Closed ojtimsen closed 1 year ago
Hey, unfortunately it's not possible (in script server) to hide such a password based on input/output data.
You can try to work around it by creating a stdin parameter (https://github.com/bugy/script-server/wiki/Script-config#--pass_as) and making this parameter secure (https://github.com/bugy/script-server/wiki/Script-config#--secure).
In this case the password will be read via a masked field and all its occurrences will be hidden in the output.
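An added illustration (not script-server's own code and not part of the reply above) of the masking described there: every occurrence of a secure value is replaced in chunked process output before it reaches a log, including when the value is split across two reads. The class and function names and the sample chunks are constructed for this example.

```python
class SecretRedactor:
    """Masks secret values in a stream that arrives in arbitrary chunks."""

    def __init__(self, secrets, mask="*****"):
        # Longest first, so a secret that contains another one is masked whole.
        self.secrets = sorted((s for s in secrets if s), key=len, reverse=True)
        self.mask = mask
        # A secret split across reads leaves at most len-1 chars in the tail.
        self.keep = max((len(s) for s in self.secrets), default=1) - 1
        self.pending = ""

    def feed(self, chunk):
        """Return the text that is safe to log; hold back a possible prefix."""
        data = self.pending + chunk
        for secret in self.secrets:
            data = data.replace(secret, self.mask)
        cut = max(len(data) - self.keep, 0)
        self.pending = data[cut:]
        return data[:cut]

    def flush(self):
        """Emit the held-back tail once the process has exited."""
        out, self.pending = self.pending, ""
        return out


def redact_stream(chunks, secrets):
    """Redact an iterable of output chunks and return the loggable text."""
    redactor = SecretRedactor(secrets)
    out = "".join(redactor.feed(chunk) for chunk in chunks)
    return out + redactor.flush()


# Constructed sample: the echoed vault password is split across three reads.
SAMPLE_SECRET = "myPasswordInPlainsight"
SAMPLE_CHUNKS = [
    "Warning: Password input may be echoed.\nVault password: myPass",
    "wordInPlain",
    "sight\nPLAY [test] ****\n",
]

if __name__ == "__main__":
    print(redact_stream(SAMPLE_CHUNKS, [SAMPLE_SECRET]), end="")
```

A naive per-chunk `str.replace` would let all three sample chunks through unmasked, because none of them contains the whole value.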
Thank you for pointing this method out!
Indeed, in the historical files the password is now replaced with *****, while in the script output it is still passed in plaintext, but this is expected I guess. Anyway it ensures historical data / logs do not contain any password details.
Thanks again!
Worked for me, so I closed this ticket! Thank you again for the great work with this project!
When playing a playbook remotely which requests, via the --ask-vault-pass parameter, the password of a protected vault file, the following warning appears and the entered password is written out in plain text and, in particular, logged in the history files in plaintext as well.
```
-------------------------------------------
Run general_modules_plybk.yml via localhost
ssh ansible@localhost ansible-playbook /opt/ansible/general_modules_plybk.yml --extra-vars "target_group=test" -t allow_ssh,telnet --ask-vault-pass
/usr/lib/python3.10/getpass.py:91: GetPassWarning: Can not control echo on the terminal.
  passwd = fallback_getpass(prompt, stream)
Warning: Password input may be echoed.
Vault password: myPasswordInPlainsight

PLAY [test] ****

TASK [Gathering Facts] *****
ok: [test1]

TASK [general-modules : == Install TELNET] *****
ok: [test1]

PLAY RECAP *****
test1 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
-------------------------------------------
```
Usually, when using commands like htpasswd in some scripts, for example, the output never shows the password, nor is it logged in the history of the run itself. Maybe this is something easy to fix, as from my perspective I would love to get rid of plaintext password logging at this point too.
Thank you for considering and regards!