Hello,
Glad to hear that you got it to work.
Before you put this into production, please make sure you don't re-use the same
salt value. Try to randomize it. Something like
seeded_rand_string(16,strftime("%s%L")) may work.
-----Original message-----
From: jmp242 <[email protected]>
Sent: Friday 15th November 2019 15:31
To: Puppet Users <[email protected]>
Subject: Re: [Puppet Users] Managing a local users password with puppet on EL7
I figured it out. Thanks for the help. It's because I wasn't doing I
password => pw_hash('password', 'SHA-512', 'mysalt'),
I was doing
Sensitive(pw_hash('$password', 'SHA-512', 'oursalt')),
And because I used single quotes, it wasn't actually getting the parameter /
variable, but the literal $password. Remove the quotes entirely because it's
just a variable, and it works!
And this is why you can't always just copy -> paste -> edit your stuff in!.
On Friday, November 15, 2019 at 8:55:57 AM UTC-5, Bart-Jan Vrielink wrote:
Hello,
I'm still puzzled by why this is not working on your system. The following
works for me on a Centos7 machine:
user { 'testuser':
ensure => 'present',
password => pw_hash('password', 'SHA-512', 'mysalt'),
}
-----Original message-----
From: jmp242 <[email protected]>
Sent: Friday 15th November 2019 14:41
To: Puppet Users <[email protected]>
Subject: Re: [Puppet Users] Managing a local users password with puppet on EL7
So, I set the password manually with passwd and got an entirely different hash
than when I use the pw_hash function. The salt is obviously different as well,
but the rest of /etc/shadow entry is the same. ssh user@localhost works with
the password when I set manually with passwd, and does not work with pw_hash -
not surprisingly.
I tried lowercase sha-512, and got the same hash as with uppercase SHA-512.
Both methods (working manual passwd, and non working pw_hash) start with $6$
which implies a sha-512 hash from the docs, so I think pw_hash is just broken
for EL7. Which means the user resource is broken.
I guess temporarily, I'll just set the hash as a string and generate it with
passwd, and see if that works - but it's obviously not ideal.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/64419ef7-6d5b-4028-8548-194ea8fae8c7%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected]
<mailto:[email protected]> .
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/609eade7-8f51-4881-a7a5-9aaeda2571c3%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/zarafa.5dcec1b6.0474.3c55f75b3c65528f%40anjie.dontpanic.nl.
