From 0d7f35ab169e9e1c252279a6eaed010742c270f7 Mon Sep 17 00:00:00 2001
From: Carl Karsten
Date: Wed, 12 Apr 2017 09:52:44 -0500
Subject: [PATCH] Use crypted password rather than plain text

Gives the password some (very poor) degree of security, while in a public git repo.
---
 inventory/group_vars/all | 6 ++----
 roles/tftp-server/defaults/main.yml | 3 +--
 roles/tftp-server/templates/preseed.cfg.j2 | 6 ++++--
 roles/users/defaults/main.yml | 3 +--
 roles/users/tasks/main.yml | 5 ++---
 5 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 6c02e43..73f7590 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -1,6 +1,4 @@
 ---
 user_name: videoteam
-# The video user's password. It can be set during install, by preseed, so you
-# don't have to set it here
-#user_password: please_change_me
-#pw_salt: please_change_me
+# crypt(3)ed password. e.g. echo -e redPill | mkpasswd -s -m SHA-512
+user_password_crypted: $6$8HM7EZ2Uf73ekI$dtCsm0VMP68M0uR5Kbf/9MoNhuXmoiVgOkcq0miFn64EFWqG79z6spWb1SKegu7ft937bHHe5SA9wYErUr60G0
diff --git a/roles/tftp-server/defaults/main.yml b/roles/tftp-server/defaults/main.yml
index da88a9d..d4b48ed 100644
--- a/roles/tftp-server/defaults/main.yml
+++ b/roles/tftp-server/defaults/main.yml
@@ -10,5 +10,4 @@ apt_proxy: false
 #mirror: deb.debian.org
 user_name: videoteam
-user_password: null
-pw_salt: U1ESiTXUQE0tFh2r4LRl
+user_password_crypted: null
diff --git a/roles/tftp-server/templates/preseed.cfg.j2 b/roles/tftp-server/templates/preseed.cfg.j2
index b579bb3..bc60f8b 100644
--- a/roles/tftp-server/templates/preseed.cfg.j2
+++ b/roles/tftp-server/templates/preseed.cfg.j2
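Review bot: The added `user_password_crypted` line in `inventory/group_vars/all` commits a real crypt(3) hash as the default for every host, where the old file left the password commented out and unset. Anyone who can read the repository can run an offline guessing attack against it, and the users role applies it to an account it places in the `sudo` group, so the strength of one shared password now gates root on all machines. Keep the committed default unset and load the hash from an Ansible Vault file or a private inventory, e.g. `user_password_crypted: "{{ vault_user_password_crypted }}"` (variable name is illustrative); quote the value if a literal stays. The comment's example puts the plaintext on the command line via `echo`, where shell history records it; `mkpasswd -m sha-512` with no argument prompts for it instead.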
@@ -128,8 +128,10 @@ d-i passwd/make-user boolean true
 # To create a normal user account.
 d-i passwd/user-fullname string Video Team User
 d-i passwd/username string {{ user_name }}
-# or encrypted using an MD5 hash.
-d-i passwd/user-password-crypted password {{ user_password |password_hash('sha512', pw_salt) }}
+# or encrypted.
+{% if user_password_crypted %}
+d-i passwd/user-password-crypted password {{ user_password_crypted }}
+{% endif %}
 {% if ansible_distribution == 'Ubuntu' %}
 # Ubuntu offers encrypted home directories
 d-i user-setup/encrypt-home boolean false
diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml
index 68ce94e..94512e1 100644
--- a/roles/users/defaults/main.yml
+++ b/roles/users/defaults/main.yml
@@ -1,8 +1,7 @@
 ---
 user_name: videoteam
 user_group: videoteam
-user_password: null
-pw_salt: XIc3E749RVFPAcAE
+user_password_crypted: null
 public_keys_onsite:
 - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDIV8pOIHMN/1feXMgnmmHg2cEVLJQ1bu2F8AjpzWdoRJAtS+onMUN2y1jbfT59BSxQ1zStIbRnYyYJy3ylpEbsfTngYU7v9p0VFAcjRGfhjHFr0ImC/rkjlTnkNYnUc3D3hIIXlgk0OxqL/X7eGPruPVpznJivypDr2aI9Qzf6A0CXlXjzflzhSbwa1HkoY+XwPXC0SJogmxfn4e2NuNFRx1mW6xwa7cDibop0eeiql1rasN8f0m4ErJdKxed79Bt7a9+Kz01yDdDjNEbQeSSf0JpUPB4/UeSViWePbS83vYjXLG3EOjAIdHlirN5arhXoO0YcoQHnRyc+gcjSkm5d stefanor smartcard
 public_keys_offsite:
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
index 7a04871..7c2b763 100644
--- a/roles/users/tasks/main.yml
+++ b/roles/users/tasks/main.yml
@@ -3,9 +3,8 @@
 user:
 name: "{{ user_name }}"
 groups: audio,plugdev,sudo,video
- password: "{{ user_password |password_hash('sha512', pw_salt) }}"
- shell: /bin/bash
- when: user_password
+ password: "{{ user_password_crypted }}"
+ when: user_password_crypted
 - name: install sudo
 apt:
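Review bot: The new `{% if user_password_crypted %}` block copies the hash verbatim into the rendered preseed file, and if the tftp-server role publishes that file to the install network without authentication (not visible in this hunk), every machine on that network can read it. Consider giving the installer its own hash, distinct from the one the users role sets afterwards, so the preseed copy is only an install-time credential. When the variable is unset the line is now omitted while `passwd/make-user boolean true` stays, so the installer should fall back to asking for the password interactively; a comment above the block such as `# No hash configured: d-i asks for the user password during install.` would record that this is intended. The `# or encrypted.` comment refers to text above the hunk, which is not shown.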
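Review bot: The hunk in `roles/users/tasks/main.yml` removes `shell: /bin/bash` from the `user` task together with the password change, and the commit message does not mention it; without the key, a newly created account gets the system's default login shell instead of bash. If the removal was not deliberate, restore `shell: /bin/bash` next to the new `password:` line. The task's `- name:` line is above the hunk; from what is visible, `when: user_password_crypted` skips the whole task, so the `groups:` membership is also not applied when no hash is set, which deserves a comment like `# Skipped when no hash is set; the account then comes from the installer` if that is the intent.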