Managing a user password for linux in puppet

心在旅途 2020-12-07 16:00

I need to create a test user with a password using puppet.

I've read that puppet cannot manage user passwords in a generic cross-platform way, which is a pity. I am

8 answers
  • 2020-12-07 16:11

    You can use the generate function to let Puppet create the hash for you:

    $password = 'hello'
    
    user { 'test_user':
        ensure   => 'present',
        password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
    }
    
  • 2020-12-07 16:12

    The puppetlabs stdlib package implements a pw_hash function similar to the one in the accepted answer.

    Be sure to add the library to your configuration. If you use librarian, just add this to your Puppetfile:

    mod 'puppetlabs-stdlib'
    

    Then, to create a user, simply:

    user { 'user':
      ensure => present,
      password => pw_hash('password', 'SHA-512', 'mysalt'),
    }
    
  • 2020-12-07 16:17

    Linux users have their passwords stored as a hash in the /etc/shadow file. Puppet passes the password supplied in the user type definition into the /etc/shadow file.

    Generate your password hash using the openssl command:

     #openssl passwd -1  
     #Enter your password here 
     Password: 
     Verifying - Password: 
     $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM
    

    The previous example generates this hash: $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/

    Add this password hash to your class as shown (do not forget the quotes):

    user { 'test_user': 
      ensure   => present,
      password => '$1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/',
    }
    
  • 2020-12-07 16:17

    The sha1 function in puppet is not directly intended for passwd entries, as you figured out. I'd say setting the hash rather than the password is good practice! You are not really supposed to be able to recover a password anyway - you can generate it once, or you can have puppet generate it every time - generating that hash once should be enough IMHO... You can generate a password on Debian/Ubuntu like this:

    pwgen -s -1 | mkpasswd -m sha-512 -s
    

    ...on CentOS you can use some grub-crypt command instead of mkpasswd...

  • 2020-12-07 16:19

    In my Vagrantfile, I did this:

    $newuserid = ENV["USERNAME"]
    
    config.vm.provision :puppet do |puppet|
        puppet.module_path    = "modules"
        puppet.manifests_path = "manifests"
        puppet.manifest_file  = "main.pp"
        puppet.facter         = {"newuserid" => $newuserid}
        puppet.options        = "--verbose"    
    end
    

    And in my main.pp file:

    user { $newuserid :
      ensure  => present,
      home    => "/home/${newuserid}",
      managehome => true,
      gid => "mygid",
    }
    
    exec { 'set password':
      command => "/bin/echo \"${newuserid}:${newuserid}\" | /usr/sbin/chpasswd",
      require => User[$newuserid],
    }
    
  • 2020-12-07 16:20

    I had success (gist) with Ruby's String#crypt method from within a Puppet parser function.

    AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).

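As an added example (not code from any of the answers above), this Ruby sketch builds the `$n$[rounds=<m>$]salt` setting string described in the last answer, hashes with `String#crypt`, and parses a shadow-format hash so a value can be checked before it goes into a manifest. The function names, the sample password and the salt are assumptions made for illustration, and SHA-512 output requires a libc whose crypt() supports `$6$` (glibc does).

```ruby
require 'securerandom'

# crypt(3) scheme ids as they appear in /etc/shadow, with the expected digest length.
SCHEMES = {
  '1' => { name: 'MD5',     digest_len: 22 },
  '5' => { name: 'SHA-256', digest_len: 43 },
  '6' => { name: 'SHA-512', digest_len: 86 },
}.freeze
B64 = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze
SHADOW_RE = %r{\A\$(?<id>[156])\$(?:rounds=(?<rounds>\d+)\$)?(?<salt>[./0-9A-Za-z]{1,16})\$(?<digest>[./0-9A-Za-z]+)\z}

# Build the "$n$[rounds=<m>$]salt" setting string; random 16-character salt by default.
def crypt_setting(id: '6', rounds: nil, salt: nil)
  salt ||= Array.new(16) { B64[SecureRandom.random_number(B64.size)] }.join
  rounds ? "$#{id}$rounds=#{rounds}$#{salt}" : "$#{id}$#{salt}"
end

# Hash a password into the form the user resource's password attribute expects.
def shadow_hash(password, **opts)
  password.crypt(crypt_setting(**opts))
end

# Split a shadow hash into its fields; nil when it is malformed or truncated.
def parse_shadow_hash(hash)
  m = SHADOW_RE.match(hash.to_s) or return nil
  scheme = SCHEMES[m[:id]]
  return nil unless m[:digest].length == scheme[:digest_len]
  { scheme: scheme[:name], rounds: m[:rounds]&.to_i, salt: m[:salt] }
end

# Check a candidate password: crypt() with the stored hash as setting must reproduce it.
def password_matches?(password, stored)
  !parse_shadow_hash(stored).nil? && password.crypt(stored) == stored
end

# Policy check for manifests: only well-formed SHA-512 hashes pass.
def acceptable_for_manifest?(hash)
  info = parse_shadow_hash(hash)
  !info.nil? && info[:scheme] == 'SHA-512'
end

if __FILE__ == $PROGRAM_NAME
  fixed = shadow_hash('hello', salt: 'mysalt') # constructed sample password and salt
  puts fixed
  puts parse_shadow_hash(fixed).inspect
  # The $1$ string as printed on this page does not parse as a complete hash.
  puts acceptable_for_manifest?('$1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/')
end
```

With a fixed salt the hash is identical on every run, so the user resource stays unchanged between Puppet runs; with a random salt each call yields a different hash for the same password.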