Of course this is not idempotent. Mmm, security is difficult.
-----Original message-----
From: Bart-Jan Vrielink <[email protected]>
Sent: Friday 15th November 2019 16:18
To: [email protected]
Subject: RE: [Puppet Users] Managing a local users password with puppet on EL7

Hello,

Glad to hear that you got it to work. Before you put this into production, please make sure you don't re-use the same salt value. Try to randomize it. Something like seeded_rand_string(16,strftime("%s%L")) may work.

-----Original message-----
From: jmp242 <[email protected]>
Sent: Friday 15th November 2019 15:31
To: Puppet Users <[email protected]>
Subject: Re: [Puppet Users] Managing a local users password with puppet on EL7

I figured it out. Thanks for the help. It's because I wasn't doing

    password => pw_hash('password', 'SHA-512', 'mysalt'),

I was doing

    Sensitive(pw_hash('$password', 'SHA-512', 'oursalt')),

And because I used single quotes, it wasn't actually getting the parameter / variable, but the literal $password. Remove the quotes entirely because it's just a variable, and it works! And this is why you can't always just copy -> paste -> edit your stuff in!

On Friday, November 15, 2019 at 8:55:57 AM UTC-5, Bart-Jan Vrielink wrote:

Hello,

I'm still puzzled by why this is not working on your system. The following works for me on a Centos7 machine:

    user { 'testuser':
      ensure   => 'present',
      password => pw_hash('password', 'SHA-512', 'mysalt'),
    }

-----Original message-----
From: jmp242 <[email protected]>
Sent: Friday 15th November 2019 14:41
To: Puppet Users <[email protected]>
Subject: Re: [Puppet Users] Managing a local users password with puppet on EL7

So, I set the password manually with passwd and got an entirely different hash than when I use the pw_hash function. The salt is obviously different as well, but the rest of /etc/shadow entry is the same. ssh user@localhost works with the password when I set manually with passwd, and does not work with pw_hash - not surprisingly.

I tried lowercase sha-512, and got the same hash as with uppercase SHA-512. Both methods (working manual passwd, and non working pw_hash) start with $6$ which implies a sha-512 hash from the docs, so I think pw_hash is just broken for EL7. Which means the user resource is broken. I guess temporarily, I'll just set the hash as a string and generate it with passwd, and see if that works - but it's obviously not ideal.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/64419ef7-6d5b-4028-8548-194ea8fae8c7%40googlegroups.com.
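
The thread raises three issues: the single-quoted '$password', salt reuse, and a time-seeded salt not being idempotent. The following is an added example, not code from any of the posters, showing one way to handle all three. The class name, its parameters and the seed string are assumptions, and it relies on pw_hash and fqdn_rand_string from the puppetlabs-stdlib module.

```puppet
# Added example: hypothetical class, not taken from the thread.
# Requires puppetlabs-stdlib for pw_hash() and fqdn_rand_string().
class local_account (
  String[1]            $username,
  Sensitive[String[1]] $password,
) {
  # Quoting bug from the thread: single quotes do not interpolate, so
  #   pw_hash('$password', 'SHA-512', 'oursalt')
  # hashes the literal text $password. The account then gets a valid-looking
  # $6$ hash that matches nothing the operator intended.
  # Pass the variable itself (unquoted) instead.

  # Salt handling:
  #  - a fixed string such as 'oursalt' is shared by every host and user,
  #    so identical passwords produce identical shadow entries;
  #  - a salt seeded from the current time changes on every catalog
  #    compilation, so the user resource reports a change on every run.
  # fqdn_rand_string() is deterministic for a given node name and seed:
  # the salt differs per node and per account, yet is stable across runs.
  # A salt is not a secret; it only has to differ between hashes.
  $salt = fqdn_rand_string(16, '', "pw_hash salt ${username}")

  user { $username:
    ensure   => present,
    # Sensitive keeps the hash out of logs and reports. unwrap exposes the
    # cleartext only to pw_hash during catalog compilation.
    password => Sensitive(pw_hash($password.unwrap, 'SHA-512', $salt)),
  }
}

# Constructed usage: in practice the value comes from an encrypted Hiera
# lookup rather than a literal in the manifest.
class { 'local_account':
  username => 'testuser',
  password => Sensitive('example-only-password'),
}
```

Because the salt is a pure function of the node name and the seed string, a second run computes the same hash and the user resource stays unchanged.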
