I need to create a test user with a password using puppet.
I’ve read that puppet cannot manage user passwords in a generic cross-platform way, which is a pity. I am doing this for Red Hat Enterprise Linux Server release 6.3.
I do as follows:
user { 'test_user': ensure => present, password => sha1('hello'), }
puppet updates the password of the user, but Linux says login/pwd incorrect when I try to log in.
It works (I can login) if I set the password manually in Linux with sudo passwd test_user
, and then look at /etc/shadow
and hardcode that value in puppet. something like:
user { 'test_user': ensure => present, password => '$1$zi13KdCr$zJvdWm5h552P8b34AjxO11', }
I’ve tried also by adding $1$
in front of the sha1('hello')
,
but it does not work either (note, $1$
stands for sha1).
How to modify the first example to make it work (using the plaintext password in the puppet file)?
P.S.: I am aware that I should use LDAP, or sshkeys, or something else, instead of hardcoding the user passwords in the puppet file. however, I am doing this only for running a puppet vagrant test, so it is ok to hardcode the user password.
Advertisement
Answer
I had success (gist) with ruby’s String#crypt method from within a Puppet parser function.
AFAICS it’s using the crypt libc functions (see: info crypt
), and takes the same arguments $n$[rounds=<m>$]salt
, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).