Re: [Puppet Users] Using generate() to mine a shadow file hash


Christopher Wood

Jun 22, 2012, 6:13:19 PM
to puppet...@googlegroups.com
inline

On Fri, Jun 22, 2012 at 02:42:54PM -0700, Rob B. wrote:
> Hey all,
>  
> My objective is to set the root password on the puppet master and then
> have root module mine the hash from the shadow file. It seems like it
> should work, but I get the error "Parameter password failed: Passwords
> cannot include ':' at". I am not sure where it is seeing the ":".
>  
> Any ideas?
>  
> The manifest looks like this:
> class root::linuxroot {
>   user { 'root':
>     ensure           => 'present',
>     comment          => 'root',
>     uid              => '0',
>     gid              => '0',
>     home             => '/root',
>     password         => generate("/pathtoscript/getlinuxhash.sh"),
>     shell            => '/bin/bash',
>   }
> }
>  
> And the getlinuxhash.sh looks like this:
> #!/bin/sh
> HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
> echo "'"$HASHPASS"'"

# facter | grep operatingsystem
operatingsystem => Debian
operatingsystemrelease => 6.0.5
# /bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }'
bash: /bin/awk: No such file or directory

You're probably fine with not using the full paths there, unless you are either on a single system type and/or templating getlinuxhash.sh.

"'"$HASHPASS"'"

That is likely interpreted as:

"'" <--- a string
$HASHPASS <--- substituted
"'" <--- a string

When I run your whole script without the full paths:

# cat /tmp/22
#!/bin/sh
HASHPASS=$(grep root /etc/shadow | awk -F ":" '{ print $2 }')
echo "'"$HASHPASS"'"
# bash /tmp/22
'$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9bASyGcFTxomYSalcryFp5QsKrNJSOmPsG4NNNOZRSZS4S3aRwMD3iza03ORDTxlaq0'

Since the password hash should start with $6$, it looks like you're returning the quotes too, which is an incorrect password hash.

# cat /tmp/1.pp
file { '/tmp/cw1':
content => generate('/tmp/22')
}
# puppet apply /tmp/1.pp
notice: /Stage[main]//File[/tmp/cw1]/ensure: defined content as '{md5}3f4302ca8a8c24301c265fdc5345f341'
# cat /tmp/cw1
'$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9BASyGcFTxomYSal4ryFp5AsKrNJSOmPsG4NNNOZRSZh4S3aRwMD3iza03ORDTelaq0'

Possibly try this for your generator? The -n is because I'm not certain if puppet will keep the trailing newline as part of the hash.

#!/bin/sh
HASHPASS=$(grep root /etc/shadow | awk -F: '{print $2}')
echo -n "$HASHPASS"

Also, why mine the password rather than provision it from your puppet manifests or, better, hiera? That way you get more than one root password.

>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> [1]https://groups.google.com/d/msg/puppet-users/-/Q2wcMCPiKBUJ.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
> References
>
> Visible links
> 1. https://groups.google.com/d/msg/puppet-users/-/Q2wcMCPiKBUJ

Rob B.

Jun 25, 2012, 9:52:51 AM
to puppet...@googlegroups.com
Hey Christopher,
 
Thanks for the reply. I will give this a try this morning. As for your question about why we want to mine it, we want to change the root password in our password manager software, have that change the root password on the puppet master, and then have puppet distribute the hash everywhere. It makes it easy to keep a single root for all the systems we want it to manage.
 
Thanks!
Rob

R.I.Pienaar

Jun 25, 2012, 9:53:45 AM
to puppet...@googlegroups.com


----- Original Message -----
> From: "Rob B." <rben...@gmail.com>
> To: puppet...@googlegroups.com
> Sent: Monday, June 25, 2012 2:52:51 PM
> Subject: Re: [Puppet Users] Using generate() to mine a shadow file hash
>
>
> Hey Christopher,
>
> Thanks for the reply. I will give this a try this morning. As for
> your question about why we want to mine it, we want to change the
> root password in our password manager software, have that change the
> root password on the puppet master, and then have puppet distribute
> the hash everywhere. It makes it easy to keep a single root for all
> the systems we want it to manage.

Quite sure this won't work; the puppet master does not run as root, and so
your generate won't have access to read the shadow file.

R.I.Pienaar

Jun 25, 2012, 9:54:49 AM
to puppet...@googlegroups.com
You could use sudo, of course, but it doesn't seem like a great idea :)

Felix Frank

Jun 25, 2012, 10:12:16 AM
to puppet...@googlegroups.com
>> Quite sure this won't work; the puppet master does not run as root, and
>> so your generate won't have access to read the shadow file.
>>
> You could use sudo, of course, but it doesn't seem like a great idea :)

Sounds right enough. Though if you're being generous with the hash of
that one root password for every last one of your boxen (this strikes me as
not the most secure of concepts), you can go all the way and make it a
custom fact that the agent *on* your puppet master (or any other node
you declare seed for the root password) presents to the puppet master
for redistribution.

Also, some wear leveling of your precious grep binary (either in
generate+sudo or a fact):

awk -F: '$1 == "root" { print $2 }' /etc/shadow

;-)

(Also, protection from various possible occurrences of the string "root"
in your shadow file.)
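
Putting the two points from this thread together (Christopher's finding that the original generator emitted the quotes and a trailing newline, and the whole-field awk match above), here is an added example that is not from any poster; it uses a constructed shadow-format file with placeholder hash values rather than reading /etc/shadow, so it can be run as an unprivileged user:

```shell
#!/bin/sh
# Added example (not from the thread): read one user's hash from a shadow-format
# file the way a generate() script or custom fact would, and refuse to emit
# anything Puppet's user type would reject (e.g. a value containing ':').

# Constructed sample in shadow format. The hash values are placeholders, not real
# hashes. "nonroot" is there to show why 'grep root' is the wrong tool.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructedsalt$constructedhashvalue0000000000:15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
nonroot:$6$othersalt$otherhashvalue111111111111111111:15500:0:99999:7:::
EOF

# Match on the whole first field rather than on a substring of the line,
# as suggested above. Prints at most one line.
shadow_hash() {  # $1 = shadow file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $2 }' "$1"
}

# The original generator wrapped the value in literal single quotes and
# appended a newline; this is what Puppet saw as the password.
broken_generate() {  # $1 = shadow file, $2 = pattern given to grep
    HASHPASS=$(grep "$2" "$1" | awk -F: '{ print $2 }')
    echo "'"$HASHPASS"'"
}

# What a generate() script should emit: the bare hash, no quotes, no newline,
# and nothing at all if the value is not a usable crypt(3) string.
safe_generate() {  # $1 = shadow file, $2 = user name
    h=$(shadow_hash "$1" "$2")
    case "$h" in
        '') echo "no entry for $2" >&2; return 1 ;;
        *[:\"\']*|*[[:space:]]*) echo "invalid characters in hash" >&2; return 1 ;;
        '!'*|'*'*) echo "account $2 is locked" >&2; return 1 ;;
    esac
    printf '%s' "$h"
}
```

Running `broken_generate "$SAMPLE_SHADOW" root` shows the quoted, two-hash output the thread describes, while `safe_generate` returns only the root field or fails loudly.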

Rob B.

Jun 25, 2012, 10:17:20 AM
to puppet...@googlegroups.com
I suppose I could use a cron to pull out the hash and put it into a file to be read by puppet.

John Lyman

Jun 25, 2012, 9:16:46 PM
to puppet...@googlegroups.com
This would be fairly easy from cron by running 'puppet resource user root > some.pp'.

It would be even better if your password manager could trigger the command to run only when the password has changed.

Robert Bencale

Jun 25, 2012, 9:30:39 PM
to puppet...@googlegroups.com
Hey John,
 
It doesn't give the password section.
 
Thanks!
Rob


John Lyman

Jun 26, 2012, 6:22:47 PM
to puppet...@googlegroups.com
It does for me, but I am running as root.  Maybe that is the difference.  Or maybe your user provider doesn't manage_passwords?

Robert Bencale

Jun 27, 2012, 12:40:10 PM
to puppet...@googlegroups.com
hmmm I am also running as root, but do get the password hash. Any ideas?


Felix Frank

Jun 27, 2012, 12:44:07 PM
to puppet...@googlegroups.com
On 06/27/2012 06:40 PM, Robert Bencale wrote:
> hmmm I am also running as root, but do get the password hash. Any ideas?

Yes, actually. Do you have librubyshadow installed?

Robert Bencale

Jun 27, 2012, 12:55:33 PM
to puppet...@googlegroups.com
I have the rpm ruby-shadow-1.4.1-7.el5 installed.
