I am trying to create an new user deployer on a vagrant virtual machine that runs ubuntu-16.04 Xenial. The user creation seems to work( the user names are added to /etc/passwd)
$ cat /etc/passwd | grep deployer
deployer1:x:1001:1001::/home/deployer1:/bin/bash
deployer2:x:1002:1003::/home/deployer2:
deployer1000:x:1003:1004::/home/deployer1000:/bin/bash
deployershell:x:1004:1005::/home/deployershell:/bin/bash
However I'm unable to login neither directly via ssh:
$ ssh deployer@local-box-2
deployer@local-box-2's password:
Permission denied, please try again.
deployer@local-box-2's password:
Permission denied, please try again.
nor via su deployer after ssh-ing with an existing user vagrant:
vagrant@local-box-2:~$ su deployer
Password:
su: Authentication failure
I've tried to create the user by using both the ad-hoc ansible commands:
$ ansible all -m user -a 'name=deployer group=admin update_password=always password=rawpass2 state=present shell=/bin/bash force=yes' -u vagrant -b -vvvv
local-box-2 | SUCCESS => {
"append": false,
"changed": true,
"comment": "",
"group": 1001,
"home": "/home/deployer",
"invocation": {
"module_args": {
"append": false,
"comment": null,
"createhome": true,
"expires": null,
"force": true,
"generate_ssh_key": null,
"group": "admin",
"groups": null,
"home": null,
"login_class": null,
"move_home": false,
"name": "deployer1",
"non_unique": false,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"remove": false,
"seuser": null,
"shell": "/bin/bash",
"skeleton": null,
"ssh_key_bits": 0,
"ssh_key_comment": "ansible-generated on local-box-2",
"ssh_key_file": null,
"ssh_key_passphrase": null,
"ssh_key_type": "rsa",
"state": "present",
"system": false,
"uid": null,
"update_password": "always"
},
"module_name": "user"
},
"move_home": false,
"name": "deployer",
"password": "NOT_LOGGING_PASSWORD",
"shell": "/bin/bash",
"state": "present",
"uid": 1001
}
and by running a playbook
$ ansible-playbook local-box.yml
- name: Add 'deployer' user
hosts: local-box-2
gather_facts: false
remote_user: vagrant
become: true
become_method: sudo
become_user: root
tasks:
- remote_user: vagrant
become: true
become_method: sudo
become_user: root
group:
name: admin
state: present
- remote_user: vagrant
become: true
become_method: sudo
become_user: root
user:
name: deployer
groups: admin
append: yes
shell: /bin/bash
password: rawpass2
state: present
Again, both create the users, but apparently none of them set the password.
What do you the cause might be?
Later Edit:
Apparently, if I pass the raw password to a hash filter then I will be able to login using the (unhashed) raw password. I would love an explaination on why that is the case.
password: "{{ 'rawpass2' | password_hash('sha512') }}"
Note: This answer gave me the idea to try using filters .
Ansible is not failing to set the password; the issue is in how passwords work on linux.
A linux user password is stored in a hashed form, the cleartext is not stored anywhere on the system. When you login the password you enter is hashed and compared with the stored value.
When you specify a password during the user creation process in ansible, it must be the already hashed form as noted in the doc links in your question.
If you look at /etc/shadow on the system where you created the user you will see something like this (the second field is the password value):
deployer:rawpass2:17165:0:99999:7:::which shows you that the string you supplied was used directly as the hashed password value. Of course when you try to login and specify
rawpass2, the login code hashes that and compares it to the stored value and they don't match. This is why you have to pass the already hashed value to ansible.