Managing a User Password for Linux in Puppet

Managing a user password for linux in puppet

I had success (gist) with Ruby's String#crypt method from within a Puppet parser function.

AFAICS it's using the crypt libc functions (see: info crypt), and takes the same arguments $n$[rounds=<m>$]salt, where n is the hashing function ($6 for SHA-512) and m is the number of key strengthening rounds (5000 by default).
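An added example (not from the answer above and not Puppet's own code) showing the String#crypt usage described: it builds the `$6$rounds=<m>$<salt>$` setting string, produces a /etc/shadow-compatible SHA-512 hash, verifies a candidate against it, and escapes the `$` signs for use inside a double-quoted Puppet string. It assumes the libc behind String#crypt understands the `$6$` scheme (glibc and libxcrypt do; some other platforms do not).

```ruby
require 'securerandom'

# Alphabet allowed in a crypt(3) salt: [./0-9A-Za-z]
SALT_CHARS = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']

# Build a random 16-character salt from the crypt(3) alphabet (16 is the
# maximum SHA-512 crypt uses; longer salts are silently truncated).
def crypt_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Return a SHA-512 crypt hash ("$6$rounds=<m>$<salt>$<hash>") suitable for the
# `password` attribute of a Puppet `user` resource or a usermod -p argument.
# rounds is the key-strengthening count the answer above mentions (5000 default).
def sha512_crypt(password, rounds: 5000, salt: crypt_salt)
  unless (1000..999_999_999).cover?(rounds)
    raise ArgumentError, 'rounds must be between 1000 and 999999999'
  end
  password.crypt("$6$rounds=#{rounds}$#{salt}$")
end

# Verify a candidate password against a stored crypt hash. crypt() reads the
# scheme, rounds and salt from the hash itself, so re-hashing the candidate with
# the stored hash as the setting must reproduce it byte for byte.
def crypt_verify?(candidate, stored_hash)
  recomputed = candidate.crypt(stored_hash)
  return false unless recomputed.bytesize == stored_hash.bytesize
  # Constant-time comparison: do not short-circuit on the first differing byte.
  recomputed.bytes.zip(stored_hash.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

# Escape every "$" so the hash survives inside a double-quoted Puppet string
# (or an exec command) without "$6" or the salt being read as a variable.
# Single-quoted Puppet strings need no escaping at all.
def puppet_escape(hash)
  hash.gsub('$') { '\$' }
end

if $PROGRAM_NAME == __FILE__
  # Constructed example password; never hard-code a real one in a manifest.
  h = sha512_crypt('correct horse battery staple', rounds: 10_000)
  puts "user { 'johnboy': ensure => present, password => '#{h}', }"
  puts "double-quoted form: \"#{puppet_escape(h)}\""
end
```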

Set default password management for users in puppet

In puppet, if you don't specify the password, it won't manage the password. If you specify a password, it ensures that value is placed in /etc/shadow. That value really should be an encrypted value. The double exclamation mark is the "not a password" value, and the account is then unable to be authenticated with a password.

How Do I Get Vagrant/Puppet To Add Linux Passwords Correctly?

That's because it's stored inside the /etc/shadow file. This is for security reasons as it is only accessible by the root/super user.

Escape the dollar signs in the hash like this and it should work.

exec { 'set password':
  command => "usermod -p '\$6\$ev8faya2\$M2pB3YQRpKUJMnJx6LnsyTbDdi.umsEEZttD01pk8ZSfMGrVmlnjoVhIHyuqYt3.yaG1SZjaoSxB39nNgFKb//' johnboy",
  require => User[johnboy];
}

Accessing password from a file in puppet for use in exec

There are two standard ways to achieve this given the route you prefer:

  1. Use the file function. This is for masterless Puppet, or when the file is hosted on the Puppet Master.

        # using the module path instead of the absolute path would end up storing your secret in git, which is what you are trying to avoid
        # note: file() returns the content verbatim, including any trailing newline
        $password = file('/absolute/path/to/.secret')

        exec { 'license-unity':
          command     => "/opt/Unity/Editor/Unity -batchmode -nographics -serial A1-ABCD-1234-ETC -username my.user@a.b.ca -password $password -quit",
          subscribe   => Package['UnityEditor'],
          refreshonly => true,
        }

     Doc: https://puppet.com/docs/puppet/5.3/function.html#file

     Corollary: If you need to do some kind of parsing on the file, such as if it is more than a text file with the password inside, then you can use a custom function with the modern Ruby API. https://puppet.com/docs/puppet/5.3/functions_ruby_overview.html. Let me know if this is the case.

  2. Use a custom fact. This is for storing the file on the client in a Master/Client setup. Using an external fact would also end up storing the secret in git, which would present the problem you are attempting to avoid.

        # module/lib/facter/password.rb
        Facter.add(:password) do
          setcode do
            # chomp drops the trailing newline so it does not end up in the command line
            File.read('/absolute/path/to/.secret').chomp
          end
        end

        # manifest.pp
        # the fact is a top-scope variable; $facts['password'] is the explicit form
        exec { 'license-unity':
          command     => "/opt/Unity/Editor/Unity -batchmode -nographics -serial A1-ABCD-1234-ETC -username my.user@a.b.ca -password $password -quit",
          subscribe   => Package['UnityEditor'],
          refreshonly => true,
        }

     Doc: https://puppet.com/docs/facter/3.9/custom_facts.html#configuring-facts

     Corollary: If you need to do some kind of parsing on the file, such as if it is more than a text file with the password inside, then you can use native Ruby classes and methods for that (e.g. JSON.parse or YAML.load_file if the file is in those formats).

Notable alternatives to the method you are pursuing include using Puppet to retrieve from a secrets management software, such as Vault, or using encryption/decryption algorithms, such as AES-256, to store the encrypted file in your SCM and then decrypt it during catalog compilation.
