Ansible Try Multiple Passwords for Same User - ansible

I need to login into 50 hosts and perform a specific task.
Each host has one of 2 passwords (ex: pass1 and pass2) for a specific user (ex: foo).
I do not know on which host "foo" is set with "pass1" and on which host "foo" is set with "pass2". I have both passwords in a vault file.
Using Ansible, how can I first make a task where I try to login as "foo" with "pass1", then if unsuccessful login with "pass2" and finally setting a fact with the correct vault value (depending on which password worked i.e. "foo" managed to login).
I then want to use that fact to perform additional tasks on that same host.

Related

Ansible aws_ec2 plugin how to set credentials for discovered hosts?

Need to launch ad-hook commands like "-m ping" on existing ec2 instances, but it requred key-pair.
How to set key-pair for boto, like "aws_access_key_id" stored in ~/.aws/credentials ?
Also, have a problem invertory:
i got "invertory" folder near Ansible, where stored both local hosts and aws_ec2.yml file. But ansible-invertory --list works only for aws_ec2.yml file...
You can declare appropriate credentials and other host-sensitive variable right in the inventory file.
I.e.:
[ec2fleet]
35.... ansible_ssh_user=ec2-user
15.... ansible_ssh_user=ubuntu
[ec2fleet:vars]
ansible_user=deployer
ansible_ssh_private_key_file=/home/deployer/.ssh/deployer.pem

Ansible using common user and pass to hosts

I've a hosts file with 4 host ip's and I'm always using "ansible_connection=ssh ansible_ssh_user=user ansible_ssh_pass=pass" besides host ip to verify the connection.
But, this is difficult to add these many times. Could someone please tell me where can I keep common these parameters and pass it to all my host ip's at a time?
Create file in directory all in directory group_vars with the content.
ansible_connection:ssh
ansible_ssh_user:user
ansible_ssh_pass:pass
It should work.

ansible expect module respond to password prompt

I have read the documentation related expect module on here
I'm trying to add a CentOS7 to 2012 AD Domain controller, here is my playbook,
- name: Attempt to join the server to AS
expect:
command: realm join --user=admin#mydomain.local mydomain.local
responses:
(?i)Password for admin#mydomain.local: abc123
Ansible playbook fails, saying the password is incorrect, is this the correct way of using expect?
Have you try to incapsulate the password in quotes like so?
(?i)Password for admin#mydomain.local: "abc123"

Chef: How to set a user's password from an encrypted data bag

I am using Chef with kitchen (1.5.0) and vagrant (1.8.1) to manage a user consistently with a new server. My user recipe looks like this:
include_recipe "users"
group 'sudo'
password_secret = Chef::EncryptedDataBagItem.load_secret(node['enterprise_sp']['secret_file'])
jays_password = Chef::EncryptedDataBagItem.load('user_secrets','jgodse', password_secret)['password']
shadow_password = `openssl passwd -1 -salt xyz #{jays_password}`.strip
user 'jgodse' do
action :create
group 'sudo'
system true
shell '/bin/bash'
home '/home/jgodse'
manage_home true
password shadow_password #added to /etc/shadow when chef runs
end
The unencrypted data bag was where I configured my password in the clear. I then encrypted the data bag with a knife command.
This works, but this seems like a really dirty way around the problem of setting my password. I had to do that because the password directive of the user block only takes the shadow password, and that can only be generated by shelling out to an openssl command.
Is there a cleaner way of getting the shadow password without shelling out to an openssl command which generates the password?
You should not be storing the password at all, just hash it beforehand and put the hash in the data bag in the first place. Also using encrypted data bags like this is scary-level unsafe, please take some time to familiarize yourself with the threat model of Chef's encryption tools, this ain't it.
At least pre-calculate the password hash and put that into the data bag.
See https://github.com/chef-cookbooks/users for inspiration.

How to verify multiple server's root password using bash script?

I've two text files one with list of server name's, another file with their root password (Unique password)
I have to check all server root password by logging to individual servers. but the issue is, by default ssh root login is disabled. Hence i have to login via my normal user(Test) and switch as root and try the root password which is mentioned in the text file.
is there any way i can get this automated ? highly appreciate if anyone can help me out.
Linux passwords are stored in /etc/shadow files.
They're just hashed plain-text, no magic.
Take a look at python's crypt.crypt() function.
# change 'root' password to 'secret' (demo only)
$ echo root:secret | chpasswd
Password for 'root' changed
# get 'root' hashed password
$ grep root /etc/shadow
root:$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0:16673:0:::::
# verify hashed password is correct
$ python -c 'import crypt; print crypt.crypt("secret", "$6$YvK0oNOm$") == "$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0"'
True
You can collect shadow files from all servers, and verify them locally.
WARNING: Shadow files are very sensitive.
This is a simple solution.
input.csv
192.168.1.1,secret,$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.2,pAssWd,$6$AbcdeFgh$1234fsXXXXXXXXXXXsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.3,123456,$6$efsjdsix$8787sdfsdsdfsd232sqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
check.py
import csv, crypt
for i, j, k in csv.reader(open('input.csv')):
if crypt.crypt(j, k) != k:
print i
result
$ python check.py
192.168.1.2
192.168.1.3

Resources