Managing a user password for linux in puppet

Question

I need to create a test user with a password using puppet.

I\'ve read that puppet cannot manage user passwords in a generic cross-platform way, which is a pity. I am

Answer 1

Puppet: user with a SHA 512 hashed password

I came up with a method that doesn't need anything to add if you have python 2.6. I tested this on puppet 3.6.2 on CentOS 6.4:

$pass="password"
$shatag="\$6\$"
$cmd="import crypt, base64, os, sys; sys.stdout.write(crypt.crypt('$pass', '$shatag' + base64.b64encode(os.urandom(16))[:8]))"
user { 'boop':
  ensure   => present,
  password => generate ("/usr/bin/python", "-c", $cmd),
}

Explanations

1. the sha tag is here to specify to crypt the hash method we want: 6 is the type of hash for SHA-512

   • $1$ -> MD5
   • $2a$ -> Blowfish (not in mainline glibc; added in some Linux distributions)
   • $5$ -> SHA-256 (since glibc 2.7)
   • $6$ -> SHA-512 (since glibc 2.7)

thx davey and wiki_crypt

2. sys.stdout.write is here to avoid '\n' of print

3. base64.b64encode(os.urandom(16))[:8]):

   • os.urandom(16) create a 16 bits long binary string
   • base64.b64encode encode this string in base64
   • [:8] take the first 8 characters of this string (as base64 encoding length may vary)

4. generate is a puppet function that create text when on the puppet master. You can't use this function like you want because it is 'protected' ê.é (last post suggest a workaround to this protection-or-whatever)

hth