Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

htpasswd module does not update password when crypt_scheme changes #9267

Open
1 task done
fxedel opened this issue Dec 17, 2024 · 2 comments
Open
1 task done

htpasswd module does not update password when crypt_scheme changes #9267

fxedel opened this issue Dec 17, 2024 · 2 comments
Labels
bug This issue/PR relates to a bug module module plugins plugin (any type)

Comments

@fxedel
Copy link

fxedel commented Dec 17, 2024

Summary

We recently noticed that sites protected with basic auth were very slow to respond. After some research we pinpointed this to using a strong crypt_scheme (sha256_crypt) to hash passwords.

We had hoped to easily resolve this by changing crypt_scheme to apr_md5_crypt (the default). However, after changing this and doing an ansible run all htpasswd files remained unchanged.

Copied from ansible/ansible#66802, but the problem still persists.

Issue Type

Bug Report

Component Name

htpasswd

Ansible Version

$ ansible --version
ansible 2.9.4
  config file = ./ansible.cfg
  configured module search path = ['./.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = ~/.pyenv/versions/3.6.6/envs/ansible/lib/python3.6/site-packages/ansible
  executable location = ~/.pyenv/versions/ansible/bin/ansible
  python version = 3.6.6 (default, Aug 29 2018, 17:15:42) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

Community.general Version

$ ansible-galaxy collection list community.general
...

Configuration

ANSIBLE_PIPELINING(./ansible.cfg) = True
DEFAULT_FORKS(./ansible.cfg) = 5
DEFAULT_HOST_LIST(./ansible.cfg) = ['./provisioning/hosts']
DEFAULT_ROLES_PATH(./ansible.cfg) = ['./.ansible/roles']
DEFAULT_STDOUT_CALLBACK(./ansible.cfg) = debug

OS / Environment

On the server passlib==1.7.1

Steps to Reproduce

Start of with a task similar to this:

  name: Manage htpasswd file
  htpasswd:
    path: "{{ basic_auth_file }}"
    name: "{{ item.username }}"
    password: "{{ item.password }}"
    state: "{{ item.state|default('present') }}"
    crypt_scheme: sha256_crypt
  with_items: "{{ basic_auth_users }}"
  no_log: True

Run ansible.

Then change crypt_scheme to apr_md5_crypt

Run ansible again.

Expected Results

I expected the htpasswd files to be updated with the password hashed using the configured crypt_scheme.

Actual Results

The htpasswd files remain unchanged.

Ansible logs: [user] already present

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot
Copy link
Collaborator

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

@ansibullbot
Copy link
Collaborator

cc @None
click here for bot help

@ansibullbot ansibullbot added bug This issue/PR relates to a bug module module plugins plugin (any type) labels Dec 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This issue/PR relates to a bug module module plugins plugin (any type)
Projects
None yet
Development

No branches or pull requests

2 participants