New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
two random password lookups in same task return same value #34144
Comments
Files identified in the description: If these files are inaccurate, please update the |
The issue here seems to be template caching. If I modify That means you can work around the problem like this:
That gives you two templates that are functionally identical but have different content, so caching doesn't bite you. |
This workaround is troublesome if you need to generate more than 2 passwords though. For example, if you're generating WordPress hash values (https://codex.wordpress.org/Editing_wp-config.php#Security_Keys), you need to generate 8 different values: changing a template 8 times is something you'd want to avoid. Bugfix would be really helpful. |
Anyway, thanks for the finding @larsks! |
I had two password lookups in a row that I was leaving with a default
|
This issue is still happening for - name: Generate random password for WordPress salts
set_fact:
wp_auth_key: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_secure_auth_key: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_logged_in_key: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_nonce_key: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_auth_salt: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_secure_auth_salt: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_logged_in_salt: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
wp_nonce_salt: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
when: scalingo_existing_wp_salt | length == 0 outputs
I tried also: - name: Generate random password for WordPress salts
set_fact:
wp_auth_key: "{{ random_password }}"
wp_secure_auth_key: "{{ random_password }}"
wp_logged_in_key: "{{ random_password }}"
wp_nonce_key: "{{ random_password }}"
wp_auth_salt: "{{ random_password }}"
wp_secure_auth_salt: "{{ random_password }}"
wp_logged_in_salt: "{{ random_password }}"
wp_nonce_salt: "{{ random_password }}"
vars:
random_password: "{{ lookup('password', '/dev/null length=64 chars=ascii_letters,digits,punctuation') }}"
when: scalingo_existing_wp_salt | length > 0 which gives the same password too. |
Happens here as well (version 2.8.0). |
And still with version 2.8.2. |
issue still persist in ansible 2.8.2.post0 |
Also, generation of the same password happens if you specify a different character category, giving a password different than specified.
Gives:
|
Just fell into this trap with Ansible |
ansible/ansible#34144 - Updated to Ansible 2.9.1
@alanbchristie you can add a blank string with
|
Thanks and it's good you've confirmed it works even with more than two instances. I create about 12 passwords in the same file (not in a loop). To be honest it's a mess which also requires you to leave comments in the file to explain to others who read it why you're doing such an odd thing. Now I know there's template caching going on, surely, the ultimate solution lies in the engine?
But a neat vulnerability that can be exploited! ... If you know something's been deployed using Ansible and you know one password then your best approach for an attack is to try the password you know in other apps that have been deployed at the same time. I was deploying 3 independent applications and all 12 passwords ended up being the same! Luckily I spotted it before I rolled it out. |
Same problem... and adding ---
- name: "Debug passwords"
debug:
msg:
- "{{lookup('password','/dev/null chars=ascii_letters,digits length=32') + '' }}"
- "{{lookup('password','/dev/null chars=ascii_letters,digits length=32') + '' }}" yeilds:
|
Hi @patrick-fls, if you do ---
- name: "Debug passwords"
debug:
msg:
- "{{lookup('password','/dev/null chars=ascii_letters,digits length=32') }}"
- "{{lookup('password','/dev/null chars=ascii_letters,digits length=32') + '' }}" It's about fooling the template cache algorithm. If the two lines look the same a re-evaluation won't be done. But (for me) this is just a work-around that woks in only a simple case - i.e. with two passwords because, for the same I really think the caching algorithm is defeating its purpose here and manifests itself as a bug. Personally I think it needs to be fixed or template caching disabled by default as it's too difficult to realise that you've been caught by this bug without inspecting the generated variables. |
You're right, it only works for TWO passwords. I naively thoughts that doing a concatenation would defeat the cache. I even tried to use I'm in a situation where I need several randomly generated 64 byte keys, i can't play with the length. I will have to do it manually on the host instead. Boggles my mind that this is even problem on such a huge system. |
Agreed - it's one heck of a flaw! ... and no-one is assigned to this so don't expect a resolution anytime soon! |
This is what I ended up with. ---
- set_fact:
deployment_config_template: "{{ deployment_config_template | combine({item: lookup('password', '/dev/null length=42')}) }}"
loop:
- sql_password
- secret_key
- otherdb_password
- door_password
- secret_passphrase
- ymmv_passphrase |
Files identified in the description: If these files are inaccurate, please update the |
ISSUE TYPE
COMPONENT NAME
lookups
ANSIBLE VERSION
CONFIGURATION
no custom config
OS / ENVIRONMENT
Linux
SUMMARY
two consecutive facts from password lookup with same length get identical values.
separate tasks or different length result in different values, as expected.
STEPS TO REPRODUCE
EXPECTED RESULTS
two different values
ACTUAL RESULTS
two identical values
changing length for one of these, or using separate tasks, gives different values.
http://docs.ansible.com/ansible/latest/playbooks_lookups.html#the-password-lookup says "A special case is using /dev/null as a path. The password lookup will generate a new random password each time", thus the current behaviour is at least confusing and unexpected.
from irc :
The text was updated successfully, but these errors were encountered: