bugy
commented
1 year ago Hey, unfortunately it's not possible (in script server) to hide such a password based on input/output data.
You can try to work it around by creating a stdin parameter: https://github.com/bugy/script-server/wiki/Script-config#--pass_as And make this parameter https://github.com/bugy/script-server/wiki/Script-config#--secure
In this case the password will be read via a masked field and all its occurrences will be hidden in the output.
ojtimsen
When playing a playbook remotely, which requests via for the --ask-vault-pass parameter the password of a protected vault file the following warning appears and the entered password is wirtten out in plain and especially logged in the history files as well in plaintext.
`------------------------------------------- Run general_modules_plybk.yml via localhost ssh ansible@localhost ansible-playbook /opt/ansible/general_modules_plybk.yml --extra-vars "target_group=test" -t allow_ssh,telnet --ask-vault-pass /usr/lib/python3.10/getpass.py:91: GetPassWarning: Can not control echo on the terminal. passwd = fallback_getpass(prompt, stream) Warning: Password input may be echoed. Vault password: myPasswordInPlainsight
PLAY [test] ****
TASK [Gathering Facts] ***** ok: [test1]
TASK [general-modules : == Install TELNET] ***** ok: [test1]
PLAY RECAP ***** test1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
-------------------------------------------`
Usually when i.e. using commands like htpasswd in some scripts the output never shows the password neither is it logged in the history of the run itself. Maybe something to easily fix as from my perspective would love to get rid of plaintext password logging at this point too.
Thank you for considering and regards!