Ansible creates locked user on Alpine #68676

Open
FloMiau opened this issue Apr 3, 2020 · 9 comments · May be fixed by #84642
Labels: affects_2.9, bug, collection, has_pr, module, needs_verified, P3, python3, support:core, system

Comments

@FloMiau
Contributor

FloMiau commented Apr 3, 2020

SUMMARY

I'm creating a user via Ansible. This works on Debian-based systems like Ubuntu 16, 18, Raspbian, Debian.

The same tasks don't work on Alpine Linux. The user is created but no login is possible. The user is locked.

This issue is maybe related to #61911 and #66679.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lib/ansible/modules/system/user.py

ANSIBLE VERSION

    ansible 2.9.6
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/florian/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
      executable location = /usr/local/bin/ansible
      python version = 3.6.9 (default, Nov  7 2019, 10:44:02) [GCC 8.3.0]

I had the same problem on 2.9.5

CONFIGURATION

    ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
    ANSIBLE_SSH_ARGS(/etc/ansible/ansible.cfg) = -o ControlMaster=auto -o ControlPersist=5m
    DEFAULT_CALLBACK_WHITELIST(/etc/ansible/ansible.cfg) = ['timer', 'profile_tasks', 'profile_roles']
    DEFAULT_FORKS(/etc/ansible/ansible.cfg) = 20
    DEFAULT_STRATEGY_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/local/lib/python3.6/dist-packages/ansible_mitogen/plugins/strategy\nstrategy = mitogen_linear']

OS / ENVIRONMENT

Target:
Alpine 3.11.5

STEPS TO REPRODUCE

    - name: "create user"
      user:
        name: testuser
        shell: /bin/ash
      become: true

    - name: "Set up authorized key"
      authorized_key:
        user: testuser
        state: present
        key: '{{ item }}'
      with_file:
        - ssh.publickey
      become: true

EXPECTED RESULTS

User is created and it is possible to login.

ACTUAL RESULTS

User is created and it is not possible to login.

@saito-hideki
Member

saito-hideki commented Apr 20, 2020

Hi,
As far as I know, if you want to create a disabled user account (but not locked) on Alpine, you need to set the password value to '*' as follows:

    - user:
        name: testuser
        shell: /bin/ash
        password: '*'
      become: true

It worked on my end (Alpine 3.11.5). I hope this helps.

@bcoca
Member

bcoca commented Apr 21, 2020

It does not need to be *; any value you cannot arrive at as a hash would work (personally I use L). But that only disables password logins; it will not block keys or other alternative auth methods.

@FloMiau
Contributor Author

FloMiau commented Apr 21, 2020

I wanted to create a user which is not locked.
Only login via SSH key is needed.

@bcoca
Member

bcoca commented Apr 21, 2020

@FloMiau understood, was just responding to the comments. I do suspect this is an issue with the busybox handling in the user module.

@relrod relrod self-assigned this Jul 26, 2020
relrod added a commit to relrod/ansible that referenced this issue Jul 26, 2020
Change:
- On busybox systems such as Alpine, user accounts which are created
  with no password are locked by default until their password is
  changed. For consistency with other platforms, if not given a
  password, manually unlock the account so that it is accessible by key
  access.

Test Plan:
- Local Alpine VM

Tickets:
- Fixes ansible#68676

Signed-off-by: Rick Elrod <rick@elrod.me>
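
A check for the account states discussed in this thread, as an added example that is not part of the issue, the commit above, or Ansible's user module: it classifies the password field of shadow-format entries into locked, password-disabled, empty, or hash. It assumes a locked account is marked by a leading `!` as described in shadow(5); the sample entries, function names and hash strings are constructed.

```python
# Added example: classify the password field (field 2) of shadow(5) entries.
# Assumption: a locked account is marked by a leading "!" in that field.
import re
from typing import Dict, List

# Constructed sample in /etc/shadow format (not taken from a real host).
SAMPLE_SHADOW = """\
root:$6$saltsalt$Zm9vYmFyYmF6cXV4:18355:0:::::
testuser:!:18355:0:99999:7:::
deploy:*:18355:0:99999:7:::
svc:L:18355:0:99999:7:::
backup:!$6$saltsalt$Zm9vYmFyYmF6cXV4:18355:0:99999:7:::
guest::18355:0:99999:7:::
"""

DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")  # legacy crypt(3) output


def classify_field(pw: str) -> str:
    """Return the login state implied by a shadow password field."""
    if pw == "":
        return "empty"             # no password is required at all
    if pw.startswith("!"):
        return "locked"            # the state reported in this issue
    if pw.startswith("$") and pw.count("$") >= 3:
        return "hash"              # modular format: $id$salt$hash
    if DES_HASH.fullmatch(pw):
        return "hash"
    return "password-disabled"     # e.g. "*" or "L": no hash can match it


def classify_shadow(text: str) -> Dict[str, str]:
    """Map each user name to the state of its password field."""
    states = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue               # blank, comment or malformed entry
        states[fields[0]] = classify_field(fields[1])
    return states


def locked_users(text: str) -> List[str]:
    """Accounts to review when key-based logins are refused."""
    return sorted(u for u, s in classify_shadow(text).items() if s == "locked")


if __name__ == "__main__":
    for user, state in classify_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {state}")
```
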
@NHAS

NHAS commented Mar 4, 2022

Can we get this merged? This seems rather important and has just stung me.

@relrod relrod removed their assignment Aug 22, 2022
@baroldgene

I know this is an old thread but this just bit me as well.

Akasurde added a commit to Akasurde/ansible that referenced this issue Jan 30, 2025
* When creating a user account with no password on busybox systems such as Alpine, the account is now unlocked after it is created, for consistency with other platforms
* Added helper method to write safely the contents to shadow file

Fixes: ansible#68676

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
@Akasurde
Member

resolved_by_pr #84642
