Managing a user password for linux in puppet

问题

I need to create a test user with a password using puppet.

I've read that puppet cannot manage user passwords in a generic cross-platform way, which is a pity. I am doing this for Red Hat Enterprise Linux Server release 6.3.

I do as follows:

user { 'test_user': 
  ensure   => present,
  password => sha1('hello'),
}

puppet updates the password of the user, but Linux says login/pwd incorrect when I try to log in.

It works (I can login) if I set the password manually in Linux with sudo passwd test_user, and then look at /etc/shadow and hardcode that value in puppet. something like:

user { 'test_user': 
  ensure   => present,
  password => '$1$zi13KdCr$zJvdWm5h552P8b34AjxO11',
}

I've tried also by adding $1$ in front of the sha1('hello'), but it does not work either (note, $1$ stands for sha1).

How to modify the first example to make it work (using the plaintext password in the puppet file)?

P.S.: I am aware that I should use LDAP, or sshkeys, or something else, instead of hardcoding the user passwords in the puppet file. however, I am doing this only for running a puppet vagrant test, so it is ok to hardcode the user password.

回答1:

I had success (gist) with ruby's String#crypt method from within a Puppet parser function.

AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).

回答2:

Linux users have their passwords stored as hash in /etc/shadow file. Puppet passes the password supplied in the user type definition in the /etc/shadow file.

Generate your hash password using openssl command:

 #openssl passwd -1  
 #Enter your password here 
 Password: 
 Verifying - Password: 
 $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM

The previous example generate this hash: $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/

Add this hash password to your class as shown (do not forget the quotes)

user { 'test_user': 
  ensure   => present,
  password => '$1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/',
}

回答3:

The stdlib package of puppetlabs implements a similar pw_hash function of the accepted answer.

Be sure to add the library to your configuration. If you use librarian, just add in your Puppetfile

mod 'puppetlabs-stdlib'

Then to create an user, simply :

user { 'user':
  ensure => present,
  password => pw_hash('password', 'SHA-512', 'mysalt'),
}

回答4:

The sha1 function in puppet is not directly intended for passwd entries, as you figured out. I'd say setting the hash rather than the password is good practice! You are not really supposed to be able to recover a password anyway - you can generate it once, or you can have puppet generate it every time - generating that hash once should be enough IMHO... You can generate a password on Debian/Ubuntu like this:

pwgen -s -1 | mkpasswd -m sha-512 -s

...on CentOS you can use some grub-crypt command instead of mkpasswd...

回答5:

You can use the generate function to let Puppet create the hash for you:

$password = 'hello'

user { 'test_user':
    ensure   => 'present',
    password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
}

回答6:

Puppet: user with a SHA 512 hashed password

I came up with a method that doesn't need anything to add if you have python 2.6. I tested this on puppet 3.6.2 on CentOS 6.4:

$pass="password"
$shatag="\$6\$"
$cmd="import crypt, base64, os, sys; sys.stdout.write(crypt.crypt('$pass', '$shatag' + base64.b64encode(os.urandom(16))[:8]))"
user { 'boop':
  ensure   => present,
  password => generate ("/usr/bin/python", "-c", $cmd),
}

Explanations

1. the sha tag is here to specify to crypt the hash method we want: 6 is the type of hash for SHA-512

   • $1$ -> MD5
   • $2a$ -> Blowfish (not in mainline glibc; added in some Linux distributions)
   • $5$ -> SHA-256 (since glibc 2.7)
   • $6$ -> SHA-512 (since glibc 2.7)

thx davey and wiki_crypt

2. sys.stdout.write is here to avoid '\n' of print

3. base64.b64encode(os.urandom(16))[:8]):

   • os.urandom(16) create a 16 bits long binary string
   • base64.b64encode encode this string in base64
   • [:8] take the first 8 characters of this string (as base64 encoding length may vary)

4. generate is a puppet function that create text when on the puppet master. You can't use this function like you want because it is 'protected' ê.é (last post suggest a workaround to this protection-or-whatever)

hth

回答7:

In my Vagrantfile, I did this:

$newuserid = ENV["USERNAME"]

config.vm.provision :puppet do |puppet|
    puppet.module_path    = "modules"
    puppet.manifests_path = "manifests"
    puppet.manifest_file  = "main.pp"
    puppet.facter         = {"newuserid" => $newuserid}
    puppet.options        = "--verbose"    
end

And in my main.pp file:

user { $newuserid :
  ensure  => present,
  home    => "/home/${newuserid}",
  managehome => true,
  gid => "mygid",
}

exec { 'set password':
  command => "/bin/echo \"${newuserid}:${newuserid}\" | /usr/sbin/chpasswd",
  require => User [ $newuserid ],
}

回答8:

just generate encrypted password from grub-crypt --sha-512 and paste

来源：https://stackoverflow.com/questions/19114328/managing-a-user-password-for-linux-in-puppet