ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

htpasswd: change default crypt scheme, update documentation #5532

Open etienne-miralytik opened 1 year ago

etienne-miralytik commented 1 year ago

Summary

I'd like to suggest changing the default crypt scheme of the htpasswd module to something more secure than md5. Also, the documentation regarding crypt schemes looks outdated to me; bcrypt seems to work with Apache now.

Issue Type

Feature Idea

Component Name

htpasswd

Additional Information

My reason for this issue is a change by checkmk that deprecates the use of md5 hashes: https://checkmk.com/de/werk/14391

I was quite surprised that the htpasswd module still uses md5 hashes as default.

The current documentation also suggests that only "apr_md5_crypt, des_crypt, ldap_sha1, plaintext" work "with Apache or Nginx". That does seem outdated to me, since checkmk uses bcrypt and apache.

Here is the code that I now use, and it works fine:

- name: Ensure cmkadmin password
  community.general.htpasswd:
    path: "/omd/sites/{{ item.name }}/etc/htpasswd"
    name: cmkadmin
    password: "{{ item.cmkadmin_password }}"
    crypt_scheme: bcrypt
    owner: "{{ item.name }}"
    group: "{{ item.name }}"
    mode: "0640"
    state: present
  when: item.cmkadmin_password is defined
  loop: "{{ checkmk_server_sites }}"
  no_log: true

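To find entries that still use the older schemes named in the issue above, the following added example (not part of the issue and not code from the collection) classifies each line of an htpasswd file by the shape of its hash field. The function names, the sample data and the "weak" flags are assumptions of this example; the hash layouts are those written by Apache's htpasswd tool.

```python
import re

# Hash layouts as written by Apache's htpasswd tool, labelled with the scheme
# names quoted in the issue. The weak/ok flag is this example's own policy
# (assumption), not something defined by the module or by checkmk.
SCHEMES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), "bcrypt", False),
    (re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "apr_md5_crypt", True),
    (re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"), "ldap_sha1", True),
    # Caveat: a 13-character plaintext password has the same shape; both are weak.
    (re.compile(r"^[./A-Za-z0-9]{13}$"), "des_crypt", True),
]

def classify(hash_field):
    """Return (scheme_name, is_weak) for one htpasswd hash field."""
    for pattern, name, weak in SCHEMES:
        if pattern.match(hash_field):
            return name, weak
    # Anything else is plaintext or a scheme this example does not know.
    return "plaintext_or_unknown", True

def audit(text):
    """Return a list of (line_number, user, scheme, is_weak) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hash_field = line.partition(":")
        if not sep:
            findings.append((lineno, line, "malformed", True))
            continue
        findings.append((lineno, user) + classify(hash_field))
    return findings

# Constructed sample: the hash fields are filler strings in the right shape,
# not real hashes.
SAMPLE = "\n".join([
    "# constructed htpasswd sample",
    "cmkadmin:$2y$12$" + "a" * 53,
    "legacy:$apr1$saltsalt$" + "b" * 22,
    "old:{SHA}" + "c" * 27 + "=",
    "older:" + "d" * 13,
    "oops:hunter2",
])

if __name__ == "__main__":
    for lineno, user, scheme, weak in audit(SAMPLE):
        print(f"line {lineno}: {user}: {scheme} ({'REHASH' if weak else 'ok'})")
```

Because the file stores only hashes, flagged users have to be given a new password (for example through the task shown above with `crypt_scheme: bcrypt`) rather than converted in place.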

ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 1 year ago

cc @None