From 9906daa83c2c915c0f2592986cdef91569263349 Mon Sep 17 00:00:00 2001
From: Toshio Kuratomi
Date: Thu, 18 Oct 2018 12:16:36 -0700
Subject: [PATCH] Fix password lookup for FIPS

Fixes #47297
---
 changelogs/fragments/fix-password-lookup-on-fips.yaml | 5 +++++
 lib/ansible/plugins/lookup/password.py | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/fragments/fix-password-lookup-on-fips.yaml

diff --git a/changelogs/fragments/fix-password-lookup-on-fips.yaml b/changelogs/fragments/fix-password-lookup-on-fips.yaml
new file mode 100644
index 00000000000..69ade9f7395
--- /dev/null
+++ b/changelogs/fragments/fix-password-lookup-on-fips.yaml
@@ -0,0 +1,5 @@
+---
+bugfixes:
+- 'Fix the password lookup when run from a FIPS enabled system. FIPS forbids
+ the use of md5 but we can use sha1 instead.
+ https://github.com/ansible/ansible/issues/47297'
diff --git a/lib/ansible/plugins/lookup/password.py b/lib/ansible/plugins/lookup/password.py
index 6bbf44927de..c4c347431bf 100644
--- a/lib/ansible/plugins/lookup/password.py
+++ b/lib/ansible/plugins/lookup/password.py
@@ -268,7 +268,7 @@ def _get_lock(b_path):
 """Get the lock for writing password file."""
 first_process = False
 b_pathdir = os.path.dirname(b_path)
- lockfile_name = to_bytes("%s.ansible_lockfile" % hashlib.md5(b_path).hexdigest())
+ lockfile_name = to_bytes("%s.ansible_lockfile" % hashlib.sha1(b_path).hexdigest())
 lockfile = os.path.join(b_pathdir, lockfile_name)
 if not os.path.exists(lockfile) and b_path != to_bytes('/dev/null'):
 try:
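Review bot: The changed `lockfile_name` line in `_get_lock` has no comment saying that the digest only derives a per-path file name and carries no security weight, which is what an auditor or a weak-hash lint rule will ask about. I would add above it `# Non-cryptographic use: the digest only names the lockfile; sha1 instead of md5 because FIPS forbids md5`. Because the name now differs from the md5-derived one, a process still running the old code against the same password file would presumably take a different lock during a mixed-version run, which deserves a sentence in the changelog fragment. If policy later restricts SHA-1 as well, `hashlib.sha256(b_path).hexdigest()` would be the longer-lived choice for the same purpose. The body of `_get_lock` continues past the end of the hunk, so the locking logic after `try:` is not reviewed here.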