One thing struck me, which is that it's undesirable to have the same
attribute "password" to manage hashes and cleartext passwords in
puppet manifests.
(the docs at http://reductivelabs.com/trac/puppet/wiki/TypeReference#id222
could do with some updating once I'm sure which providers use clear
text and which use a hash for the password)
so if I have it right, these providers can manage passwords
netinfo: clear text
directoryservice: clear text
ldap: clear text
useradd: hash
user_role_add: hash
With the refactoring I'm working on for the directoryservice provider,
we could easily have the choice of *either* a hash or a clear text
password, and I imagine we could do the same thing with some of the
other providers.
Anyway, comments? Am I the only one bothered by this? I think I see
three main options:
a) Make the password attribute hash only, create another attribute for
clear text
b) Make the password attribute clear only, create another attribute for hashes
c) Leave the attribute alone for legacy reasons, create two new
attributes for the hash and clear text password types.
a) is possibly problematic for ldap ?
b) isn't feasible for all providers
c) is kind of ugly but perhaps more explicit.
--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
>
> So I've been doing some work on the directoryservice nameservice
> provider, which we haven't been using for user resources on the Mac
> for various reasons that I'm hoping to address.
>
> One thing struck me, which is that it's undesirable to have the same
> attribute "password" to manage hashes and cleartext passwords in
> puppet manifests.
I completely agree.
>
> (the docs at http://reductivelabs.com/trac/puppet/wiki/TypeReference#id222
> could do with some updating once I'm sure which providers use clear
> text and which use a hash for the password)
>
> so if I have it right, these providers can manage passwords
>
> netinfo: clear text
> directoryservice: clear text
> ldap: clear text
> useradd: hash
> user_role_add: hash
Huh. I had no idea that netinfo and directoryservice managed clear-text
passwords. I knew ldap could, but you can also specify a hash as
long as you include the hashing method, e.g., '{md5}asdfweqradfs'.
Not consistent behaviour with useradd, I know, but you're kind of
stuck there anyway since lots of *nix platforms don't support the same
hashing functions anyway.
>
> With the refactoring I'm working on for the directoryservice provider,
> we could easily have the choice of *either* a hash or a clear text
> password, and I imagine we could do the same thing with some of the
> other providers.
>
> Anyway, comments? Am I the only one bothered by this? I think I see
> three main options:
>
> a) Make the password attribute hash only, create another attribute for
> clear text
> b) Make the password attribute clear only, create another attribute
> for hashes
> c) Leave the attribute alone for legacy reasons, create two new
> attributes for the hash and clear text password types.
>
> a) is possibly problematic for ldap ?
> b) isn't feasible for all providers
> c) is kind of ugly but perhaps more explicit.
I don't think Puppet should ever use clear-text passwords, really. It
puts a bit more of a burden on the user, but it takes a significant
security burden off of Puppet.
If you must have clear-text passwords, I'd either recommend a
different attribute, or recommend following the ldap method -- if the
password doesn't have a hash method specified in braces, then it's
cleartext, otherwise it's hashed as specified. This would allow some
ability to handle cross-platform support -- a given provider might
know which platforms support which hash methods, so it could either
fail intelligently, or choose from a list of provided hash
mechanisms. Of course, that starts to suck as you increase the number
of hashed passwords, such that you want cleartext passwords and have
Puppet hash for you, but...
--
The most overlooked advantage to owning a computer is that if they foul
up there's no law against whacking them around a little. -- Joe Martin
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
> Huh. I had no idea that netinfo and directoryservice managed clear-text
> passwords. I knew ldap could, but you can also specify a hash as
> long as you include the hashing method, e.g., '{md5}asdfweqradfs'.
> Not consistent behaviour with useradd, I know, but you're kind of
> stuck there anyway since lots of *nix platforms don't support the same
> hashing functions anyway.
Yep.
> I don't think Puppet should ever use clear-text passwords, really. It
> puts a bit more of a burden on the user, but it takes a significant
> security burden off of Puppet.
I'm glad you feel that way, and I think it's absolutely the correct approach.
>
> If you must have clear-text passwords, I'd either recommend a
> different attribute, or recommend following the ldap method -- if the
> password doesn't have a hash method specified in braces, then it's
> cleartext, otherwise it's hashed as specified. This would allow some
> ability to handle cross-platform support -- a given provider might
> know which platforms support which hash methods, so it could either
> fail intelligently, or choose from a list of provided hash
> mechanisms. Of course, that starts to suck as you increase the number
> of hashed passwords, such that you want cleartext passwords and have
> Puppet hash for you, but...
ok. So in that case, I might poll the puppet-users list to see who is
currently using clear text passwords with directoryservice, as netinfo
really should be completely deprecated given that directoryservice can
handle all OS X netinfo stores.
I'd be perfectly happy for directoryservice to no longer use clear
text passwords at all myself. We could go and make a "{macshadow}"
prefix for OS X passwords I guess, but that seems a bit clunky.
I notice that a few people are using server-side generate functions
for hash generation, which is another option.
Perhaps that's the better approach to take, in that we provide some
generate functions on the puppet wiki (or in the distro) for the
various password hash types.
That sounds good.
>
> I'd be perfectly happy for directoryservice to no longer use clear
> text passwords at all myself. We could go and make a "{macshadow}"
> prefix for OS X passwords I guess, but that seems a bit clunky.
>
> I notice that a few people are using server-side generate functions
> for hash generation, which is another option.
Yeah -- it's also a good way to get your passwords from an external
data store without ever storing them in your manifest.
>
> Perhaps that's the better approach to take, in that we provide some
> generate functions on the puppet wiki (or in the distro) for the
> various password hash types.
Seems like a good idea -- having md5 and crypt functions would be a
good start.
--
Once...in the wilds of Afghanistan, I lost my corkscrew, and we were
forced to live on nothing but food and water for days. -- W. C. Fields
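Putting the two ideas from the thread together, the "{scheme}" prefix convention Luke describes (a value with a hash method in braces is a hash, anything else is cleartext) and the server-side hashing that generate-style functions provide, here is an added Ruby sketch. It is not Puppet's own code and none of its names are Puppet APIs: the provider/scheme table is constructed for illustration, the braced output form for the useradd case is my own normalisation rather than what /etc/shadow holds, and the hashing routines are the real RFC 2307 {MD5}/{SHA} encodings plus the system crypt(3) via String#crypt.

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Added example (not Puppet code): interpret a single "password" attribute
# with the LDAP-style convention from the thread. "{scheme}..." is an
# existing hash; anything else is cleartext that the provider hashes itself
# with a scheme the target platform supports.
PREFIX_RE = /\A\{([A-Za-z0-9-]+)\}(.+)\z/m

# Hypothetical per-provider capability table (constructed): which hash
# schemes each backend can store. The first entry is used for cleartext.
SUPPORTED = {
  'ldap'    => %w[sha md5 crypt],
  'useradd' => %w[crypt],
}.freeze

class UnsupportedScheme < StandardError; end

# Split the attribute into [scheme, body]; scheme is nil for cleartext.
# A bare "{" without a closing "}" (e.g. "{oops") is cleartext, not a hash.
def parse_password(value)
  m = PREFIX_RE.match(value)
  m ? [m[1].downcase, m[2]] : [nil, value]
end

# Hash a cleartext password. {MD5}/{SHA} follow RFC 2307 (base64 of the raw
# digest); {CRYPT} calls the system crypt(3) through String#crypt with a
# SHA-512 ("$6$") salt unless the caller supplies one.
def hash_password(cleartext, scheme, salt: nil)
  case scheme
  when 'md5' then '{MD5}' + Base64.strict_encode64(Digest::MD5.digest(cleartext))
  when 'sha' then '{SHA}' + Base64.strict_encode64(Digest::SHA1.digest(cleartext))
  when 'crypt'
    salt ||= '$6$' + SecureRandom.hex(8)
    '{CRYPT}' + cleartext.crypt(salt)
  else
    raise UnsupportedScheme, "no hashing routine for {#{scheme}}"
  end
end

# Decide what the provider stores: an already-hashed value passes through
# (prefix normalised to upper case) when the scheme is supported, cleartext
# is hashed with the provider's preferred scheme, and an unsupported scheme
# fails loudly instead of storing a hash the platform could never verify.
def resolve_password(provider, value, salt: nil)
  schemes = SUPPORTED.fetch(provider) { raise ArgumentError, "unknown provider #{provider}" }
  scheme, body = parse_password(value)
  if scheme.nil?
    hash_password(body, schemes.first, salt: salt)
  elsif schemes.include?(scheme)
    "{#{scheme.upcase}}#{body}"
  else
    raise UnsupportedScheme, "#{provider} cannot store {#{scheme}} hashes"
  end
end

if __FILE__ == $0
  puts resolve_password('ldap', 'secret')
  puts resolve_password('ldap', '{md5}Xr4ilOzQ4PCOq3aQ0qbuaQ==')
  puts resolve_password('useradd', 'secret')
end
```

The point of the capability table is the "fail intelligently" behaviour: a manifest that hands an {md5} value to a provider that can only store crypt(3) output is rejected at catalog application rather than silently producing an account nobody can log in to. If cleartext must be accepted at all, hashing it in resolve_password keeps the hashing on the Puppet side of the provider boundary, which is where a generate-style function on the master would do the same job without the cleartext ever reaching the manifest.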