Managing a user password for linux in puppet
I had success (gist) with ruby's String#crypt method from within a Puppet parser function.
AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).
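Added example (my own, not the gist from the answer above and not Puppet's code): a Ruby script that builds the $n$[rounds=<m>$]salt setting the answer describes, hashes a password through String#crypt, and verifies a candidate against the stored value. It assumes a libc whose crypt(3) supports the $6$ (SHA-512) method, as glibc and libxcrypt on Linux do.

```ruby
require 'securerandom'

# crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Random 16-character salt (the maximum crypt(3) honours for $6$).
def crypt_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Build the $6$[rounds=<m>$]salt$ setting string and hash the password
# with it. rounds is optional; omitting it leaves libc at its default
# (5000) and keeps the rounds= field out of the result.
def sha512_crypt(password, salt: crypt_salt, rounds: nil)
  unless salt.match?(%r{\A[a-zA-Z0-9./]{1,16}\z})
    raise ArgumentError, 'salt must be 1..16 chars of [a-zA-Z0-9./]'
  end
  setting = ['$6', rounds && "rounds=#{Integer(rounds)}", salt, ''].compact.join('$')
  hash = password.crypt(setting)
  # An unsupported method makes crypt(3) return "*0"/"*" rather than raise.
  raise 'crypt(3) here does not support $6$ (SHA-512)' unless hash.start_with?('$6$')
  hash
end

# Verify a candidate against a stored $6$ hash: re-hash it with the setting
# embedded in the stored value and compare without early exit. Locked
# entries such as "!!" or "*" never match.
def verify_password(candidate, stored)
  fields = stored.split('$')          # "", "6", ["rounds=N",] salt, digest
  return false unless fields[1] == '6' && fields.size.between?(4, 5)
  recomputed = candidate.crypt(fields[0...-1].join('$') + '$')
  return false unless recomputed.bytesize == stored.bytesize
  recomputed.bytes.zip(stored.bytes).map { |a, b| a ^ b }.reduce(0, :|).zero?
end

if __FILE__ == $PROGRAM_NAME
  h = sha512_crypt('example-passphrase', rounds: 10_000)   # constructed sample
  puts h
  puts verify_password('example-passphrase', h)            # true
  # The hash goes into a user resource single-quoted (or with every $ escaped)
  # so Puppet does not interpolate the $6$ and salt fields.
  puts "user { 'johnboy': ensure => present, password => '#{h}' }"
end
```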
Set default password management for users in puppet
In puppet, if you don't specify the password, it won't manage the password. If you specify a password, it ensures that value is placed in /etc/shadow. That value really should be an encrypted value. The double exclamation mark is the "not a password" value, and the account is then unable to be authenticated with a password.
How Do I Get Vagrant/Puppet To Add Linux Passwords Correctly?
That's because it's stored inside the /etc/shadow file. This is for security reasons as it is only accessible by the root/super user.
Escape the dollar signs in the hash like this and it should work.
  exec { 'set password':
    # usermod -p expects the already-hashed value; the \$ keep Puppet from
    # interpolating the $6$ and salt fields inside the double-quoted string
    command => "usermod -p '\$6\$ev8faya2\$M2pB3YQRpKUJMnJx6LnsyTbDdi.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//' johnboy",
    path    => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
    require => User['johnboy'],
  }
Accessing password from a file in puppet for use in exec
There are two standard ways to achieve this given the route you prefer:
Use the file function. This is for masterless Puppet or the file is hosted on the Puppet Master.

  # using the module path instead of the absolute path would end up storing your secret in git, which is what you are trying to avoid
  $password = file('/absolute/path/to/.secret')
  exec { 'license-unity':
    command     => "/opt/Unity/Editor/Unity -batchmode -nographics -serial A1-ABCD-1234-ETC -username my.user@a.b.ca -password ${password} -quit",
    subscribe   => Package['UnityEditor'],
    refreshonly => true,
  }

Doc: https://puppet.com/docs/puppet/5.3/function.html#file
Corollary: If you need to do some kind of parsing on the file, such as if it is more than a text file with the password inside, then you can use a custom function with the modern Ruby API. https://puppet.com/docs/puppet/5.3/functions_ruby_overview.html. Let me know if this is the case.
Use a custom fact. This is for storing the file on the client in a Master/Client setup. Using an external fact would also end up storing the secret in git, which would present the problem you are attempting to avoid.

  # module/lib/facter/password.rb
  # note: fact values are sent to the master with every run and appear in reports
  Facter.add(:password) do
    setcode do
      File.read('/absolute/path/to/.secret').chomp   # drop the trailing newline
    end
  end

  # manifest.pp
  exec { 'license-unity':
    command     => "/opt/Unity/Editor/Unity -batchmode -nographics -serial A1-ABCD-1234-ETC -username my.user@a.b.ca -password ${facts['password']} -quit",
    subscribe   => Package['UnityEditor'],
    refreshonly => true,
  }

Doc: https://puppet.com/docs/facter/3.9/custom_facts.html#configuring-facts
Corollary: If you need to do some kind of parsing on the file, such as if it is more than a text file with the password inside, then you can use native Ruby classes and methods for that (i.e. JSON.parse or YAML.load_file if the file is in those formats).
Notable alternatives to the method you are pursuing include using Puppet to retrieve from a secrets management software, such as Vault, or using encryption/decryption algorithms, such as AES-256, to store the encrypted file in your SCM and then decrypt it during catalog compilation.