
Managing a user password for Linux in Puppet

I need to create a test user with a password using Puppet.

I’ve read that Puppet cannot manage user passwords in a generic cross-platform way, which is a pity. I am doing this for Red Hat Enterprise Linux Server release 6.3.

I do as follows:

user { 'test_user': 
  ensure   => present,
  password => sha1('hello'),
}

Puppet updates the password of the user, but Linux says login/pwd incorrect when I try to log in.

It works (I can log in) if I set the password manually in Linux with sudo passwd test_user, and then look at /etc/shadow and hardcode that value in Puppet. Something like:

user { 'test_user': 
  ensure   => present,
  password => '$1$zi13KdCr$zJvdWm5h552P8b34AjxO11',
}

I’ve also tried adding $1$ in front of the sha1('hello'), but it does not work either (note, $1$ stands for sha1).

How can I modify the first example to make it work (using the plaintext password in the Puppet file)?

P.S.: I am aware that I should use LDAP, or SSH keys, or something else, instead of hardcoding the user passwords in the Puppet file. However, I am doing this only for running a Puppet Vagrant test, so it is OK to hardcode the user password.


Answer

I had success (gist) with Ruby’s String#crypt method from within a Puppet parser function.

AFAICS it’s using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).

User contributions licensed under: CC BY-SA
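
The approach from the answer above, as an added example (not the answerer's gist and not Puppet's own code): a plain Ruby helper that builds the $6$ setting string, calls String#crypt, and shows why a bare sha1 hex digest is not a usable shadow field. The names shadow_sha512, shadow_scheme and shadow_matches? and the sample salt are assumptions made for this illustration, and it relies on a libc crypt(3) that supports $6$ (glibc on Linux does).

```ruby
require 'securerandom'
require 'digest'

SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze
# crypt(3) scheme ids as used by glibc in /etc/shadow.
SCHEMES = { '1' => 'MD5', '5' => 'SHA-256', '6' => 'SHA-512' }.freeze

# Build a "$6$[rounds=<m>$]salt$hash" string for the user resource's password.
# Hypothetical helper name; a random 16-character salt is used when none is given.
def shadow_sha512(plaintext, salt: nil, rounds: nil)
  salt ||= Array.new(16) { SALT_CHARS[SecureRandom.random_number(64)] }.join
  raise ArgumentError, 'bad salt' unless salt.match?(%r{\A[a-zA-Z0-9./]{1,16}\z})
  setting = rounds ? "$6$rounds=#{Integer(rounds)}$#{salt}" : "$6$#{salt}"
  hashed = plaintext.crypt(setting)
  # A libc without $6$ support may fall back to another scheme; refuse that result.
  raise 'crypt(3) here does not support $6$' unless hashed.start_with?("#{setting}$")
  hashed
end

# Name the scheme of a shadow password field, or nil when the field is not in
# "$id$salt$hash" form (for example a bare hex digest).
def shadow_scheme(field)
  m = field.match(/\A\$(\w+)\$(?:rounds=\d+\$)?[^$]+\$[^$]+\z/)
  m && SCHEMES[m[1]]
end

# Offline sanity check: re-hash with the stored field as the setting string.
def shadow_matches?(plaintext, field)
  plaintext.crypt(field) == field
end

if __FILE__ == $PROGRAM_NAME
  h = shadow_sha512('hello', salt: 'constructedsalt') # constructed sample salt
  puts h
  puts shadow_scheme(h).inspect
  puts shadow_scheme(Digest::SHA1.hexdigest('hello')).inspect
end
```

The returned string is what goes into the password attribute; generating it once and committing only the hash keeps the plaintext out of the manifest.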