Ansible hash password not working - ansible

I have a variable with ansible_ssh_user and ansible_ssh_pass in my playbook global variables. I tried hashing my password with various methods but I still couldn't ssh to my remote VMs. I have tried ansible_user and ansible_pass but still no luck. The following are the methods I used and they all failed. I'm not sure what I am missing and hopefully some experts could help. When I use a clear password it works, but not a hash. Here are the methods I've tried, still unsuccessful:
1. mkpasswd --method=SHA-512
2. python -c "from passlib.hash import sha512_crypt; print sha512_crypt.encrypt('<password>')"
3. # python
   >>> import crypt
   >>> crypt.crypt('<PASSWORD>', '$6$salt$')
4. cat /etc/shadow | grep <user>
   Try to get the encrypted password, but still not working.
I have confirmed my VM is using ENCRYPTED_METHOD SHA512. Nothing is working; I'd appreciate it if someone could help.

"I tried hashing my password with various method but I still couldn't ssh to my remote VMs"
And for a good reason — to connect to a remote machine over the SSH protocol with password authentication you must provide a password, not a password hash.
In password authentication users provide passwords and systems process them. As one of the security measures, systems store password hashes instead of passwords, so that in case of a breach the passwords themselves do not get compromised.
If for some reason a system allowed authenticating users using a hash rather than a password, it would be a huge security flaw (equal to storing passwords in clear).
If you really need to use password authentication, then Ansible Vault provides a way to protect the passwords. Otherwise use public key authentication.

It seems like you want to access your VMs and do something using Ansible.
The best practice when using Ansible is to first set up a public-private key pair.
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
Check whether SSH using the key pair is working fine. If it is, you can go ahead.
Now suppose you want to access a host having IP 10.192.34.74. Add the following line to your inventory file:
10.192.34.72 ansible_ssh_private_key_file=/path/to/private/key/file
Now it should work.
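As an added example that is not part of either answer, the following inventory combines both recommendations: key-based login for hosts that support it, and a Vault-encrypted plain password (never a hash) for a host that still needs password login. Host names, users, IP addresses, key paths and the vault ciphertext placeholder are assumptions.

```yaml
# inventory.yml  (constructed example; hosts, users and paths are placeholders)
all:
  children:
    keyed:
      hosts:
        vm1:
          ansible_host: 10.192.34.72            # address used in the answer above
          ansible_user: deploy
          # Private key file: the recommended method. No password variable at all.
          ansible_ssh_private_key_file: ~/.ssh/ansible_ed25519
    password_only:
      hosts:
        legacy1:
          ansible_host: 10.192.34.73
          ansible_user: deploy
---
# group_vars/password_only.yml  (assumed file; applies to the group above)
# ansible_password (older alias: ansible_ssh_pass) must hold the real password.
# Ansible decrypts it at run time and hands it to sshd via sshpass; a sha512-crypt
# string stored here is just a wrong password, which is why hashing never works.
# The value is protected at rest by Ansible Vault. Generate it with:
#   ansible-vault encrypt_string --vault-id prod@prompt 'S3cret!' --name ansible_password
ansible_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;prod
  <placeholder: paste the hex ciphertext printed by ansible-vault here>
# Run with:
#   ansible-playbook -i inventory.yml site.yml --vault-id prod@prompt
```

The password branch needs the sshpass binary on the control node; the key branch needs only the private key file, and the corresponding public key in the remote user's authorized_keys.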

Related

passing username/password to openVPN CLI directly

I want to make a script that asks the user for username and password and uses these for a few things at once, including connecting to OpenVPN without needing to either
store the password on the disk
ask the user for the data many times over
for example you can run net use with user and password to mount shares, however openVPN seemingly only has an option to pass a file with username and password.
On Linux there seemingly are solutions like this, however I don't seem to find anything similar for windows yet.
Is there a solution?

Setting credential in Ansible Tower GUI

I chose credential type as 'Machine'.
What are the required parameters for the Username and Password fields to set up a bare-minimum credential.
Upon trying multiple times, I get :
Enter passphrase for /tmp/awx_1977135_t5pmrI/credential_4343:
with no option to input anything.
You just need to create a Username and Password. You can also provide the privilege escalation method (for example: sudo).
Make sure the password is in encrypted format. It is mentioned in the known issues:
If your Tower server has a version of OpenSSH that predates 5.7, jobs will fail when launched jobs with ECDSA credentials.
If the key is unencrypted, your job will fail with a message similar to:
Enter passphrase for /tmp/ansible_tower_RcQweY/tmph9Jote:
https://docs.ansible.com/ansible-tower/3.0/html/release-notes/known_issues.html
You can also try to delete the one which you created and create from scratch.

Passworded ssh key suddenly does *not* require that I type the password

I use console2 in combination with git bash in order to interact with my local git repositories and by extension several github and bitbucket repositories also.
I use an ssh key pair to authenticate myself to these services, however my ssh key pair has an associated password.
This morning I found that I was no longer required to enter this password on my laptop in order to complete the authentication process.
I did some testing and it seems that the same key present on my desktop machine still requires me to enter my password.
So my question is.... why am I no longer required to enter my password on my laptop in order to authenticate with these servers?
Sounds like you have ssh-agent (sshagent.exe) running.
It is a small utility which allows you to enter your key's passphrase once and it then holds it "unlocked" for further use without you needing to re-enter the passphrase each time. Killing it will cause the original behaviour.
ssh-agent comes along with ssh in a standard msysgit installation. I'm not sure if something's changed that now means it's used by default or not though. Another explanation as to why it's running might be if you've installed posh-git and run a PowerShell session. By default (I believe - it's been a while), it'll run at the start of the session and ask for your key's passphrase. I use it every single day with this configuration as my passphrase is quite long... :-)
Something to do with having git-credential-winstore installed on your laptop?

Use the host's environment variables as chef attributes (vagrant) - how to manage passwords?

On a host machine, I have something like:
export SOME_USER=foo
export SOME_PASSWORD=password
I want to turn some of the host machine's environment variables into attributes in an attributes/default.rb:
user = ENV["SOME_USER"]
password = ENV["SOME_PASSWORD"]
node.default["some"]["url"] = "http://#{user}:#{password} ..."
But ENV here is the guest OS's ENV. Can I access my host's environment in an attributes file?
More broadly, what is the preferred way to define a user/password in Chef without checking passwords in anywhere?
The best way to do this is with encrypted databags.
Basically, you store the values on the chef server, encrypted with a key. You give this key to the nodes that need the values, and they can download and decrypt the values, getting the passwords. This not only prevents checking in plain text passwords, but ensures the passwords are encrypted on the wire as well.
Read more about it: http://wiki.opscode.com/display/chef/Encrypted+Data+Bags

How to capture your username on Box A after you have SSHed onto Box B?

Maybe not the best worded question, but hopefully it's a straightforward problem.
The scenario is SSHing from a personal account on box A to a generic account on box B. The script running on box B needs to capture the personal account name for logging purposes. Is there any way of capturing this, either via SSH itself or some information captured by the shell? We are using ssh2 (Reflections), and KornShell (ksh) on Solaris.
If you have full control of the client machine, you can deploy identd to get the username.
Full procedure to get the name from a script:
1. Walk up the process tree, find sshd.
2. Walk netstat -p to find the remote IP and port.
3. Connect to the client on port 113 and ask.
You may have to disable privilege separation for this to work as-is; however it should be trivial to modify to work w/o it.
You can't log the remote username reliably
You can log the IP of the connection (see the SSH_CONNECTION variable)
You could have a standard where they use an alias for ssh that logs the remote username as part of the login process, or where they store their username in a .ssh/environment file (but allowing environments to be set may require ssh/sshd config changes).
alias sshblah='ssh blah "REMOTEUSER=$USER; bash'
(Except that doesn't work, and I haven't tried to figure out why - and it would be different if you use tcsh, etc).
You can use environment passing in this manner, and select which variables you allow to be set. You'd have to get the users to set some alternate to $USER, like $REMOTE_USER=$USER, and then allow $REMOTE_USER to pass through. And you're trusting they don't set it incorrectly, or forget to set it (you can handle that case with a little annoyance by modifying this mechanism).
Note that you almost have to trust the client connecting to tell you who the user is - you can make it hard/annoying to spoof the username, but unless you use per-user certificates instead of a generic login/password they all know, you can't verify who connected.