willhallonline / docker-ansible

Ansible inside Docker containers: Alpine, Ubuntu, Rocky & Debian with Ansible 2.16, 2.15, 2.14, 2.13, 2.12, 2.11, 2.10 and 2.9 + Mitogen
https://www.willhallonline.co.uk/project/docker/docker-ansible/
MIT License

Wrong 'password_hash' module result for 'bcrypt' algorithm using willhallonline/ansible:2.12-bullseye image #53

Closed vreitech closed 2 years ago

vreitech commented 2 years ago

I tried to use the 'password_hash' module in my playbook, and I got misbehavior when using the 'bcrypt' algorithm with the module.

Example playbook:

$ cat _test18.yml 
- hosts: all
  tasks:
  - name: get hash
    debug:
      msg: "{{ 'asdfasdf' | password_hash('bcrypt', rounds=10, ident='2a') }}"

Actual behavior: Hash value is not meaningful.

$ podman run --rm -it -v $(pwd):/ansible \
docker.io/willhallonline/ansible:2.12-bullseye \
bash -c 'ansible-playbook -l localhost _test18.yml'

PLAY [all] ********************************************************

TASK [Gathering Facts] ********************************************
ok: [localhost]

TASK [get hash] ***************************************************
ok: [localhost] => {
    "msg": "*0"
}

PLAY RECAP ********************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Expected behavior: Meaningful hash value (something that starts with $2a$10$).

Suggested solution to the problem: Installation of the python3-passlib package needs to be added to the Dockerfile. Adding this to the docker/podman run command solves the problem:

$ podman run --rm -it -v $(pwd):/ansible \
docker.io/willhallonline/ansible:2.12-bullseye \
bash -c 'apt-get -yq update; apt-get -yq install python3-passlib; ansible-playbook -l localhost _test18.yml'
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [164 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2592 B]
Fetched 8548 kB in 3s (3410 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
The following NEW packages will be installed:
  python3-passlib
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 368 kB of archives.
After this operation, 2097 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bullseye/main amd64 python3-passlib all 1.7.4-1 [368 kB]
Fetched 368 kB in 0s (1557 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package python3-passlib.
(Reading database ... 19434 files and directories currently installed.)
Preparing to unpack .../python3-passlib_1.7.4-1_all.deb ...
Unpacking python3-passlib (1.7.4-1) ...
Setting up python3-passlib (1.7.4-1) ...

PLAY [all] ********************************************************

TASK [Gathering Facts] ********************************************
ok: [localhost]

TASK [get hash] ***************************************************
ok: [localhost] => {
    "msg": "$2a$10$l0AJxfvJ34moWsRtJGeFR.fdDbwU60mmxEX6tV/OK6.dHHcPYfVDS"
}

PLAY RECAP ********************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Environment:

$ grep -P '^(NAME|VERSION)=' /etc/os-release 
NAME="Fedora Linux"
VERSION="36 (KDE Plasma)"
$ uname -a
Linux admin200 5.17.14-300.fc36.x86_64 #1 SMP PREEMPT Thu Jun 9 13:41:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ podman --version
podman version 4.1.0
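
A guard for the failure mode reported above, as an added example that is not part of the original issue or the project's code: it rejects `*0` (and `*1`, the other failure token that libxcrypt-style crypt() implementations return instead of a hash) and checks that a value has the bcrypt `$ident$cost$salt+digest` layout with the requested ident and rounds. The function name, the `SAMPLES` list and the third sample are constructed for illustration.

```python
import re

# bcrypt modular-crypt format: $<ident>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})"
)

# Failure tokens that crypt() implementations such as libxcrypt return
# when they reject the requested method or setting string.
CRYPT_FAILURE_TOKENS = {"*0", "*1"}


def check_bcrypt_hash(value, ident="2a", rounds=10):
    """Return (ok, reason) for a string that is supposed to be a bcrypt hash."""
    if not value:
        return False, "empty result"
    if value in CRYPT_FAILURE_TOKENS:
        return False, "crypt() failure token, not a hash"
    # fullmatch, so a trailing newline or extra characters are rejected too
    m = BCRYPT_RE.fullmatch(value)
    if m is None:
        return False, "not in bcrypt modular-crypt format"
    got_ident, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        return False, "cost %d outside bcrypt range 4..31" % cost
    if got_ident != ident:
        return False, "ident %r, expected %r" % (got_ident, ident)
    if cost != rounds:
        return False, "cost %d, expected %d" % (cost, rounds)
    return True, "ok"


# The two "msg" values shown in the issue, plus a constructed wrong-cost case.
SAMPLES = [
    "*0",
    "$2a$10$l0AJxfvJ34moWsRtJGeFR.fdDbwU60mmxEX6tV/OK6.dHHcPYfVDS",
    "$2a$04$l0AJxfvJ34moWsRtJGeFR.fdDbwU60mmxEX6tV/OK6.dHHcPYfVDS",  # constructed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_bcrypt_hash(sample)
        print("%-62s %s (%s)" % (sample, "OK" if ok else "REJECT", reason))
```

Running a check like this on the filter's output before it is written to a user database or configuration file stops a playbook from silently deploying `*0` in place of a password hash.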

pavelpikta commented 2 years ago

Hi @vreitech

Hashing and encrypting strings and passwords

If passlib is not installed then the crypt module is used; only if the crypt module cannot be used is the error triggered. Looking at the crypt module might reveal what the issue is.

willhallonline commented 2 years ago

My thinking is that python3-passlib as a package could be added if a user requires, but that it is not distinctly part of Ansible but rather using an external function? If it were a core part of either the ansible-core or ansible packages then it would be installed, however, it doesn't seem to be so?

Or, am I missing something and this is a core part of the build?

vreitech commented 2 years ago

As it is described on the filters page at https://docs.ansible.com/ansible/latest/user_guide/playbooks_filters.html: "Hash types available depend on the control system running Ansible, ‘hash’ depends on hashlib, password_hash depends on passlib. The crypt is used as a fallback if passlib is not installed." From this point of view python3-passlib doesn't look like a mandatory core component. And at the same time we are getting a wrong BCrypt hash value without passlib (i.e. using the crypt library).

willhallonline commented 2 years ago

So, are you suggesting that we leave it without, or is there a convincing argument that it should be included?

vreitech commented 2 years ago

Complicated. I used Google a bit to find some information about "ansible password_hash bcrypt". And all that I got was people who either had an error message about crypt.crypt not supporting the bcrypt algorithm or had some kinds of errors after the passlib package/module had been installed. Btw, I didn't get any information about someone getting a correct bcrypt hash without using passlib, but I didn't even try to find info about it, tbf. At the same time, adding the python3-passlib package "switches" the password_hash Ansible module to using passlib, which probably would break the behavior of people's playbooks (I don't believe in that, tbh).

I suggest it should not be included in the current images, but probably should be added to images which are based on future Ansible versions. Or maybe there should be versions of the images with passlib for each Linux distribution. Another way to handle the problem is to add installation of the passlib Python module through the ansible.builtin.pip module. I've tested it on your images, and beginning from version 2.12 it works on all Linux distributions.

Only one argument is still for adding the package to the container: it fixes the issue without the user having to add something like apt-get -y update && apt-get -y install python3-passlib. The counter-arguments were above. Personally, for me the problem is solved, thanks for the questions.

willhallonline commented 2 years ago

From what I understand, I will leave as is at the moment. But if needed in the future I might re-open it. Thanks for your explanations. 😸