Re: [Puppet Users] Using variable for user password hash causes password updated each run.


David Schmitt

Oct 19, 2018, 8:03:20 AM10/19/18
to puppet...@googlegroups.com
Check if the output of your script actually matches *exactly* the hash that gets written into the user. Whitespace, even a new line at the end, might confuse puppet here. If that's the problem, use https://forge.puppet.com/puppetlabs/stdlib#strip to fix that.

Cheers, DavidS

On Thu, Oct 18, 2018 at 7:23 PM James Perry <jjpe...@gmail.com> wrote:
I have been asked to set a password for a user so it is unique on every single host we support. I have a script that generates the password and I had pulled it in via a generate call. The script takes in two facter values to be used to aid in generating the password.

$myvar = generate("/bin/sh", "myscript.sh", "value1", "value2")
user { 'bob':
  password => "${myvar}",
}


This value is coming in as expected. When I pass it to the password => block it gets set as expected. Cool, but then it isn't.

Each time puppet runs for the host, it keeps changing the user's password hash even though the hash from the script is the same as that on the host. Even that could be acceptable, except these hosts are audited for password changes. Root being shown as updated every puppet run fails the audit.

When I define it as a static hash, aka '$1$salt$ab12k3oa01ksf01810', it doesn't keep resetting the password.

Notice: Local environment: 'production' doesn't match server specified node environment 'passfix', switching agent to 'passfix'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for tlistmrrh511.myhost.net
Info: Applying configuration version '1539886469'
Notice: /Stage[main]/Users::mypassword/User[bob]/password: created password
Notice: Applied catalog in 4.52 seconds
[root@tlistmrrh511 ~]#
[root@tlistmrrh511 ~]# puppet agent -tv
Notice: Local environment: 'production' doesn't match server specified node environment 'passfix', switching agent to 'passfix'.
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for tlistmrrh511.myhost.net
Info: Applying configuration version '1539886484'
Notice: /Stage[main]/Users::myassword/User[bob]/password: created password
Notice: Applied catalog in 4.36 seconds

I have tried a number of ways to get this to work inside puppet without using exec. Searching on this came up with creating custom facts to get the hash, or Hiera, which we don't use, to do this step. Having user hashes available as a fact won't pass an audit either. Basically this all needs to happen on the Puppet master and be pushed to all clients.

It seems that Puppet has a way to compare the old hash with the new one when the hash is put between ' ', but I'm passing in a var.

I don't see any indication of why it is failing the comparison. I have even set passwd => generate(... and it behaves the same way.

What am I doing wrong here? It is quite frustrating.

Thanks
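The check DavidS describes, written out as a manifest fragment (an added example, not code from either poster): the script's output is stripped before it reaches the user resource, and a value that does not look like a crypt(3) hash fails the run instead of being applied. It assumes the script lives on the master at /etc/puppetlabs/scripts/myscript.sh, that the two inputs are the fqdn and primary MAC facts, and that puppetlabs-stdlib is installed for strip() and length().

```puppet
# Added example, not from the thread. Assumed: the generator lives on the
# master at /etc/puppetlabs/scripts/myscript.sh, takes the FQDN and primary
# MAC as its two arguments, and puppetlabs-stdlib is installed.
$raw_hash = generate(
  '/bin/sh',
  '/etc/puppetlabs/scripts/myscript.sh',
  $facts['networking']['fqdn'],
  $facts['networking']['mac']
)

# generate() returns the script's stdout verbatim, so the trailing newline
# that almost every script emits becomes part of the value. The user
# provider then compares "$6$...\n" against the hash in /etc/shadow, sees a
# mismatch, and rewrites the password on every run. strip() removes
# leading and trailing whitespace so the catalog value is byte-identical
# to what the shadow file holds.
$hash = strip($raw_hash)

# Fail the run rather than apply a non-hash: anything that is not a
# "$1$", "$5$" or "$6$" crypt string with no whitespace means the script
# misbehaved. Only lengths go into the message, so the hash itself never
# lands in agent logs or reports.
unless $hash =~ /\A\$(1|5|6)\$\S+\z/ {
  fail("myscript.sh did not return a crypt-style hash (${length($hash)} chars after strip, ${length($raw_hash)} raw)")
}

user { 'bob':
  ensure   => present,
  password => $hash,
}
```

Compare the two lengths in the failure message (or in a temporary notify) to confirm the stray newline: a raw length one greater than the stripped length is exactly the case DavidS points at.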
