Hey Christopher,

Thanks for the reply. I will give this a try this morning.

As for your question about why we want to mine it, we want to change the root password in our password manager software, have that change the root password on the puppet master, and then have puppet distribute the hash everywhere. It makes it easy to keep a single root for all the systems we want it to manage.

Thanks!
Rob

On Friday, June 22, 2012 6:13:19 PM UTC-4, Christopher Wood wrote:
> inline
>
> On Fri, Jun 22, 2012 at 02:42:54PM -0700, Rob B. wrote:
> > Hey all,
> >
> > My objective is to set the root password on the puppet master and then
> > have root module mine the hash from the shadow file. It seems like it
> > should work, but I get the error "Parameter password failed: Passwords
> > cannot include ':' at". I am not sure where it is seeing the ":".
> >
> > Any ideas?
> >
> > The manifest looks like this:
> > class root::linuxroot {
> >   user { 'root':
> >     ensure   => 'present',
> >     comment  => 'root',
> >     uid      => '0',
> >     gid      => '0',
> >     home     => '/root',
> >     password => generate("/pathtoscript/getlinuxhash.sh"),
> >     shell    => '/bin/bash',
> >   }
> > }
> >
> > And the getlinuxhash.sh looks like this:
> > #!/bin/sh
> > HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
> > echo "'"$HASHPASS"'"
>
> # facter | grep operatingsystem
> operatingsystem => Debian
> operatingsystemrelease => 6.0.5
> # /bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }'
> bash: /bin/awk: No such file or directory
>
> You're probably fine with not using the full paths there, unless you are
> either on a single system type and/or templating getlinuxhash.sh.
>
> "'"$HASHPASS"'"
>
> That is likely interpreted as:
>
> "'" <--- a string
> $HASHPASS <--- substituted
> "'" <--- a string
>
> When I run your whole script without the full paths:
>
> # cat /tmp/22
> #!/bin/sh
> HASHPASS=$(grep root /etc/shadow | awk -F ":" '{ print $2 }')
> echo "'"$HASHPASS"'"
> # bash /tmp/22
> '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9bASyGcFTxomYSalcryFp5QsKrNJSOmPsG4NNNOZRSZS4S3aRwMD3iza03ORDTxlaq0'
>
> Since the password hash should start with $6$, it looks like you're
> returning the quotes too, which is an incorrect password hash.
>
> # cat /tmp/1.pp
> file { '/tmp/cw1':
>   content => generate('/tmp/22')
> }
> # puppet apply /tmp/1.pp
> notice: /Stage[main]//File[/tmp/cw1]/ensure: defined content as '{md5}3f4302ca8a8c24301c265fdc5345f341'
> # cat /tmp/cw1
> '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9BASyGcFTxomYSal4ryFp5AsKrNJSOmPsG4NNNOZRSZh4S3aRwMD3iza03ORDTelaq0'
>
> Possibly try this for your generator? The -n is because I'm not certain if
> puppet will keep the trailing newline as part of the hash.
>
> #!/bin/sh
> HASHPASS=$(grep root /etc/shadow | awk -F: '{print $2}')
> echo -n "$HASHPASS"
>
> Also, why mine the password rather than provision it from your puppet
> manifests better hiera? That way you get more than one root password.
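
Added example, not part of the thread: a generator that matches the account name exactly and emits only the hash field, with no surrounding quotes and no trailing newline, refusing anything that does not look like a crypt(3) hash. The function name `get_shadow_hash` and its optional shadow-file argument (which allows testing against a constructed file) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): print exactly one account's
# password hash from a shadow-format file, and nothing else.

# get_shadow_hash USER [SHADOW_FILE]
# SHADOW_FILE defaults to /etc/shadow; the second argument is a
# hypothetical convenience so the function can be run on a test file.
get_shadow_hash() {
    user=$1
    shadow=${2:-/etc/shadow}

    # Compare field 1 exactly. A plain "grep root" also matches any other
    # line that merely contains the string "root" (e.g. an account named
    # "chroot"), which would yield several hashes separated by newlines.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow") || return 1

    case $hash in
        # Missing account, empty field, or locked/disabled entry.
        '' | '!'* | '*'*)
            echo "no usable hash for $user" >&2
            return 1 ;;
        # Anything outside the crypt(3) alphabet plus "$", "=", "," and "-"
        # (quotes, whitespace, ":") is rejected instead of being passed on.
        *[!A-Za-z0-9./\$=,-]*)
            echo "unexpected character in hash for $user" >&2
            return 1 ;;
    esac

    # printf avoids both the trailing newline and the non-portable "echo -n".
    printf '%s' "$hash"
}

# When run as a script with an argument, emit that account's hash.
if [ $# -gt 0 ]; then
    get_shadow_hash "$@"
fi
```

Reading /etc/shadow requires root, so the script has to run with that privilege on the machine where it is executed.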