cisco.ios

ios_user: update_password key failure with aggregate. + others

Open tin-ot opened this issue 2 years ago • 2 comments

SUMMARY

I noticed 3 different issues with this module:

  1. module breaks when the update_password is used in the aggregate dictionary.
  cisco.ios.ios_user:
    aggregate:
      - name: "{{ username1 }}"
        configured_password: "{{ clear_passwd1 }}"
        update_password: 'always'
      - name: "{{ username2 }}"
        configured_password: "{{ clear_passwd2 }}"
        update_password: 'always'

(this breaks)

Works as expected if defined like this:

  cisco.ios.ios_user:
    aggregate:
      - name: "{{ username1 }}"
        configured_password: "{{ clear_passwd1 }}"
      - name: "{{ username2 }}"
        configured_password: "{{ clear_passwd2 }}"
    update_password: 'always'

(this works)

  2. Some hashes are not blurred in the output with no log.

expected result: "username dummy secret ********"
actual result: "username dummy secret ******** $$human_readable_hash********"

This behaviour depends on the hash. Some are blurred, others are clear.

  3. (More of an enhancement) There is no choice regarding encryption. The only algorithm available through the module is md5, which is considered broken. The only recommended encryption algorithm, as of today, is scrypt. Even if it is possible to configure the device with a hashed password ... it will set the same hash on all configuration files, which is not desirable either.

Proposition: add a new keyword in the module to choose the encryption algorithm with a clear password as input. The command would be: username <username> privilege 15 algorithm-type scrypt secret <secret>

Workaround:

Use the module "naked" with the purge key set to true; configure desired users and passwords with the config module in another task.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
github latest
ansible [core 2.12.2]
  config file = /remote/users/mcarrouee/.ansible.cfg
...
  python version = 3.8.8 (default, Aug 11 2021, 06:52:42) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
github latest
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE

EXPECTED RESULTS
ACTUAL RESULTS

module failure with aggregate

The full traceback is:
Traceback (most recent call last):
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 107, in <module>
    _ansiballz_main()
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.ios.plugins.modules.ios_user', init_globals=dict(_module_fqn='ansible_collections.cisco.ios.plugins.modules.ios_user', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 621, in <module>
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 605, in main
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 550, in update_objects
KeyError: 'update_password'

tin-ot, Apr 14 '22 14:04
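A check for the second point above (hash material left visible in task output), as an added example that is not part of the issue thread or of the cisco.ios code base. It scans captured output for IOS username commands whose secret is not fully masked and can rewrite them before the log is stored; the function names, the set of encryption-type digits and the sample lines are assumptions made for the illustration.

```python
import re

# IOS "username <name> [options] secret|password <rest>" as it appears in task output.
USER_CMD = re.compile(
    r"\busername\s+(?P<name>\S+)(?P<opts>(?:\s+\S+)*?)\s+"
    r"(?P<kw>secret|password)\s+(?P<rest>[^\"'\n]+)"
)
MASK = re.compile(r"^\*+$")                          # Ansible's "********" replacement
PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # Ansible's marker for no_log parameters
ENC_TYPES = {"0", "5", "7", "8", "9"}                # assumed set of IOS encryption-type digits


def unmasked(rest):
    """Return the tokens after secret/password that are not fully masked."""
    tokens = rest.split()
    if len(tokens) > 1 and tokens[0] in ENC_TYPES:
        tokens = tokens[1:]                          # the type digit itself is not sensitive
    return [t for t in tokens if not MASK.match(t) and t != PLACEHOLDER]


def scan(lines):
    """Return (line_number, username, leaked_tokens) for each line that exposes material."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = USER_CMD.search(line)
        if match and (leaked := unmasked(match["rest"])):
            findings.append((number, match["name"], leaked))
    return findings


def redact(line):
    """Replace everything after the secret/password keyword with a fixed marker."""
    return USER_CMD.sub(
        lambda m: f"username {m['name']}{m['opts']} {m['kw']} <redacted>", line
    )


# Constructed sample output; the second line has the shape reported in the issue.
SAMPLE_OUTPUT = [
    '"username dummy secret ********",',
    '"username dummy secret ******** $$human_readable_hash********",',
    '"username netops privilege 15 secret 9 $9$CONSTRUCTED.SALT$CONSTRUCTEDHASHVALUE",',
    '"username audit algorithm-type scrypt secret VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",',
    '"interface GigabitEthernet0/1",',
]

if __name__ == "__main__":
    for number, name, leaked in scan(SAMPLE_OUTPUT):
        print(f"line {number}: user {name!r} exposes {len(leaked)} unmasked token(s)")
    print(redact(SAMPLE_OUTPUT[1]))
```

Running scan() over stored job logs gives a quick inventory of which accounts need their secrets rotated; redact() is meant for the log pipeline, not as a replacement for no_log on the task.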

@tin-ot

  1. This is how the update password attribute should be used according to the documentation.
  2. Could you provide me a playbook that could reproduce the case where the hashes are not blurred?

roverflow, Oct 12 '23 10:10

Hi @roverflow - I am seeing the same issues as described by tin-ot.

  1. ios_user documentation indicates that update_password can be used as part of an aggregate dictionary
  2. Playbook task that fails is as follows:
   - name: "Add user"
     cisco.ios.ios_user:
       aggregate:
         - name: "{{ new_username }}"
           hashed_password:
             type: 9
             value: "{{ new_user_secret }}"
           privilege: 15
           state: present
           update_password: on_create

Task output:

fatal: [device-hostname]: FAILED! => changed=false
  module_stderr: '''update_password'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

I also see the same issue with hashes not being hidden in output, and agree with tin-ot's enhancement suggestions.

This is with ansible 2.15 and cisco.ios 5.1.0.

noziwatele, Oct 20 '23 00:10