{ PASSWORD }}"

will result into an output of

TASK [Configure or update user] ******
[WARNING]: The input password appears not to have been hashed. ...

It is a WARNING message not an ERROR. It means you should provide the password hashed. Furthermore it is not possible to provide an encrypted password (string) without former decryption. See user module – Manage user accounts - Parameter password

If provided, set the user’s password to the provided encrypted hash (Linux) or plain text password (macOS).

Please take note about the fundamental difference between Hashing and Encryption algorithms.

+ 1
bq flag
sebelk
your feedback is useful. It's weird why in my case it shows that warning. Your note it's not the case mentiones in my playbook. The password is AFAIK hashed by the jinja filter. Because of that, I don't understand why Ansible complains.
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.