Workaround for user password hash


zerozer...@gmail.com

Feb 5, 2014, 12:48:59 PM
to puppet...@googlegroups.com
Hi,
I suppose it will be useful if I share a workaround I just found for a problem I encountered.

I needed a "user" puppet resource to add a user and set its password, on CentOS 6.4.
The manifest was applied with no errors, but the password was not set correctly.

I tried:

  password => sha1("password")

and some hash was set for the user password, but it was not the right one, I could not log in.

I then tried directly setting the hash I got from "openssl passwd -1 password":

  password => "$1$RCxCmL.x$MRHrLKqYpha19ERGC/5FQ/"

but only part of the hash ended up in /etc/shadow, e.g. in this case ".x/5FQ/".

By searching on Google I found reports of very similar problems, but the output and fixes were different, mostly regarding a required ruby library (ruby-libshadow) which AFAICT I already had installed.

I eventually spotted the problem was with "$" signs, so I tried escaping them:

  password => "\$1\$RCxCmL.x\$MRHrLKqYpha19ERGC/5FQ/"

and it finally works!

Thinking about it, it appears logical: strings enclosed in double quotes allow for variable interpolation, so anything following a $ up to another special char like a dot or a slash was expected to be a variable, but its value was empty.

HTH someone else when googling.
Marco

PS: what's the problem with sha1()? I don't care about the password being in clear text in the manifest, BTW.

Chuck Anderson

Feb 5, 2014, 1:25:53 PM
to puppet...@googlegroups.com
On Wed, Feb 05, 2014 at 09:48:59AM -0800, zerozer...@gmail.com wrote:
> I needed a "user" puppet resource to add a user and set its password, on
> CentOS 6.4.
> The manifest was applied with no errors, but the password was not set
> correctly.
>
> I tried:
>
> password => sha1("password")
>
> and some hash was set for the user password, but it was not the right one,
> I could not log in.

I think that wouldn't work because it doesn't create a salt or the
proper format in /etc/shadow of $<pwtype>$salt$hash.

> I then tried directly setting the hash I got from "openssl passwd -1
> password":
>
> password => "$1$RCxCmL.x$MRHrLKqYpha19ERGC/5FQ/"
>
> but only part of the hash ended up in /etc/shadow, e.g. in this case
> ".x/5FQ/".

Use single quotes rather than double quotes so the $ aren't
interpolated as variables:

password => '$1$RCxCmL.x$MRHrLKqYpha19ERGC/5FQ/'

> PS: what's the problem with sha1()? I don't care about the password being
> in clear text in the manifest, BTW.

It just creates a raw SHA1 hash without the required format including
the hash type field and salt field.

Jeremy T. Bouse

Feb 5, 2014, 1:57:01 PM
to puppet...@googlegroups.com
I believe Chuck is on the right path. Just from a simple test
(https://gist.github.com/jbouse/8830543) this shows that using the
double quotes is incorrect.

Brian Mathis

Feb 5, 2014, 2:31:21 PM
to puppet...@googlegroups.com
It's far more than just simple formatting.  Passwords are stored using "crypt" functions, with the original one using DES, then we moved on to MD5 and SHA.  The cryptographic portions (MD5, SHA1, etc...) are only PART of the algorithm, which also includes salting, multiple iterations, etc...

There is nothing wrong with the sha1() function, it's just being used incorrectly.


❧ Brian Mathis


zerozer...@gmail.com

Feb 6, 2014, 4:58:52 AM
to puppet...@googlegroups.com
On Wednesday, February 5, 2014 7:25:53 PM UTC+1, Chuck Anderson wrote:
> Use single quotes rather than double quotes so the $ aren't
> interpolated as variables:

But if you are accustomed to using double quotes around strings, you might prefer using them here too, for consistency.
Just be sure you escape the $'s.

What's more, the results I got when trying from a single command line were confusing.
I did expect this to work:

> puppet apply -e "user { 'testuser': password => '$1$RCxCmL.x$MRHrLKqYpha19ERGC/5FQ/' }"

But it had the same problem.
And for some reason bash did not interpret the following alternative version as I expected it to:

> puppet apply -e 'user { \'testuser\': password => \'$1$RCxCmL.x$MRHrLKqYpha19ERGC/5FQ/\' }'

Marco

zerozer...@gmail.com

Feb 6, 2014, 5:03:25 AM
to puppet...@googlegroups.com
On Wednesday, February 5, 2014 7:57:01 PM UTC+1, Jeremy wrote:
> I believe Chuck is on the right path. Just from a simple test
> (https://gist.github.com/jbouse/8830543) this shows that using the
> double quotes is incorrect.

Well… it's not "incorrect": you _can_ use double quotes. You just have to pay attention to variable interpolation:

Your sample puppet-lint output only shows warnings, not syntax errors.

Marco

zerozer...@gmail.com

Feb 6, 2014, 5:12:08 AM
to puppet...@googlegroups.com
On Wednesday, February 5, 2014 8:31:21 PM UTC+1, Brian Mathis wrote:
> There is nothing wrong with the sha1() function, it's just being used incorrectly.

Just for the record, what would be the correct way to use it for this purpose?

I think it could be an interesting topic: when searching for solutions to my problem I found various old threads dealing with this issue, but no different ways of using sha1().
Someone even suggests the plain non-working way, e.g.:

Thanks.
Marco

Felix Frank

Feb 6, 2014, 5:15:04 AM
to puppet...@googlegroups.com
Heh, well the thing with single quotes is - those will make *all*
characters be interpreted literally, including the backslashes.

So it's pretty hard to include a single quote in a single quoted string.
You end up with pretties like

echo 'It'"'"'s working!'

Though I may be missing a popular workaround I'm not aware of ;-)

Cheers,
Felix

zerozer...@gmail.com

Feb 6, 2014, 5:26:09 AM
to puppet...@googlegroups.com
On Thursday, February 6, 2014 11:15:04 AM UTC+1, Felix.Frank wrote:
> Heh, well the thing with single quotes is - those will make *all*
> characters be interpreted literally, including the backslashes.

Uhm… according to
<http://docs.puppetlabs.com/puppet/latest/reference/lang_datatypes.html#single-quoted-strings> the "backslash-single quote" sequence is a permitted escape sequence inside single quotes, and should be interpreted as a single quote.
But it doesn't work in my command line.
Not even using double backslashes works.

Marco

Chuck Anderson

Feb 6, 2014, 10:08:03 AM
to puppet...@googlegroups.com
The shell has its own rules about quoting.

Peter Meier

Feb 6, 2014, 11:44:37 AM
to puppet...@googlegroups.com

> I suppose it will be useful if I share a workaround I just found
> for a problem I encountered.
>
> I needed a "user" puppet resource to add a user and set its
> password, on CentOS 6.4. The manifest was applied with no errors,
> but the password was not set correctly.

Shameless plug: If you care about passwords in manifests, then for
password management there is also trocla:

https://github.com/duritong/trocla

With the matching module: http://forge.puppetlabs.com/duritong/trocla


~Pete

Brian Mathis

Feb 6, 2014, 1:56:54 PM
to puppet...@googlegroups.com
There is no correct way to use it for this purpose.

If you want to get an idea of what is involved in creating a password from plaintext, take a look here (Java code):
To do this in Puppet, you'd probably have to write some Ruby code as a module or patch to Puppet -- not really sure.

Incidentally, password fields in Linux do not use SHA1, it's either SHA256 or SHA512, used within this type of algorithm.


❧ Brian Mathis
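Putting the thread's conclusions together, as an added example that is not from the thread, from Puppet or from openssl: a pure-Python MD5-crypt generator that reproduces the `$1$salt$hash` form of `openssl passwd -1` (the `$1$` scheme is the legacy one; the `$5$`/`$6$` SHA-crypt hashes current Linux systems use share the same type/salt/hash layout and the same salting-plus-iteration idea), plus a helper that escapes the `$` signs for a double-quoted Puppet string. The names `md5crypt`, `random_salt` and `puppet_double_quoted` are my own.

```python
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    # crypt(3)'s base-64 variant: 6 bits per character, least significant first
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as produced by 'openssl passwd -1'; salt is at most 8 chars."""
    pw, sb = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    final = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):       # as many bytes of final as pw is long
        ctx.update(final[:min(16, pl)])
    i = len(pw)
    while i:                                # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                   # fixed-cost stretching rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(sb)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    encoded = ""                            # shuffle bytes, then encode 24 bits at a time
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt[:8] + "$" + encoded


def random_salt(length: int = 8) -> str:
    # Fresh random salt drawn from the crypt alphabet (hypothetical helper)
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def puppet_double_quoted(hash_str: str) -> str:
    # Escape every '$' so a double-quoted Puppet string does not interpolate
    # '$1', '$RCxCmL' and '$MRHrLKqYpha19ERGC' as (empty) variables
    return '"' + hash_str.replace("$", "\\$") + '"'
```

The salt and hash from the first post (`RCxCmL.x`, `openssl passwd -1 password`) serve as a check that the implementation matches openssl; the thread's `password => '...'` single-quoted form needs no escaping at all.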

