Managing a user password for linux in puppet

Linux users have their passwords stored as hash in /etc/shadow file. Puppet passes the password supplied in the user type definition in the /etc/shadow file.

Generate your hash password using openssl command:

 #openssl passwd -1  
 #Enter your password here 
 Password: 
 Verifying - Password: 
 $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM

The previous example generate this hash: $1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/

Add this hash password to your class as shown (do not forget the quotes)

user { 'test_user': 
  ensure   => present,
  password => '$1$HTQUGYUGYUGwsxQxCp3F/nGc4DCYM/',
}

The sha1 function in puppet is not directly intended for passwd entries, as you figured out. I'd say setting the hash rather than the password is good practice! You are not really supposed to be able to recover a password anyway - you can generate it once, or you can have puppet generate it every time - generating that hash once should be enough IMHO... You can generate a password on Debian/Ubuntu like this:

pwgen -s -1 | mkpasswd -m sha-512 -s

...on CentOS you can use some grub-crypt command instead of mkpasswd...


The stdlib package of puppetlabs implements a similar pw_hash function of the accepted answer.

Be sure to add the library to your configuration. If you use librarian, just add in your Puppetfile

mod 'puppetlabs-stdlib'

Then to create an user, simply :

user { 'user':
  ensure => present,
  password => pw_hash('password', 'SHA-512', 'mysalt'),
}

I had success (gist) with ruby's String#crypt method from within a Puppet parser function.

AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).

Tags:

Linux

Puppet