What is the hash_password setting used for?

[Danny Nessett]

I don't understand the effect of setting hash_password to true. In the documentation for salt.states.user, the password setting stipulates that it should contain the hash of the password. If that is the case, what is the effect of hash_password?

[ende...@gmail.com]

Assuming you are talking about the user state my reading is that the default value of false will cause salt to assume that the password is already a hash and can be installed into /etc/shadow as-is.  Alternatively if you set hash_password to true salt will treat it as a plain-text password and it will hash it prior to putting it into /etc/shadow.  For security reasons storing/distributing the already-hashed password is preferable hence why it is the default.  If however you end up in a situation where you really want the password to appear in plain text (e.g. to document somewhere what it is) you can (but really you probably shouldn't).

some_user:

  user.present:

    # $ mkpasswd -m sha-256 "look-ma-my-password-in-plain-text" "somesalt"

    # $5$somesalt$90WbN9mBC3iA9YXYOoU8o2FVkHtTFqixIzFkUdkL3X8

    - password: $5$somesalt$90WbN9mBC3iA9YXYOoU8o2FVkHtTFqixIzFkUdkL3X8

    - hash_password: False

some_other_user:

  user.present:

    - password: look-ma-my-password-in-plain-text

    - hash_password: True

I'll admit that the documentation would benefit from mentioning that the password argument may be a clear text password if one sets hash_password to True.  

[Danny Nessett]

Thanks.