Add filters to encrypt passwords "AIX-way"

[aklyachkin]

Is your feature request related to a problem? Please describe. Standard Ansible distribution includes filter to encrypt passwords - password_hash with some password hash algorithms like md5, blowfish, sha256 and sha512. All of them are Linux specific and don't work on AIX.

Describe the solution you'd like Include AIX specific password_hash filter with AIX encryption algorithms.

Something like:

- name: Create AIX user
  ibm.power_aix.user:
    name: user01
    password: "{{ password | ibm.power_aix.password_hash('sha512') }}"
    state: present

Describe alternatives you've considered As for now there is only one alternative. It is to use openssl command to generate AIX-compatible MD5 hashes:

- name: Create encrypted password
  ansible.builtin.command:
    cmd: "openssl passwd -aixmd5 {{ password }}"
  register: enc_password

- name: Set user's password
  ibm.power_aix.user:
    name: user01
    password: '{smd5}{{ enc_password.stdout_lines.0 }}'
    state: present

AIX-specific Blowfish, SHA256 and SHA512 are not implemented in OpenSSL and there are no tools available to encrypt passwords.

[nitismis]

Hi Andrey ! Good to listen from you. Thanks for the suggestion, we will prioritize this in the 3rd quarter of 2024. I will look into this.

[schamola]

Hi @aklyachkin ,

We confirmed with AIX security team: SHA256 and SHA512 are implemented in OpenSSL. Running 'openssl list -digest-algorithms' command, will list the supported algorithms.

[aklyachkin]

@schamola

this is the output from AIX 7.3 TL2 SP2 with OpenSSL 3.0.10.1002:

# openssl list -digest-algorithms
Legacy:
  RSA-MD4 => MD4
  RSA-MD5 => MD5
  RSA-MDC2 => MDC2
  RSA-RIPEMD160 => RIPEMD160
  RSA-SHA1 => SHA1
  RSA-SHA1-2 => RSA-SHA1
  RSA-SHA224 => SHA224
  RSA-SHA256 => SHA256
  RSA-SHA3-224 => SHA3-224
  RSA-SHA3-256 => SHA3-256
  RSA-SHA3-384 => SHA3-384
  RSA-SHA3-512 => SHA3-512
  RSA-SHA384 => SHA384
  RSA-SHA512 => SHA512
  RSA-SHA512/224 => SHA512-224
  RSA-SHA512/256 => SHA512-256
  RSA-SM3 => SM3
  BLAKE2b512
  BLAKE2s256
  id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
  id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
  id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
  id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
  MD4
  md4WithRSAEncryption => MD4
  MD5
  MD5-SHA1
  md5WithRSAEncryption => MD5
  MDC2
  mdc2WithRSA => MDC2
  ripemd => RIPEMD160
  RIPEMD160
  ripemd160WithRSA => RIPEMD160
  rmd160 => RIPEMD160
  SHA1
  sha1WithRSAEncryption => SHA1
  SHA224
  sha224WithRSAEncryption => SHA224
  SHA256
  sha256WithRSAEncryption => SHA256
  SHA3-224
  SHA3-256
  SHA3-384
  SHA3-512
  SHA384
  sha384WithRSAEncryption => SHA384
  SHA512
  SHA512-224
  sha512-224WithRSAEncryption => SHA512-224
  SHA512-256
  sha512-256WithRSAEncryption => SHA512-256
  sha512WithRSAEncryption => SHA512
  SHAKE128
  SHAKE256
  SM3
  sm3WithRSAEncryption => SM3
  ssl3-md5 => MD5
  ssl3-sha1 => SHA1
  whirlpool
Provided:
  { 1.3.6.1.4.1.1722.12.2.2.8, BLAKE2S-256, BLAKE2s256 } @ default
  { 1.2.156.10197.1.401, SM3 } @ default
  { 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
  { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
  { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
  { 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
  { 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ default
  { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
  { 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
  { 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
  NULL @ default
  { 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
  MD5-SHA1 @ default
  { 1.3.36.3.2.1, RIPEMD, RIPEMD-160, RIPEMD160, RMD160 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
  { 1.3.6.1.4.1.1722.12.2.1.16, BLAKE2B-512, BLAKE2b512 } @ default
  { 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ default
  { KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
  { KECCAK-KMAC-256, KECCAK-KMAC256 } @ default

• Which algorithms are compatible with AIX password encryption algorithms?
• Can you please provide an example how to do it?

[schamola]

@aklyachkin

SHA256 and SHA512 are supported, blowfish is not (being a weak cipher)

These commands can be used : For SHA256 - openssl passwd -5 {{ password }} For SHA512 - openssl passwd -6 {{ password }}

You can see this documentation for more information : https://www.openssl.org/docs/man3.0/man1/openssl-passwd.html

[aklyachkin]

@schamola

Then I must repeat one more time - these algorithms are not AIX-compatible - see my first message.

# openssl passwd -5 abc123
$5$lwYpVAaZesAfXwVx$7oletUGySVEHE2N9VTeh2xA66pQWpmAt6RwSeZtUpcA
# grep -p test /etc/security/passwd
test:
        password = {ssha256}$5$lwYpVAaZesAfXwVx$7oletUGySVEHE2N9VTeh2xA66pQWpmAt6RwSeZtUpcA
# tail -2 /var/log/auth.log
Jul 22 11:41:47 server auth|security:info syslog: ssh: failed login attempt for test from X.X.X.X

[schamola]

@aklyachkin In order to make them AIX compatible, the below AIX Web Download Pack needs to be downloaded and installed.. Post this, the steps followed above will work: https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=pwmod

I've tried it on my system and It's working:

On terminal 1:

Before changing the password, contents of /etc/security/passwd file:

test_user1: password = $5$MdvJluA05ToECSHB$dXZNKb9VrtA.qVtvYfPJKU6Fd1ogAWcF5ThcAKp3lO2 lastupdate = 1721719479

# openssl passwd -5 xyz123 $5$9jQYtNZRVlCdvFpU$Lrs2qUVPjNlpcGKIUJP6gqPMT58drB/uRpFodegpmM/

Post updating the password file:

# cat passwd | grep -p test_user1 test_user1: password = $5$9jQYtNZRVlCdvFpU$Lrs2qUVPjNlpcGKIUJP6gqPMT58drB/uRpFodegpmM/ lastupdate = 1721719479

On terminal 2:

ssh test_user1@------------------- test_user1@----------------------s password: .. .. ..

$ ifconfig usage: ifconfig -a [ -d ] [ -u ] [ af ] ifconfig -l [ -d ] [ -u ] ifconfig interface [ af [ address [ dest_addr ] ] [ netmask mask ] [ broadcast addr ] [ alias ] [ delete ] ] [ up ] [ down ] [ detach ] [ af first[alias] address [ ... ] ] [ site6 site_number ] [ metric n ] [ mtu n ] [ arp | -arp ] [ link0 | -link0 ] [ link1 | -link1 ] [ link2 | -link2 ] [ tcp_low_rto n | -tcp_low_rto ] [ inet6 scope n zone n ] ifconfig tap_interface [ create | destroy ] $

` I'm able to log in and get to the prompt

[schamola]

@aklyachkin

We tested using Ansible's builtin password_hash filter on our environment after downloading and installing the Web download pack, and it is working fine for us.

The mentioned package contains AIX Loadable Password Algorithm (LPA), which allows the system to recognise SHA-512 and SHA-256 passwords generated using the Linux-style hashing method.

Can you please verify if this is working as expected in your Ansible setup ?

Tasks and outputs from our environment

Task:

- name: Create AIX user
      ibm.power_aix.user:
        name: test_user1
        password: "{{ password | password_hash('sha512') }}"
        state: present

Ansible's output:

changed: [root@-----------------------] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "attributes": null,
            "change_passwd_on_login": false,
            "load_module": "files",
            "name": "test_user1",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "remove_homedir": true,
            "state": "present"
        }
    },
    "msg": "Username is created SUCCESSFULLY: test_user1\nPassword is set successfully for the user: test_user1"
}

Attempting to log into the system with the provided password:

schamola@mymachine % ssh test_user1@---------------------
test_user1@---------------------'s password: 
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 7.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
$ what /proc/version
/proc/version:
         _kdb_buildinfo unix_64 Apr 25 2023 10:32:22 2317A_73D
$ 

[nitismis]

@aklyachkin, a gentle reminder to verify the aforementioned process in your environment. It seems that it is a known issue and security team has already provided the fix.

[aklyachkin]

@nitismis sorry for the delay with the answer. I can accept it as a workaround. Sorry I didn't test it before and didn't write about it, because it is used by none of the customers I know. I accept that it works and thank you for the confirmation. Again - it is very good and usable workaround I forgot about.

Stiil I'd insist on using AIX original algorithms. AIX original algorithms are enabled by default in AIX 7.3 and delivered since AIX 5.3 TL9 afair. The Linux-compatible LPA module is delivered over AIX Webpack and is not part of the official distribution. IMNSHO it is not really purposeful to require that all customers who want to create users with Ansible must migrate to this module.

But it is your decision how to prioritise the feature and when to deliver it.

For those who'd find the issue with Google or interested on the workaround there is IBM Support's article about it: https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss

[nitismis]

@aklyachkin, I get your point and yes it's a workaround. I will discuss this with team and update you.

[nitismis]

We have informed this to security team and they will come up with the solution in AIX base itself. Holding this enhancement for now from ansible perspective. However, if someone wants to use the LPA module they can write task in their playbook to download and install the module.

[doharvey]

We have informed this to security team and they will come up with the solution in AIX base itself.

We also need user password reset to work with AIX 7.3 native hashing. you cannot ask us to implement AIX Loadable Password Algorithm (LPA) package on thousand of servers

[nitismis]

@doharvey ... I agree yeah we know it's a workaround but security team will come up with a solution.

[doharvey]

@doharvey ... I agree yeah we know it's a workaround but security team will come up with a solution.

If you change these lines to remove the -e switch, you can provide a clear text password, chpasswd will encrypt it.

https://github.com/IBM/ansible-power-aix/blob/45fe7976974150a3b3e760d29e3173e5bd342cd0/plugins/modules/user.py#L429-L432

[schamola]

Hi @aklyachkin @doharvey

AIX-Security team is checking how feasible it is to ship the LPA module with AIX itself.

you cannot ask us to implement AIX Loadable Password Algorithm (LPA) package on thousand of servers

From Ansible side, we can add the code for downloading and installing the LPA module from the user module itself, In that case, the process of implementing the LPA module on n number of systems will get automated.

Would this solution work for you guys ??