htpasswd: add "exclusive" parameter #5975
Comments
prometheus/nginx/MetricsPort integration: with this change we move from a randomly generated username to a static username to work around this issue: ansible-collections/community.general#5975. After upstream implements the exclusive parameter we will revert this commit and move to random usernames again. If you used relayor's prometheus integration and htpasswd file generation, it is recommended to delete the htpasswd file (by default under /etc/nginx/tor_metricsport_htpasswd) and run the playbook again to ensure that only one entry is in that file.
Hi @nusenu , thanks for submitting your feature request. At first glance, it looks like your assumption is not true. The code that effectively changes the password is in:
It uses So, from the documentation, it looks like the password is not added as you assumed but rather updated. The module has no tests, and I have not hand-crafted anything to verify at this point. Has that problem actually happened to you? Thanks in advance
Hi @russoz,
thanks for looking into this.
I think my feature request got slightly misunderstood.
The problem is not the password.
The **username** was generated randomly in my case (also the password, but that is not relevant here).
So if I rotate the username a second user gets added, but my goal is to manage the resulting file completely (all lines), like the "exclusive" parameter for authorized_keys.

> Has that problem actually happened to you? Thanks in advance

Yes, and here is how I worked around it by using a static username instead:
nusenu/ansible-relayor@7c7b4c4
Does this clarify the issue or should I try to elaborate?
kind regards,
nusenu
OK, I think I got it. IMO the option name could be improved. Basically we want to clear the file of entries before running. I reckon that is somewhat easy to implement - if the flag is on, it would be similar to the "create new file" case.
Summary
The htpasswd module does not provide the "exclusive" parameter like the authorized_keys module. This is a problem when usernames are generated randomly using a lookup (example), because it results in users getting added instead of getting replaced (the old account stays valid).
This can result in a security risk when people try to rotate their passwords by removing the local lookup folders, because it will result in a new account being added to htpasswd instead of replacing the old one.
I'm proposing to add the "exclusive" parameter to the htpasswd module with the same semantics as in the authorized_keys module.
Issue Type
Feature Idea
Component Name
htpasswd
Additional Information
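The add-versus-replace behaviour the issue describes is easy to see on a small model of the htpasswd file. The following Python is an added example written for this page; it is not code from the community.general htpasswd module or from ansible-relayor. The function names (update_entry, stale_entries, random_username) and the "{SHA}" hash scheme are assumptions chosen for a self-contained, standard-library-only script; the module itself delegates hashing to passlib. It shows the current per-user semantics (a rotated random username leaves the previous entry in place), the proposed exclusive semantics (the file ends up with exactly the managed entry), and an audit helper that lists leftover entries so a playbook run or a log check can detect the stale accounts the issue warns about.

```python
"""Model of htpasswd 'user:hash' lines to illustrate add vs. replace semantics.

Added example, not the module's own code. "{SHA}" (base64 of SHA-1) is used
only because it is trivial to compute with the standard library; a production
file would use bcrypt or another slow hash.
"""
import base64
import hashlib
import secrets
from typing import Dict, List


def sha_hash(password: str) -> str:
    """Return an htpasswd '{SHA}' value for password (assumed scheme, see docstring)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Parse 'user:hash' lines into a dict (insertion order kept); blanks and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        entries[user] = hashed
    return entries


def render_htpasswd(entries: Dict[str, str]) -> str:
    """Serialise entries back to htpasswd format, one 'user:hash' per line."""
    return "".join(f"{user}:{hashed}\n" for user, hashed in entries.items())


def update_entry(text: str, user: str, password: str, exclusive: bool = False) -> str:
    """Return the file content after managing one user.

    exclusive=False mirrors the current module behaviour: the named user is
    added or its hash updated, and every other entry is left untouched.
    exclusive=True is the semantics proposed in the issue: only the managed
    entry survives, matching the authorized_keys 'exclusive' parameter.
    """
    entries = parse_htpasswd(text)
    if exclusive:
        entries = {}  # drop every entry this task does not manage
    entries[user] = sha_hash(password)
    return render_htpasswd(entries)


def stale_entries(text: str, expected_users: List[str]) -> List[str]:
    """Audit helper: usernames present in the file that the playbook did not intend to keep."""
    return sorted(set(parse_htpasswd(text)) - set(expected_users))


def random_username() -> str:
    """Constructed stand-in for a lookup-generated random username."""
    return "metrics_" + secrets.token_hex(4)


if __name__ == "__main__":
    # First playbook run: a random username is generated and written.
    first_user = random_username()
    run1 = update_entry("", first_user, "pw-one")

    # Second run after the local lookup folder was removed: a new username.
    second_user = random_username()
    run2_current = update_entry(run1, second_user, "pw-two")                  # current semantics
    run2_exclusive = update_entry(run1, second_user, "pw-two", exclusive=True)  # proposed semantics

    print("current behaviour leaves stale:", stale_entries(run2_current, [second_user]))
    print("exclusive behaviour leaves stale:", stale_entries(run2_exclusive, [second_user]))
```

Running the script prints the old random username under the current semantics and an empty list under the exclusive semantics, which is exactly the difference the issue asks for; stale_entries is the check a reviewer can run against a real file (with the file's own hashes) to confirm no rotated-out account is still accepted.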