Step by step guide to setting user passwords


Jfro

Aug 2, 2011, 3:52:38 PM
to puppet...@googlegroups.com
I'm new to Puppet but have searched this group and Puppet docs for how to set up user passwords using puppet.  I haven't found a clear answer about setting user passwords.

I understand that it is a security risk to send plain text passwords via Puppet.  However, for my use case (setting up one "student" user on a school computer lab) I think the risk is acceptable.

Can someone walk me through the steps of sending out a password to all my computers for user "student."

My puppetmaster and puppets are running Ubuntu Lucid 10.4 LTS.

Thanks for getting a newbie off the ground!

Len Rugen

Aug 2, 2011, 8:35:37 PM
to puppet...@googlegroups.com
You aren't sending the password, you are sending the "shadow".  On one system, set the desired password, get the shadow value, put that in puppet. 

[root@localhost ~]# passwd student
Changing password for user student.
New password:
BAD PASSWORD: it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]# grep student /etc/shadow
student:$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0:15189:0:99999:7:::
[root@localhost ~]#

In puppet, passwd => "$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0",

This is from memory, so not syntax checked.  That hash is for a password that was simple and got the gripe.

Of course, you will have to install and configure puppet on all of your systems. 



Jfro

Aug 2, 2011, 9:54:46 PM
to puppet...@googlegroups.com
Len,

Thanks for the clear directions.  I wasn't sure if the shadow value could be transferred to different computers and be decrypted correctly.  It looks like it can.  I'll give this a try!

I appreciate your clear directions and taking time to help a newbie.  You saved me hours of searching and pulling out my hair!


vagn scott

Aug 2, 2011, 10:21:12 PM
to puppet...@googlegroups.com
On 08/02/2011 03:52 PM, Jfro wrote:
>
> Can someone walk me through the steps of sending out a password to all
> my computers for user "student."

I do this a lot:

yes 'PASSWORD' | passwd username

Then you can extract the password from /etc/shadow

also see here:

http://serverfault.com/questions/87874/how-should-someone-create-an-encrypted-password-for-etc-shadow

--
vagn

Len Rugen

Aug 2, 2011, 10:36:17 PM
to puppet...@googlegroups.com
Works on about 300 of ours :-)




Daniel Maher

Aug 3, 2011, 2:47:19 AM
to puppet...@googlegroups.com

This will help :
http://docs.puppetlabs.com/references/2.7.0/type.html#user-3

Otherwise, it's really just as simple as this :

user { 'student_account':
  name     => 'username',
  password => '$6$xx...' # this is the crypted password string.
}

You can also set their group membership, home directory, uid, and other
things as well. Just ensure that the user statement is in a class
that's included on all of your target machines, and you're done.


--
dan.

Peter Meier

Aug 3, 2011, 5:21:27 AM
to puppet...@googlegroups.com
>> Can someone walk me through the steps of sending out a password to all
>> my computers for user "student."
>
> I do this a lot:
>
> yes 'PASSWORD' | passwd username
>
> Then you can extract the password from /etc/shadow
>
> also see here:
>
> http://serverfault.com/questions/87874/how-should-someone-create-an-encrypted-password-for-etc-shadow


No need to go over /etc/shadow or use mkpasswd (which is not available
that easy on all distros). How about

# salt=`pwgen 8 1`; pass=`pwgen -s 12 1`;ruby -e "puts \
ARGV[0].crypt('\$6\$' << ARGV[1] << '\$')" $pass $salt; echo $pass
$6$eemaihic$3gwFGQxMWE8n/KMZlNe3O9dVoQC5zCXrtabhpCLeDp54eYTGK8WAHovxYZLaQf8YF93Hwfh466CQ966Xoh6O81
FmstT8KObWVu

?

~pete

Ryan Conway

Aug 3, 2011, 6:13:10 AM
to Puppet Users
One more thing - Puppet will fail to set the password unless the
libshadow gem is present, as this is required to work with shadow
passwords.

The failures due to this being missing weren't obvious if I remember
back - you only get a warning that the user provider isn't able to
manage the passwords if you're running in debug mode.

Ryan


On Aug 3, 1:35 am, Len Rugen <lenru...@gmail.com> wrote:
> You aren't sending the password, you are sending the "shadow".  On one
> system, set the desired password, get the shadow value, put that in puppet.
>
> [root@localhost ~]# passwd student
> Changing password for user student.
> New password:
> BAD PASSWORD: it is too simplistic/systematic
> Retype new password:
> passwd: all authentication tokens updated successfully.
> [root@localhost ~]# grep student /etc/shadow
> student:$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0:15189:0:99999:7:::
> [root@localhost ~]#
>
> In puppet, passwd => "$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0",

Matthew J Black

Aug 3, 2011, 10:44:03 AM
to puppet...@googlegroups.com
Not sure if that'll work right but one option is you should be able to use
the generate function in the manifest to make an external call within the
puppetmaster to create the encrypted password. The downside is that it's
going to execute every time, where it might be less of a performance hit to
cut and paste in the encrypted password into the manifest.


Peter Meier

Aug 3, 2011, 1:26:15 PM
to puppet...@googlegroups.com
On 08/03/2011 04:44 PM, Matthew J Black wrote:
> Not sure if that'll work right but one option is you should be able to use
> the generate function in the manifest to make an external call within the
> puppetmaster to create the encrypted password. The downside is that it's
> going to execute every time, where it might be less of a performance hit to
> cut and paste in the encrypted password into the manifest.

or you can use something like trocla to not even store the encrypted
password in the manifest:

https://github.com/duritong/trocla
https://github.com/duritong/puppet-trocla

~pete

John Martin

Aug 6, 2011, 2:22:49 AM
to Puppet Users
You can also use the ralsh command where the user is created as long
as puppet is installed. The command will spit out the complete user
dsl.

ralsh user student

Also, make sure the password is in single quotes so $ doesn't get
interpreted.

-John

Eric Shamow

Aug 6, 2011, 11:57:50 PM
to puppet...@googlegroups.com
Just a note - ralsh is also available from the puppet command line as "puppet resource."

-Eric

Ohad Levy

Aug 7, 2011, 2:42:26 AM
to puppet...@googlegroups.com
crypt might yield a different output depending on the c crypt lib, so
in theory it may not work across all os's.

Ohad
> ?
>
> ~pete

Jamie

Aug 7, 2011, 1:16:57 PM
to Puppet Users
Sorry, kinda late on this one, but seems some easy methods left out.

Use grub-md5-crypt
$ grub-md5-crypt
Password:
Retype password:
$1$nS12E0$nmw5cTWJLwW7KujMpApKh0 <-- PUT THE RESULT IN YOUR MANIFEST

or use the openssl command
$ openssl passwd -1
Password:
Verifying - Password:
$1$SF8zTedH$rfFKDI1pS2ljMRP14tYTj0 <-- PUT THE RESULT IN YOUR MANIFEST

Derek J. Balling

Aug 7, 2011, 8:40:22 PM
to puppet...@googlegroups.com

On Aug 2, 2011, at 8:35 PM, Len Rugen wrote:
> In puppet, passwd => "$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0",

Make sure to use single-quotes, or puppet will try to evaluate variables "$PVOar", "$WUTN", etc., etc.

D
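
A pre-commit check for the pitfalls raised in this thread (double-quoted hashes, plain-text values, MD5 `$1$` hashes), as an added example that is not from any poster or from Puppet itself. The names `check_crypt_string` and `lint_manifest` and the sample manifest are constructed for illustration; only the `$1$`, `$5$` and `$6$` schemes are covered.

```ruby
# Added example: lint `password =>` values in Puppet manifest text.
# Salt and hash lengths below are those of the crypt(3) modular formats.
SCHEMES = {
  '1' => { name: 'md5crypt',    salt_max: 8,  hash_len: 22, weak: true  },
  '5' => { name: 'sha256crypt', salt_max: 16, hash_len: 43, weak: false },
  '6' => { name: 'sha512crypt', salt_max: 16, hash_len: 86, weak: false }
}.freeze
B64 = %r{\A[./0-9A-Za-z]+\z}

# Returns the problems found in one crypt string (empty array = looks sane).
def check_crypt_string(value)
  m = value.match(/\A\$(\w+)\$(?:rounds=\d+\$)?([^$]*)\$([^$]*)\z/)
  return ['not in $id$salt$hash form (plain text or mangled?)'] unless m

  id, salt, hash = m.captures
  scheme = SCHEMES[id]
  return ["unknown scheme id #{id}"] unless scheme

  problems = []
  problems << "#{scheme[:name]} is weak, prefer $6$" if scheme[:weak]
  salt_ok = salt.length.between?(1, scheme[:salt_max]) && salt.match?(B64)
  problems << 'salt has bad length or characters' unless salt_ok
  hash_ok = hash.length == scheme[:hash_len] && hash.match?(B64)
  problems << "hash is #{hash.length} chars, expected #{scheme[:hash_len]}" unless hash_ok
  problems
end

# Scans manifest text; returns [line_number, problems] for each bad line.
def lint_manifest(text)
  text.each_line.with_index(1).filter_map do |line, no|
    m = line.match(/\bpassword\s*=>\s*(['"])(.*?)\1/)
    next unless m

    quote, value = m.captures
    problems = check_crypt_string(value)
    problems.unshift('double-quoted: Puppet interpolates $...') if quote == '"' && value.include?('$')
    [no, problems] unless problems.empty?
  end
end

# Constructed sample values, not real credentials.
GOOD = '$6$constructedsalt$' + 'A' * 86
WEAK = '$1$saltsalt$' + 'B' * 22
SAMPLE = <<~MANIFEST
  user { 'a': password => '#{GOOD}' }
  user { 'b': password => "#{GOOD}" }
  user { 'c': password => '#{WEAK}' }
  user { 'd': password => 'student123' }
MANIFEST

lint_manifest(SAMPLE).each { |no, probs| puts "line #{no}: #{probs.join('; ')}" }
```
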

Michael Stahnke

Aug 7, 2011, 9:53:10 PM
to puppet...@googlegroups.com
On Wed, Aug 3, 2011 at 3:13 AM, Ryan Conway <ryan....@forward.co.uk> wrote:
> One more thing - Puppet will fail to set the password unless the
> libshadow gem is present, as this is required to work with shadow
> passwords.
It doesn't have to be the gem. It can be anything that provides the
libraries (such as the ruby-shadow rpm package).