Creating Users and Hashing its password.


vella1tj

Jun 8, 2011, 3:08:36 PM
to Puppet Users
Hi everyone, I would like to first of all say thanks to anyone willing
to help me.

I was tasked with creating an Admin account using puppet to push to all
of our Macs that we have deployed around the Campus.

user {'sysop':
  #uid       => 500,
  #groups    => 'admin',
  comment    => 'Sysop',
  ensure     => present,
  home       => '/home/sysop',
  shell      => '/bin/bash',
  managehome => true,
  # password => Haven't figured out the best way to hash
  #             a password and put it in here.
}

That's what I have so far. I don't believe I understand how a hash works
completely. The way I understand it is it will have a hash in the
password field and it will compare it to other hashes to match what
the password would be. So what I was hoping to get help on (or
anything I've done wrong or you would recommend me doing differently) is:
how do I set a resource for the hash? Do I put it in my files directory
and then point it to there? Is there anything special I have to do
so puppet understands that it's a hash?

Nathan Clemons

Jun 8, 2011, 3:12:16 PM
to puppet...@googlegroups.com
What I do is set the password on one host, and then copy the hash out of /etc/shadow into the Puppet definition to be set on the other hosts.

By default the Puppet providers expect that the password field will be hashed as used on the system, not plaintext.

--
Nathan Clemons


vella1tj

Jun 8, 2011, 3:18:33 PM
to Puppet Users
So if I changed it to
user {'sysop':
  #uid       => 500,
  #groups    => 'admin',
  comment    => 'Sysop',
  ensure     => present,
  home       => '/home/sysop',
  shell      => '/bin/bash',
  managehome => true,
  password   => "Hash"
}

Hash being the hash from /etc/shadow that would be all I needed?



On Jun 8, 3:12 pm, Nathan Clemons <nat...@livemocha.com> wrote:
> What I do is set the password on one host, and then copy the hash out of
> /etc/shadow into the Puppet definition to be set on the other hosts.
>
> By default the Puppet providers expect that the password field will be
> hashed as used on the system, not plaintext.
>
> --
> Nathan Clemons http://www.livemocha.com

Denmat

Jun 8, 2011, 5:11:56 PM
to puppet...@googlegroups.com
Hi,

If your password hash has any $ in it, the "..." will make puppet try to expand it.

You need password => '$1$effggfdg....' (single quotes).

cheers,
Den

Nigel Kersten

Jun 8, 2011, 5:38:12 PM
to puppet...@googlegroups.com
On Wed, Jun 8, 2011 at 2:11 PM, Denmat <tu2b...@gmail.com> wrote:
> Hi,
>
> If your password hash has any $ in it, the "..." will make puppet try to expand it.
>
> You need password => '$1$effggfdg....' (single quotes).

I like using puppet resource for this.

Set the password for an account, and use puppet resource to generate the manifest, removing the attributes you don't want to manage.

user { 'nigel':
  ensure           => 'present',
  comment          => 'nigel,,,',
  gid              => '1000',
  groups           => ['dialout', 'cdrom', 'floppy', 'audio', 'video', 'plugdev'],
  home             => '/home/nigel',
  password         => '$6$fPUohVXH$bYZY38RJIKKUK9fF6U/taOZfOwFdRoBnRkZOV71lGIWVMj96nOwWOAMp5EGbfJUjbrnHP/EvszbRkZgWYRkL3.',
  password_max_age => '99999',
  password_min_age => '0',
  shell            => '/bin/bash',
  uid              => '1000',
}
 
That's a test account. The password is trivial enough that you can probably crack it :)



--
Nigel Kersten
Product, Puppet Labs
@nigelkersten

Nigel Kersten

Jun 8, 2011, 5:38:29 PM
to puppet...@googlegroups.com
On Wed, Jun 8, 2011 at 2:38 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Jun 8, 2011 at 2:11 PM, Denmat <tu2b...@gmail.com> wrote:
> > Hi,
> >
> > If your password hash has any $ in it, the "..." will make puppet try to expand it.
> >
> > You need password => '$1$effggfdg....' (single quotes).
>
> I like using puppet resource for this.
>
> Set the password for an account, and use puppet resource to generate the manifest, removing the attributes you don't want to manage.

I forgot to show the actual command:

$ puppet resource user nigel

vella1tj

Jun 9, 2011, 8:34:30 AM
to Puppet Users
Thank you all for the quick responses I really do appreciate it, you
guys are awesome!!!

On Jun 8, 5:38 pm, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Jun 8, 2011 at 2:38 PM, Nigel Kersten <ni...@puppetlabs.com> wrote:
>
> > On Wed, Jun 8, 2011 at 2:11 PM, Denmat <tu2bg...@gmail.com> wrote:
>
> >> Hi,
>
> >> If your password hash has any $ in it, the "..." will make puppet try to
> >> expand it.
>
> >> You need password => '$1$effggfdg....' (single quotes).
>
> > I like using puppet resource for this.
>
> > Set the password for an account, and use puppet resource to generate the
> > manifest, removing the attributes you don't want to manage.
>
> I forgot to show the actual command:
>
> $ puppet resource user nigel
>
> > user { 'nigel':
> >   ensure           => 'present',
> >   comment          => 'nigel,,,',
> >   gid              => '1000',
> >   groups           => ['dialout', 'cdrom', 'floppy', 'audio', 'video', 'plugdev'],
> >   home             => '/home/nigel',
> >   password         => '$6$fPUohVXH$bYZY38RJIKKUK9fF6U/taOZfOwFdRoBnRkZOV71lGIWVMj96nOwWOAMp5EGbfJUjbrnHP/EvszbRkZgWYRkL3.',
> >   password_max_age => '99999',
> >   password_min_age => '0',
> >   shell            => '/bin/bash',
> >   uid              => '1000',
> > }
>
> > That's a test account. The password is trivial enough that you can probably
> > crack it :)
>
> >> cheers,
> >> Den

Alexandre Martani

Jun 12, 2011, 1:42:21 PM
to puppet...@googlegroups.com
On Ubuntu/Debian, you can generate the hash using:

mkpasswd -m sha-512

I don't know if it works on Mac, but the output of it looks the same as the examples posted on this topic, so I think it should work.

Nigel Kersten

Jun 13, 2011, 9:56:49 AM
to puppet...@googlegroups.com
Mac OS X has a more complex password hash with required zero padding that is rather annoying.

user { 'demo':
  ensure   => 'present',
  comment  => 'demo',
  gid      => '20',
  home     => '/Users/demo',
  password => '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000E2FA8B0FC9EEEE8C9C3D20C346F59145BAF0BBF2352709CF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000',
  shell    => '/bin/bash',
  uid      => '502',
}

Told you it was annoying :)

 

vella1tj

Jun 13, 2011, 2:57:20 PM
to Puppet Users
Yep, I figured it out thanks to you guys. Now it's just getting that
darn home folder to get created :) Again, thanks for the replies, you
guys are awesome.


Joey Stevense

Jul 25, 2013, 7:12:34 AM
to puppet...@googlegroups.com, vell...@gmail.com
You could also use the built in sha1 function to let puppet generate the hashed version for you.
Like this:

user {'sysop':
  #uid       => 500,
  #groups    => 'admin',
  comment    => 'Sysop',
  ensure     => present,
  home       => '/home/sysop',
  shell      => '/bin/bash',
  managehome => true,
  password   => sha1('plaintextpasswordhere'),
}

Vinay Korapati

Feb 17, 2017, 11:41:17 AM
to Puppet Users, vell...@gmail.com
password => sha1('your password')
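
A lint for two points raised in this thread (single quotes around hashes that contain `$`, and shadow-format hashes versus `sha1()` output), as an added example that is not part of any poster's message or of Puppet itself. It classifies every `password =>` value in a manifest; the function and constant names are hypothetical, and the sample manifest is constructed from snippets quoted in the thread.

```python
import re

# Matches a `password => ...` attribute: a quoted string or a function call.
PASSWORD_ATTR = re.compile(
    r"""^[ \t]*password\s*=>\s*(?:(?P<q>['"])(?P<val>.*?)(?P=q)|(?P<call>\w+\(.*\)))\s*,?\s*$""",
    re.M)
# crypt(3) modular format as stored in /etc/shadow: $id$[rounds=N$]salt$hash
CRYPT = re.compile(r"\$(1|5|6)\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]+")
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
HEX = re.compile(r"[0-9A-Fa-f]{32,}")


def classify(quote, value, call):
    if call:
        # Computed at compile time, e.g. sha1('...'): check what it returns
        # and whether its argument is a plaintext password in the manifest.
        return "function-call"
    if quote == '"' and "$" in value:
        # Double quotes make Puppet try to expand $... inside the hash.
        return "interpolated"
    m = CRYPT.fullmatch(value)
    if m:
        return SCHEMES[m.group(1)]
    if HEX.fullmatch(value):
        # Bare hex: a digest or a platform-specific value, not $id$salt$hash.
        return "hex-digest"
    return "not-a-hash"


def lint_passwords(manifest):
    """Return [(line_number, finding)] for each password attribute."""
    out = []
    for m in PASSWORD_ATTR.finditer(manifest):
        line = manifest.count("\n", 0, m.start()) + 1
        out.append((line, classify(m.group("q"), m.group("val"), m.group("call"))))
    return out


# Hash quoted from the thread (the test account posted by Nigel Kersten).
PAGE_HASH = "$6$fPUohVXH$bYZY38RJIKKUK9fF6U/taOZfOwFdRoBnRkZOV71lGIWVMj96nOwWOAMp5EGbfJUjbrnHP/EvszbRkZgWYRkL3."
VALUES = [
    '"%s"' % PAGE_HASH,                             # double-quoted hash
    "'%s'" % PAGE_HASH,                             # single-quoted hash
    "sha1('plaintextpasswordhere')",                # function call from the thread
    "'0123456789abcdef0123456789abcdef01234567'",   # constructed 40-hex value
]
SAMPLE = "\n".join("user { 'u%d':\n  password => %s,\n}" % (i, v) for i, v in enumerate(VALUES))

if __name__ == "__main__":
    print(lint_passwords(SAMPLE))
```
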