updating user passwords with puppet


Sebastian Krueger

Apr 2, 2009, 10:49:18 PM
to puppet...@googlegroups.com
Hi guys,

I'm trying to update passwords in /etc/shadow with puppet.

I've installed the ruby lib shadow library and am using the following sample puppet syntax:

----
user { "seb":
    gid        => "30",
    ensure     => present,
    membership => inclusive,
    groups     => [ "users" ],
    password   => "foofoo"
}
----

result from /etc/shadow:

seb:foofoo:14336:0:99999:7:::

Now the problem is that the foofoo password is expected to be in encrypted form. Is there any way to get the "foofoo" password in encrypted form?

Cleartext: foofoo
Ciphertext: ???

I've found references to mkpasswd, but this does not exist in SLES, and doesn't generate Blowfish passwords anyway. I've tried a variety of Perl one-liners, but can't seem to get the right combination.

Any help would be much appreciated.

Regards, Sebastian.

nick.ma...@gmail.com

Apr 3, 2009, 5:33:33 AM
to puppet...@googlegroups.com
On Fri, 03 Apr 2009 02:49:18 -0000, Sebastian Krueger
<sebyk...@gmail.com> wrote:
Hi Sebastian, it's my type of "any help" :)). I think that the puppet developers
did the right thing and we can't hold clear passwords in puppet *.pp files.
There is no place in the system for clear passwords.
In your situation, I think, there is a way to make some script for hashing
not-hashed passwords in *.pp. If you need some help with that, you are
welcome.
Bye

Sebastian Krueger

Apr 2, 2009, 11:55:12 PM
to puppet...@googlegroups.com
Yes, I don't want to store clear text passwords, I want to know how to encrypt passwords so that I can put the encrypted hash into the pp files.

Someone on the irc puppet channel showed me this command, which I'm currently using:

openssl passwd -1

This works for generating MD5 passwords, but not Blowfish passwords.

If anyone knows how to generate blowfish passwords, I'd be keen to know how they do it.

Kind regards, Sebastian.

Helmut Lichtenberg

Apr 3, 2009, 2:03:11 AM
to puppet...@googlegroups.com
Sebastian Krueger wrote on 03 Apr 2009 at 05:55:12 CEST:
> If anyone knows how to generate blowfish passwords, I'd be keen to know how
> they do it.

There's a perl module Crypt::Blowfish, that might be of help for you.

Helmut

--
-------------------------------------------------------------------------
Helmut Lichtenberg <Helmut.Li...@fli.bund.de> Tel.: 05034/871-128
Institut für Nutztiergenetik (FLI) 31535 Neustadt Germany
-------------------------------------------------------------------------

Robin Lee Powell

Apr 3, 2009, 2:41:34 AM
to puppet...@googlegroups.com
On Fri, Apr 03, 2009 at 03:49:18PM +1300, Sebastian Krueger wrote:
> Now the problem is that the foofoo password is expected to be in
> encrypted form. Is there any way to get the "foofoo" password in
> encrypted form?
>
> Cleartext: foofoo
> Ciphertext: ???
>
> I've found references to mkpasswd, but this does not exist in
> SLES, and doesn't generate Blowfish passwords anyway. I've tried a
> variety of Perl one-liners, but can't seem to get the right
> combination.

Blowfish? I've never heard of anyone using that for passwords.
Standard Linux IME is md5.

mkpasswd *is* in fact the standard tool for this purpose, and it can
produce a variety of formats:

$ mkpasswd -m help
Available methods:
des standard 56 bit DES-based crypt(3)
md5 MD5
sha-256 SHA-256
sha-512 SHA-512

-Robin

--
They say: "The first AIs will be built by the military as weapons."
And I'm thinking: "Does it even occur to you to try for something
other than the default outcome?" -- http://shorl.com/tydruhedufogre
http://www.digitalkingdom.org/~rlpowell/ *** http://www.lojban.org/

Martin Wheldon

Apr 3, 2009, 4:19:30 AM
to puppet...@googlegroups.com
What I tend to do is change the password of the account I'm managing

# passwd user

then copy it from /etc/shadow into the manifest. But then we have very
few local user accounts.

Regards

Martin

Sebastian Krueger

Apr 4, 2009, 1:00:12 AM
to puppet...@googlegroups.com
Blowfish is the standard for openSUSE since 9.3. And it's the standard since SLES 9 as well. It's way stronger than md5.

Benjamin Kite

Apr 5, 2009, 12:49:00 PM
to Puppet Users

PHP usually uses the appropriate crypt system call for the system, so
whether it is DES, SMD5 or BLF, I believe you can reliably generate
hashed passwords like this:

echo "<? print crypt('foofoo'); ?>" | php

Also, in your manifest, you are using double-quotes (") to enclose the
password. You will want to make sure to use single-quotes ('), since
(at least) salted MD5 always contains the dollar-sign ($) character.
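
The following is an added example, not code from this thread or from Puppet, covering Sebastian's original question and Benjamin's quoting point: it parses the shadow line Sebastian posted, flags a password field that is not a crypt(3) hash (the cleartext "foofoo" written by the manifest), generates a salted hash through Ruby's String#crypt (which calls the system crypt(3); SHA-512 "$6$" support is assumed, as in glibc), and emits a user resource with the hash in single quotes. The shadow line and user name are taken from the thread; everything else is constructed.

```ruby
require 'securerandom'

# Field order of one /etc/shadow line, per shadow(5).
SHADOW_FIELDS = %i[name password lastchange min max warn inactive expire reserved].freeze

# Parse a shadow line into a Hash keyed by SHADOW_FIELDS (trailing empties kept).
def parse_shadow_line(line)
  values = line.chomp.split(':', -1)
  raise ArgumentError, "expected 9 fields, got #{values.size}" unless values.size == 9
  SHADOW_FIELDS.zip(values).to_h
end

# Decide whether a password field looks like crypt(3) output:
# :locked (! or * prefix), :hashed (modular "$id$salt$hash" or 13-char
# legacy DES), :not_a_hash (anything else, e.g. a cleartext value).
def classify_password_field(field)
  return :locked if field.start_with?('!', '*')
  return :hashed if field.match?(/\A\$(1|2[abxy]?|5|6|y)\$[.\/A-Za-z0-9$]+\z/)
  return :hashed if field.match?(/\A[.\/A-Za-z0-9]{13}\z/)
  :not_a_hash
end

CRYPT_ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + %w[. /]).freeze

# Salted SHA-512 crypt hash ("$6$salt$...") via String#crypt -> system crypt(3).
# Raises rather than silently downgrading if this libc lacks "$6$" support.
def sha512_crypt(password)
  salt = Array.new(16) { CRYPT_ALPHABET[SecureRandom.random_number(64)] }.join
  hash = password.crypt("$6$#{salt}$")
  raise "crypt(3) here does not support SHA-512" unless hash.start_with?("$6$#{salt}$")
  hash
end

# Verify: re-hashing with the stored hash as the setting must reproduce it.
def password_matches?(password, hash)
  password.crypt(hash) == hash
end

# Puppet user resource with the hash in single quotes: Puppet interpolates
# $... inside double-quoted strings, which would mangle "$6$salt$...".
def puppet_user_resource(name, hash)
  <<~PP
    user { '#{name}':
      ensure   => present,
      password => '#{hash}',
    }
  PP
end
```

Running classify_password_field over every line of a shadow file is a cheap check that a manifest has not written a literal password into it.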


Trevor Vaughan

Apr 6, 2009, 6:43:53 AM
to puppet...@googlegroups.com
Isn't Blowfish an encryption algorithm?

Passwords are based on one-way hashes such as SHA, or MD5.

Perhaps there is a mode for Blowfish for which I am not familiar, but
I think that you're looking for something that doesn't exist.

Trevor

Peter Meier

Apr 6, 2009, 9:53:01 AM
to puppet...@googlegroups.com
Hi

> Isn't Blowfish an encryption algorithm?
>
> Passwords are based on one-way hashes such as SHA, or MD5.
>
> Perhaps there is a mode for Blowfish for which I am not familiar, but
> I think that you're looking for something that doesn't exist.

The OpenBSD people implemented blowfish password hashing code. Code for
ruby is contained in the bcrypt gem.

cheers Pete

Trevor Vaughan

Apr 6, 2009, 9:57:51 AM
to puppet...@googlegroups.com
Interesting, this still seems...odd, but it should work, though I'm
still skeptical of using a cipher versus a true one-way hash.

Trevor

Thomas Bellman

Apr 6, 2009, 10:20:14 AM
to puppet...@googlegroups.com
Trevor Vaughan wrote:

> Interesting, this still seems...odd, but it should work, though I'm
> still skeptical of using a cipher versus a true one-way hash.

The normal Unix crypt(3) method uses a variant of DES to make a one-way
hash. Basically, you use the password as the key to encrypt a constant
string. That's been used for 30 years or so, and the only real weakness
I can recall hearing about it is that the key is too short (8 characters,
and if you use anything longer, only the 8 first characters are used).


/Bellman
