It's probably ok to reuse the same salt; it's just to defeat pre-computation attacks.

But if you really don't want to, you could:

- Use the username as the salt. That'll be static, so idempotent, and different for every user. Not as great as a random salt, but better than no salt.
- Use a secrets server like Vault, and use the Hiera-Vault plugin to retrieve a password. (Just make sure you test first. I tested this about a year ago, and at the time the Hiera Vault plugin had a bug that eventually exhausted all the connections into Vault.)
- Don't actually use Puppet to set a password. If this is your own user, just manage your password yourself with the `passwd` command.

On Friday, November 15, 2019 at 10:23:26 AM UTC-5, Bart-Jan Vrielink wrote:

> Of course this is not idempotent. Mmm, security is difficult.
>
> -----Original message-----
> *From:* Bart-Jan Vrielink <[email protected]>
> *Sent:* Friday 15th November 2019 16:18
> *To:* [email protected]
> *Subject:* RE: [Puppet Users] Managing a local users password with puppet on EL7
>
> Hello,
>
> Glad to hear that you got it to work.
>
> Before you put this into production, please make sure you don't re-use the same salt value. Try to randomize it. Something like seeded_rand_string(16,strftime("%s%L")) may work.
>
> -----Original message-----
> *From:* jmp242 <[email protected]>
> *Sent:* Friday 15th November 2019 15:31
> *To:* Puppet Users <[email protected]>
> *Subject:* Re: [Puppet Users] Managing a local users password with puppet on EL7
>
> I figured it out. Thanks for the help. It's because I wasn't doing
>
>     password => pw_hash(*'password'*, 'SHA-512', 'mysalt'),
>
> I was doing
>
>     Sensitive(pw_hash(*'$password'*, 'SHA-512', 'oursalt')),
>
> And because I used single quotes, it wasn't actually getting the parameter / variable, but the literal $password. Remove the quotes entirely because it's just a variable, and it works!
>
> And this is why you can't always just copy -> paste -> edit your stuff in!
>
> On Friday, November 15, 2019 at 8:55:57 AM UTC-5, Bart-Jan Vrielink wrote:
>
>> Hello,
>>
>> I'm still puzzled by why this is not working on your system. The following works for me on a Centos7 machine:
>>
>>     user { 'testuser':
>>       ensure   => 'present',
>>       password => pw_hash('password', 'SHA-512', 'mysalt'),
>>     }
>>
>> -----Original message-----
>> *From:* jmp242 <[email protected]>
>> *Sent:* Friday 15th November 2019 14:41
>> *To:* Puppet Users <[email protected]>
>> *Subject:* Re: [Puppet Users] Managing a local users password with puppet on EL7
>>
>> So, I set the password manually with passwd and got an entirely different hash than when I use the pw_hash function. The salt is obviously different as well, but the rest of the /etc/shadow entry is the same. ssh user@localhost works with the password when I set it manually with passwd, and does not work with pw_hash - not surprisingly.
>>
>> I tried lowercase sha-512, and got the same hash as with uppercase SHA-512. Both methods (working manual passwd, and non-working pw_hash) start with $6$ which implies a sha-512 hash from the docs, so I think pw_hash is just broken for EL7. Which means the user resource is broken.
>>
>> I guess temporarily, I'll just set the hash as a string and generate it with passwd, and see if that works - but it's obviously not ideal.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/aef852aa-8a9c-4535-aaaa-c7f3ebbabce5%40googlegroups.com.
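A worked illustration of the salt trade-off discussed in this thread, added here as an example and not code posted by any participant: it produces SHA-512-crypt hashes through libc crypt(3), the same routine pw_hash relies on, and contrasts a timestamp salt (different on every run, so the user resource is never idempotent), a plain username salt, and a salt derived from the username plus a secret pepper (static per user, so idempotent, yet not guessable from the shadow entry). The pepper value and helper names are assumptions of this example; it assumes a glibc or musl system where crypt(3) supports "$6$".

```ruby
require 'openssl'

# Alphabet crypt(3) accepts in a salt; SHA-512-crypt uses at most 16 chars.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# SHA-512-crypt via libc crypt(3) (assumption: glibc/musl; other libcs may
# not support the "$6$" prefix and would return something else).
def sha512_crypt(password, salt)
  hash = password.crypt("$6$#{salt}$")
  raise 'crypt(3) here does not support SHA-512' unless hash.start_with?('$6$')
  hash
end

# Check a password against a stored shadow entry: crypt(3) reads the
# algorithm and salt back out of the stored hash, which is what login does.
def verify(password, stored)
  password.crypt(stored) == stored
end

# Salt choices discussed in the thread.
def timestamp_salt            # strftime("%s%L")-style: changes every run
  Time.now.strftime('%s%L')[0, 16]
end

def username_salt(user)       # static per user, but predictable
  user.tr('^a-zA-Z0-9./', '.')[0, 16]
end

# Static per user AND unpredictable: derive the salt from the username with
# a secret pepper kept only on the Puppet master (e.g. from Vault or Hiera;
# the value below is a constructed placeholder).
PEPPER = 'constructed-example-pepper-keep-out-of-git'.freeze
def peppered_salt(user, pepper = PEPPER)
  digest = OpenSSL::HMAC.digest('SHA256', pepper, user)
  digest.bytes.first(16).map { |b| SALT_CHARS[b % SALT_CHARS.size] }.join
end

if __FILE__ == $PROGRAM_NAME
  pw = 'password'
  h1 = sha512_crypt(pw, peppered_salt('testuser'))
  h2 = sha512_crypt(pw, peppered_salt('testuser'))
  puts "peppered salt idempotent: #{h1 == h2}"          # same hash each run
  t1 = sha512_crypt(pw, timestamp_salt)
  sleep 0.002
  puts "timestamp salt stable: #{t1 == sha512_crypt(pw, timestamp_salt)}"
  puts "verify: #{verify(pw, h1)}"
end
```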
