spurin / diveintoansible

Content for DiveInto.com's 'Dive Into Ansible' Course

Ansible Playbooks, Deep Dive/Looping/11 #18

Closed calvincantrell closed 2 years ago

calvincantrell commented 2 years ago

The Ansible code `password: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters,digits,hexdigits,punctuation') | password_hash('sha512') }}"` creates the password for the users, but how would you give that to them? You don't know what it generated. It would be better to change this to a real-world example, one where the user would be able to receive their password so they could log in. But since you are using SSH keys, they don't have to worry, but what if SSH keys were broken?

spurin commented 2 years ago

Thanks @calvincantrell

Great to hear from you. In this example, just to give some context and a look behind the scenes: when I was creating the lecture I found that some of the efforts later on didn't work, specifically because the users in question didn't have a password set. Hence the approach to fill in the necessary blanks here.

You are absolutely right, and in the real world maybe you'd want to expand this into a mechanism where the generated password is stored in some kind of vault or management system for initial user correspondence or retrieval.

In the lecture I said and mentioned SSH keys as the go-to, as I was looking here to actually promote positive practices.

In one of my first roles, back at Demon Internet in the era pre-2000, this was drilled into me, and typically SSH keys were promoted as the primary means of authentication vs the use of passwords. We'd have our workstations with local access and then would use keys for systems external to that. It's for these reasons that I've pushed SSH keys as the first-class citizen here over password authentication.

True that, if SSH keys were broken it's going to be a bit more challenging. Typically in these scenarios troubleshooting SSH often requires the use of escalated privileges to run sshd on isolated ports with debug ramped up (like we do in one of the end videos demonstrating sshd troubleshooting).

Anyhow, with this one, maybe we can turn the issue into an opportunity. It could be quite a good exercise for you from a learning viewpoint to capture this information and then, as you desire, write it to a file. Once you've got the information in a variable there's a world of opportunities for its use.

I'm always looking for opportunities to improve the course, so please let me know what you think.

calvincantrell commented 2 years ago

You are right. I have since found a way to store it in a variable. I'm new to Ansible but I'm learning, and your course is by far the best! Basically it equates to generating the password separately, storing that in a variable, and then using that variable in a `python -c` command to set the password, and you could optionally store the generated password in a vault like Ansible Vault and email the user their password too. I have not finished the course, so I did not get to the Ansible Vault part yet :) I only learned about it from another colleague.
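The approach described in the question and in the comment above (generate the password once, keep it in a variable, set it on the account, and retain a copy for handing over to the user) can be expressed as a single playbook. This is an added example, not part of the course or of this thread; the user name `example_user`, the inventory group `linux`, and the controller path `/root/initial-creds` are assumptions. It uses the `ansible.builtin.user` module's `password` parameter rather than a `python -c` command, and keeps the cleartext out of the Ansible output with `no_log`.

```yaml
---
# Added example (not from the course): create a user with a password that
# is generated once per host and recorded for one-time handover.
# Assumed: group 'linux', user 'example_user', path /root/initial-creds.
- name: Create a user with a retrievable initial password
  hosts: linux
  become: true
  vars:
    target_user: example_user            # assumed account name
    credential_dir: /root/initial-creds  # assumed path on the control node
  tasks:
    # Evaluate the lookup exactly once and keep the result in a variable;
    # '/dev/null' means a fresh password every run, so it must be captured here.
    - name: Generate the password once and keep it out of the logs
      ansible.builtin.set_fact:
        generated_password: "{{ lookup('password', '/dev/null', length=20, chars=['ascii_letters', 'digits', 'punctuation']) }}"
      no_log: true

    # Hash with SHA-512 for /etc/shadow; only set it when the account is first
    # created, so re-running the play does not rotate an existing password.
    - name: Create the account with the hashed password (only on creation)
      ansible.builtin.user:
        name: "{{ target_user }}"
        password: "{{ generated_password | password_hash('sha512') }}"
        update_password: on_create
        shell: /bin/bash
      no_log: true

    # The remaining tasks run on the control node, without privilege escalation.
    - name: Make sure the credential directory exists on the control node
      ansible.builtin.file:
        path: "{{ credential_dir }}"
        state: directory
        mode: '0700'
      delegate_to: localhost
      become: false
      run_once: true

    # Record the cleartext once, readable only by the operator running Ansible,
    # so it can be passed to the user (or encrypted with ansible-vault) and then removed.
    - name: Record the cleartext for one-time handover
      ansible.builtin.copy:
        content: "{{ inventory_hostname }} {{ target_user }} {{ generated_password }}\n"
        dest: "{{ credential_dir }}/{{ inventory_hostname }}-{{ target_user }}.txt"
        mode: '0600'
      delegate_to: localhost
      become: false
      no_log: true
```

Run it with `ansible-playbook create_user.yml` (assumed file name). The `password_hash` filter needs `passlib` or a usable `crypt` module on the control node. The recorded cleartext is meant to be short-lived: hand it over, or encrypt it with `ansible-vault encrypt_string` for storage, then delete the file.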

calvincantrell commented 2 years ago

Sorry James, I also meant to say you can close the issue or mark it resolved.

spurin commented 2 years ago

Thanks @calvincantrell, appreciate the discussion and understanding! Thanks for closing, and I hope you continue to enjoy the course. The vault section is covered in great detail and we do some stuff that maybe your colleagues will like, in particular how to use multiple named vaults, which isn't covered that well in the docs.