Refine iiab-admin role for Admin Console etc

2025-03-09 15:40:17 +00:00 · 2020-10-16 14:00:30 -04:00 · 2020-10-16 14:00:30 -04:00 · 25c9733541
commit 25c9733541
parent 0cf1cfc90d
15 changed files with 136 additions and 114 deletions
--- a/roles/2-common/tasks/packages.yml
+++ b/roles/2-common/tasks/packages.yml
@ -27,7 +27,7 @@
    state: present
  when: is_debuntu | bool

- name: "Install 23 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
+- name: "Install 22 common packages: acpid, bridge-utils, bzip2, curl, gawk, hostapd, htop, i2c-tools, logrotate, make, mlocate, netmask, net-tools, ntfs-3g, pandoc, pastebinit, rsync, sqlite3, sudo, tar, unzip, usbutils, wget"
  package:
    name:
      - acpid
@ -52,7 +52,7 @@
      - rsync
      #- screen    # Installed by 1-prep's roles/iiab-admin/tasks/access.yml
      - sqlite3
-      - sudo    # MIGHT already have been installed by 1-prep's roles/iiab-admin/tasks/admin-user.yml *IF* iiab_admin_user_install: True
+      #- sudo    # Installed by 1-prep's roles/iiab-admin/tasks/sudo-prereqs.yml
      - tar
      - unzip
      #- usbmount    # Moved to roles/usb_lib/tasks/install.yml
--- a/roles/iiab-admin/README.rst
+++ b/roles/iiab-admin/README.rst
@ -33,7 +33,7 @@ Security
 --------

 * A user MUST be a member of at least one of these 2 Linux groups, in order to log in to IIAB's Admin Console: (http://box.lan/admin)
-   #. ``iiab-admin`` (specified by ``iiab_admin_user_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
+   #. ``iiab-admin`` (specified by ``admin_console_group`` near the bottom of `/opt/iiab/iiab-admin-console/vars/default_vars.yml <https://github.com/iiab/iiab-admin-console/blob/master/vars/default_vars.yml>`_)
   #. ``sudo``
 * Please read much more about what escalated (root) actions are authorized when you log into IIAB's Admin Console, and how this works: https://github.com/iiab/iiab-admin-console/blob/master/Authentication.md
 * If your IIAB includes OpenVPN, ``/root/.ssh/authorized_keys`` should be installed by `roles/openvpn/tasks/install.yml <https://github.com/iiab/iiab/blob/master/roles/openvpn/tasks/install.yml>`_ to faciliate remote community support.  Feel free to remove this as mentioned here: http://wiki.laptop.org/go/IIAB/Security
@ -50,18 +50,20 @@ Example
 Historical Notes
 ================

-* We no longer recommend setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent) as this is very cumbersome — and worse, exposes your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_.  [October 2020]
-* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are also no longer recommended.  [October 2020]
+* We no longer support setting your password using a hash e.g. ``python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'`` (or the Python 3 equivalent, ``python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'``) as these are very cumbersome — and worse, exposing your "salt" opens up your password to `possible attack <https://stackoverflow.com/questions/6776050/how-long-to-brute-force-a-salted-sha-512-hash-salt-provided>`_.  [October 2020]
+* The sudo flag ``NOPASSWORD:`` and the ``wheel`` group are similarly no longer recommended, so that your IIAB faces fewer security risks.  [October 2020]

 Tools to facilitate Remote Support
 ----------------------------------

-In addition to the iiab-diagnostics and OpenVPN options mentioned above, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <https://github.com/holta/iiab/blob/sudoers_anonymous/roles/iiab-admin/tasks/access.yml>`_ adds a few more essential tools:
+The iiab-diagnostics and OpenVPN options mentioned can greatly help you help your community, typically during the implementation phase of your project, even if Linux is new to you.

-* screen
-* lynx
+Similarly, `/opt/iiab/iiab/roles/iiab-admin/tasks/access.yml <tasks/access.yml>`_ adds a couple text mode tools, very helpful at a distance with expensive / low-bandwidth connections:

-*Please also see:*
+* `lynx <https://en.wikipedia.org/wiki/Lynx_(web_browser)>`_
+* `screen <https://linuxize.com/post/how-to-use-linux-screen/>`_
+
+*More great tools to help you jumpstart community work at a distance:*

 http://FAQ.IIAB.IO > "How can I remotely manage my Internet-in-a-Box?"

--- a/roles/iiab-admin/defaults/main.yml
+++ b/roles/iiab-admin/defaults/main.yml
@ -10,6 +10,7 @@
 # iiab_admin_user_install: True
 # iiab_admin_can_sudo: True   # For /usr/bin/iiab-* support commands. Optional.
 # iiab_admin_published_pwd: g0adm1n   # Default password. For pwd warnings too.
+# admin_console_group: iiab-admin   # This group & sudo log in to Admin Console

 # All above are set in: github.com/iiab/iiab/blob/master/vars/default_vars.yml
 # If nec, change them by editing /etc/iiab/local_vars.yml prior to installing!
--- a/roles/iiab-admin/tasks/access.yml
+++ b/roles/iiab-admin/tasks/access.yml
@ -1,6 +1,6 @@
- name: "Install textmode remote access packages: screen, lynx"
+- name: "Install text mode packages, useful during remote access: screen, lynx"
  package:
    name:
-    - screen
-    - lynx
+      - lynx
+      - screen
    state: present
--- a/roles/iiab-admin/tasks/admin-user.yml
+++ b/roles/iiab-admin/tasks/admin-user.yml
@ -1,16 +1,28 @@
- name: Check if user '{{ iiab_admin_user }}' exists    # iiab-admin
+# Summary of how this works with IIAB's Admin Console etc:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/README.rst
+
+
+# YOU CAN CHANGE THIS USER TO 'pi' OR 'ubuntu' ETC, IN /etc/iiab/local_vars.yml
+- name: Does user '{{ iiab_admin_user }}' (iiab_admin_user) exist?    # iiab-admin BY DEFAULT
  command: "id {{ iiab_admin_user | quote }}"    # quote to avoid ';' exploits
  register: user_info
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')

- name: Establish user {{ iiab_admin_user }} with shell /bin/bash, for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
+# admin_console_group: iiab-admin   # PER default_vars.yml, SHOULD NEVER CHANGE
+- name: Establish Linux group '{{ admin_console_group }}' group, for login to Admin Console
+  group:
+    name: "{{ admin_console_group }}"
+    state: present
+
+- name: Configure user '{{ iiab_admin_user }}' with group '{{ admin_console_group }}' for login to IIAB's Admin Console (http://box.lan/admin) AND for IIAB community support commands (/usr/bin/iiab-* and /usr/sbin/iiab-*) at the command-line
  user:
    name: "{{ iiab_admin_user }}"
-    #group: "{{ iiab_admin_user }}"     # Neither nec as 'USERGROUPS_ENAB yes'
-    #groups: "{{ iiab_admin_user }}"    # is set in any modern /etc/login.defs
+    #group: "{{ iiab_admin_user }}"    # Not nec.  Anyway this happens during account creation b/c 'USERGROUPS_ENAB yes' is set in any modern /etc/login.defs
+    groups: "{{ admin_console_group }}"    # What guarantees any user's ability to login to Admin Console, just in case the user is not a member of sudo in future.  FWIW Ansible adds the user to this group in /etc/group even in cases where that's not nec -- i.e. user iiab-admin's primary group is normally sufficient if it (the correct GID, corresponding to group iiab-admin) is in the 4th column of /etc/passwd.
+    append: yes
    shell: /bin/bash
    #password: "{{ iiab_admin_pwd_hash }}"    # 2020-10-14: DEPRECATED in favor
-    #update_password: on_create    # of 'command: chpasswd' below.  See: #2570
+    #update_password: on_create               # of 'command: chpasswd' below.

 - name: If user didn't exist, set password to '{{ iiab_admin_published_pwd }}'    # g0adm1n
  #shell: "echo {{ iiab_admin_user }}:{{ iiab_admin_published_pwd }} | chpasswd"
@ -20,18 +32,15 @@
  when: user_info.rc != 0


-# roles/2-common/tasks/packages.yml also installs sudo, but that's too late
- name: 'Install package: sudo'
-  package:
-    name: sudo
+# sudo-prereqs.yml needs to have been run!

 - name: Add user {{ iiab_admin_user }} to group sudo, for IIAB community support commands like {iiab-diagnostics, iiab-hotspot-on, iiab-check-firmware}, if iiab_admin_can_sudo
-  command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
-  #user:
-  #  name: "{{ iiab_admin_user }}"
-  #  groups: sudo
-  #  append: yes
-  when: iiab_admin_can_sudo | bool
+  #command: "gpasswd -a {{ iiab_admin_user | quote }} sudo"
+  user:
+    name: "{{ iiab_admin_user }}"
+    groups: sudo
+    append: yes
+  when: iiab_admin_can_sudo

 - name: Remove user {{ iiab_admin_user }} from group sudo, if not iiab_admin_can_sudo
  command: "gpasswd -d {{ iiab_admin_user | quote }} sudo"
@ -39,32 +48,9 @@
  failed_when: False    # Hides red errors (stronger than 'ignore_errors: yes')


- name: Temporarily make file /etc/sudoers editable (0640)
-  file:
-    path: /etc/sudoers
-    mode: 0640
-
- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log'
-  lineinfile:
-    path: /etc/sudoers
-    regexp: logfile
-    line: "Defaults     logfile = /var/log/sudo.log"
-
 #- name: Lets {{ iiab_admin_user }} sudo without password
 ##- name: Lets wheel sudo without password
 #  lineinfile:
 #    path: /etc/sudoers
 #    line: "{{ iiab_admin_user }} ALL=(ALL) NOPASSWD: ALL"
 ##    line: "%wheel ALL= NOPASSWD: ALL"
-
-# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
-#- name: Remove all lines that contain 'requiretty'
-#  lineinfile:
-#    path: /etc/sudoers
-#    regexp: requiretty
-#    state: absent
-
- name: End editing file /etc/sudoers -- protect it again (0440)
-  file:
-    path: /etc/sudoers
-    mode: 0440
--- a/roles/iiab-admin/tasks/main.yml
+++ b/roles/iiab-admin/tasks/main.yml
@ -1,39 +1,28 @@
- include_tasks: admin-user.yml
+- name: Install lynx, screen
+  include_tasks: access.yml
+
+- name: Install sudo & /etc/sudoers with logging to /var/log/sudo.log
+  include_tasks: sudo-prereqs.yml
+
+- name: Configure user iiab-admin / password and its groups, if iiab_admin_user_install
+  include_tasks: admin-user.yml
  when: iiab_admin_user_install | bool

- include_tasks: access.yml
+# Idea: institute precautionary system-wide published password warning(s)
+# for user iiab-admin / g0adm1n, i.e. {{ iiab_admin_user }} with password
+# {{ iiab_admin_published_pwd }}, regardless whether the password is set:
+#
+# (1) by the OS installer
+# (2) by the OS's graphical desktop tools
+# (3) at the command-line: sudo passwd iiab-admin
+# (4) by IIAB's 1-line installer: http://download.iiab.io
+# (5) by this role: roles/iiab-admin/tasks/admin-user.yml
+# (6) by IIAB's Admin Console during installation
+# ...and/or...
+# (7) by IIAB's Admin Console > Utilities > Change Password

- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
-  template:
-    src: sshpwd-profile-iiab.sh
-    dest: /etc/profile.d/
-    mode: '0644'
-
- name: Is this LXDE-pi?
-  stat:
-    path: /etc/xdg/lxsession/LXDE-pi
-  register: lx
-
- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-  template:
-    src: sshpwd-lxde-iiab.sh
-    dest: /etc/xdg/lxsession/LXDE-pi/
-    mode: '0755'
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
-
-# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
-# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
-# (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
-# would be really nice to standardize this popup across Ubermix & all distros..
-# Is this a permissions/security issue presumably?  Official autostart spec is:
-# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
-# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
-
- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
-  lineinfile:
-    path: /etc/xdg/lxsession/LXDE-pi/autostart
-    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
-  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+- name: Install password warning(s)
+  include_tasks: pwd-warnings.yml


 # RECORD iiab-admin AS INSTALLED
@ -62,3 +51,7 @@
      value: '"Admin User"'
    - option: iiab_admin_user
      value: "{{ iiab_admin_user }}"
+    - option: iiab_admin_user_install
+      value: "{{ iiab_admin_user_install }}"
+    - option: iiab_admin_can_sudo
+      value: "{{ iiab_admin_can_sudo }}"
--- a/roles/iiab-admin/tasks/pwd-warnings.yml
+++ b/roles/iiab-admin/tasks/pwd-warnings.yml
@ -0,0 +1,31 @@
+- name: Install /etc/profile.d/sshpwd-profile-iiab.sh from template, to issue warnings (during shell/ssh logins) if iiab-admin password is the default
+  template:
+    src: sshpwd-profile-iiab.sh
+    dest: /etc/profile.d/
+    mode: '0644'
+
+- name: Is this LXDE-pi?
+  stat:
+    path: /etc/xdg/lxsession/LXDE-pi
+  register: lx
+
+- name: "Likewise for Raspbian, installing: /etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+  template:
+    src: sshpwd-lxde-iiab.sh
+    dest: /etc/xdg/lxsession/LXDE-pi/
+    mode: '0755'
+  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
+
+# 2019-03-07: This popup (/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh) does
+# not actually appear when triggered by /etc/xdg/autostart/pprompt-iiab.desktop
+# (or pprompt.desktop as Raspbian has working since 2018-11-13!)  Too bad as it
+# would be really nice to standardize this popup across Ubermix & all distros..
+# Is this a permissions/security issue presumably?  Official autostart spec is:
+# https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
+# Raspbian's 2016-2018 evolution here: https://github.com/iiab/iiab/issues/1537
+
+- name: Put line in /etc/xdg/lxsession/LXDE-pi/autostart to run the above (raspbian)
+  lineinfile:
+    path: /etc/xdg/lxsession/LXDE-pi/autostart
+    line: "@/etc/xdg/lxsession/LXDE-pi/sshpwd-lxde-iiab.sh"
+  when: lx.stat.isdir is defined and lx.stat.isdir and is_raspbian and is_debuntu
--- a/roles/iiab-admin/tasks/sudo-prereqs.yml
+++ b/roles/iiab-admin/tasks/sudo-prereqs.yml
@ -0,0 +1,27 @@
+# roles/2-common/tasks/packages.yml also installed sudo, but that's too late
+- name: 'Install package: sudo'
+  package:
+    name: sudo
+
+- name: Temporarily make file /etc/sudoers editable (0640)
+  file:
+    path: /etc/sudoers
+    mode: 0640
+
+- name: '/etc/sudoers: Have sudo log all commands to /var/log/sudo.log -- in addition to the lengthier /var/log/auth.log'
+  lineinfile:
+    path: /etc/sudoers
+    regexp: logfile
+    line: "Defaults     logfile = /var/log/sudo.log"
+
+# Not nec (heavyhanded removal of customizations+comments) given sudo defaults.
+#- name: Remove all lines that contain 'requiretty'
+#  lineinfile:
+#    path: /etc/sudoers
+#    regexp: requiretty
+#    state: absent
+
+- name: End editing file /etc/sudoers -- protect it again (0440)
+  file:
+    path: /etc/sudoers
+    mode: 0440
--- a/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-lxde-iiab.sh
@ -3,6 +3,9 @@
 # SEE ALSO: /etc/profile.d/sshpwd-profile-iiab.sh sourced from...
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/templates/sshpwd-profile-iiab.sh

+# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
+# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/pwd-warnings.yml#L19-L25
+
 # For Localization/Translation: (use /usr/bin/gettext below if later nec!)
 #export TEXTDOMAIN=pprompt-iiab
 #. gettext.sh
--- a/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
+++ b/roles/iiab-admin/templates/sshpwd-profile-iiab.sh
@ -44,8 +44,6 @@ check_user_pwd() {
 # HISTORICAL: if password-free sudo access is truly nec, it can be set with
 # "iiab-admin ALL=(ALL) NOPASSWD: ALL" in /etc/sudoers as seen in the older:
 # https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/admin-user.yml
-# CAUTION: popup warnings still don't appear on most OS's, as mentioned here:
-# https://github.com/iiab/iiab/blob/master/roles/iiab-admin/tasks/main.yml#L24-L30

 if check_user_pwd "{{ iiab_admin_user }}" "{{ iiab_admin_published_pwd }}" ; then    # iiab-admin g0adm1n
    echo
--- a/roles/nginx/tasks/install.yml
+++ b/roles/nginx/tasks/install.yml
@ -16,10 +16,11 @@
    - php-fpm
    - libnginx-mod-http-subs-filter

- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
-  user:
-    name: "{{ apache_user }}"    # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
-    groups: shadow
+# 2020-10-16: Removed per #2560
+#- name: Add user '{{ apache_user }}' to shadow group, so it can authenticate Admin Console
+#  user:
+#    name: "{{ apache_user }}"    # www-data or apache, per /opt/iiab/iiab/vars/<OS>.yml
+#    groups: shadow

 - name: Remove NGINX default config /etc/nginx/sites-enabled/default
  file:
--- a/vars/default_vars.yml
+++ b/vars/default_vars.yml
@ -58,9 +58,10 @@ language_priority: en es fr
 iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
-iiab_admin_user_install: True
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
 iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.
 iiab_admin_published_pwd: g0adm1n    # Default password.  For pwd warnings too.
+admin_console_group: iiab-admin    # This group & sudo log in to Admin Console.

 # DEPRECATED - Password hash to override above, if Ansible creates above user:
 iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
--- a/vars/local_vars_big.yml
+++ b/vars/local_vars_big.yml
@ -30,16 +30,9 @@ language_priority: en es fr
 iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
-iiab_admin_user_install: True
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
 iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

-# DEPRECATED - Password hash to override above, if Ansible creates above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-
 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
--- a/vars/local_vars_medium.yml
+++ b/vars/local_vars_medium.yml
@ -30,16 +30,9 @@ language_priority: en es fr
 iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
-iiab_admin_user_install: True
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
 iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

-# DEPRECATED - Password hash to override above, if Ansible creates above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-
 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True
--- a/vars/local_vars_min.yml
+++ b/vars/local_vars_min.yml
@ -30,16 +30,9 @@ language_priority: en es fr
 iiab_admin_user: iiab-admin    # Some prefer to reuse 'pi' or 'ubuntu' etc.
 # Set iiab_admin_user_install: False if you don't want iiab_admin_user auto-
 # configured e.g. by IIAB's 1-line installer & iiab-admin/tasks/admin-user.yml
-iiab_admin_user_install: True
+iiab_admin_user_install: True    # If False, THE SETTING BELOW WILL BE IGNORED.
 iiab_admin_can_sudo: True    # For /usr/bin/iiab-* support commands.  Optional.

-# DEPRECATED - Password hash to override above, if Ansible creates above user:
-iiab_admin_pwd_hash: $6$xsce51$D.IrrEeLBYIuJkGDmi27pZUGOwPFp98qpl3hxMwWV4hXigFGmdSvy3s/j7tn6OnyTTLmlV7SsN0lCUAFzxSop.
-# Obtain a password hash - NEW MORE SECURE WAY:
-#    python3 -c 'import crypt; print(crypt.crypt("<plaintext>", crypt.mksalt(crypt.METHOD_SHA512)))'
-# Obtain a password hash - OLD WAY:
-#    python -c 'import crypt; print crypt.crypt("<plaintext>", "$6$<salt>")'
-
 # Set these to False if you do not want to install/enable IIAB Admin Console
 admin_console_install: True
 admin_console_enabled: True