| The issue is macOS requires the salt to be a 32-byte value, see https://developer.apple.com/documentation/devicemanagement/passwordhash/salted-sha512-pbkdf2 It may be that earlier macOS versions didn't have this requirement  but at least 10.15 and up require 32-bytes. Puppet's user resource requires the value to be hex encoded (so it must be a string of length 64). For puppet, we should reject salt values whose length != 64 and if the value contains non-hex characters. Also update the description in https://github.com/puppetlabs/puppet/blob/79a6ffa87e540053f3a0f87240a996401e6bfe50/lib/puppet/type/user.rb#L224-L229 We should file a separate MODULES ticket to ensure the str2saltedpbkdf2 produces salt values that match those requirements, and update the documentation to show a valid salt. Also there's a typo in the module docs, it reference "interations" instead of "iterations". |
