0

Puppet is not setting the password for any created users. I tried several methods and none of them seem to work. My manifest file is:

Method 1: sha1() / md5() functions

user {'test1':
    ensure => present,
    password => sha1('vagrant'),
    shell => '/bin/bash',
}

user {'test2':
    ensure => present,
    password => md5('vagrant'),
    shell => '/bin/bash',
}

Method 2: password hash

user {'test3':
    ensure => present,
    password => '$6$plwk1mgalbEBBF$ificPYixcMcaotnm8.aayRDa9GDgBp3OgbrFkkU1ZahT/BAf5JvIkR9WjJZNkhIVcsrFkGY/OAs5ZSMvd0Yl3/',
    shell => '/bin/bash',
}

/etc/shadow is not updated with the password:

vagrant:$6$aqzOtgCM$OxgoM...Ta55l0:0:99999:7:::
test4:!:16183:0:99999:7:::
test3:!:16183:0:99999:7:::
test1:!:16183:0:99999:7:::
test2:!:16183:0:99999:7:::
  • shadow has a "!" mark in the password field for my created users
  • If I manually edit the shadow file and paste in the password hash, I can successfully ssh and su into the accounts.
  • Already looked at "managing a user password for linux in puppet"

versions

  • Ubuntu: 12.04 (hashicorp/precise64)
  • Puppet: 2.7.19
  • Vagrant: 1.5.3
Mike R

2 Answers

1

The issue you have is that Puppet is not updating the /etc/shadow file, but even once it's doing that correctly, Method 1 still will not work. The sha1() and md5() functions do not produce passwd/shadow compatible values because that is not what they are for. Generating encrypted passwords is more complex than a simple hash of the password.

Method 2 should work, but since it's not, you have something else going on. Have you tried to apply the manifest using debug and/or verbose mode?

I will guess that you're missing the ruby-shadow package, which Puppet needs to manage those files. Check your package provider and/or gem to make sure you have it installed.

orev
  • I installed libshadow-ruby1.8 but it's still not working, is there any other library I might need? – Mike R Apr 24 '14 at 00:42
  • I tried with a newer version of puppet (3.4.3), that along with libshadow-ruby seemed to do the trick. – Mike R Apr 24 '14 at 01:26
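The point made in the answer above, that sha1()/md5() output is not a shadow-compatible value, as an added example that is not part of the original posts: a Ruby checker that classifies the password field of /etc/shadow entries. The sample lines are constructed, the function and constant names are hypothetical, and the check covers format only (it does not verify a hash against a password).

```ruby
require 'digest'

# Added example, not from the original thread.
# crypt(3) scheme ids and the length of the encoded hash each one produces.
CRYPT_SCHEMES = {
  '1' => ['MD5-crypt', 22],
  '5' => ['SHA-256-crypt', 43],
  '6' => ['SHA-512-crypt', 86]
}.freeze

# Classify the second field of an /etc/shadow entry by format alone.
def classify_password_field(field)
  return :empty if field.empty?
  return :locked_no_hash if field =~ /\A[!*]+\z/   # what the question shows for test1..test4
  locked = field.start_with?('!')                  # "!" in front of a hash means a locked account
  body = field.sub(/\A!+/, '')
  m = body.match(%r{\A\$(\w+)\$(?:rounds=\d+\$)?([./0-9A-Za-z]{1,16})\$([./0-9A-Za-z]+)\z})
  if m
    name, len = CRYPT_SCHEMES[m[1]]
    return :unknown_scheme unless name
    return :malformed_crypt unless m[3].length == len
    return locked ? :locked_crypt : :crypt
  end
  # A bare 32- or 40-character hex string is a plain MD5/SHA-1 digest:
  # no scheme id and no salt, so login can never match it.
  return :raw_hex_digest if body =~ /\A(?:\h{32}|\h{40})\z/
  :unrecognised
end

# Map each user in a shadow-format text to the classification of its password field.
def audit_shadow(text)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    user, field = line.split(':', 3)
    [user, classify_password_field(field.to_s)]
  end.to_h
end

# Constructed sample: test2 holds what md5('vagrant') would put in the field,
# test3 holds a placeholder with the right shape for SHA-512-crypt (not a real hash).
SAMPLE_SHADOW = [
  'test1:!:16183:0:99999:7:::',
  "test2:#{Digest::MD5.hexdigest('vagrant')}:16183:0:99999:7:::",
  "test3:$6$constructedsalt$#{'A' * 86}:16183:0:99999:7:::"
].join("\n")

audit_shadow(SAMPLE_SHADOW).each { |user, state| puts "#{user}: #{state}" } if __FILE__ == $0
```
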
1

I had this issue today on Ubuntu 12.04 too. As it says in the puppet docs and as corroborated by orev:

Note that you will need to install Ruby’s shadow password library (often known as ruby-libshadow) if you wish to manage user passwords

I was not able to get the libshadow-ruby1.8 package to work however, even when installing the latest puppet version (3.4.3 and now 3.5.1) as mentioned in the comments, so I thought I'd post what worked for me. I've tested it on a new hashicorp/precise64 vagrant box:

Use the ruby-shadow gem. It requires make, so you also need to apt install build-essential:

sudo apt-get install build-essential
sudo gem install ruby-shadow

Then, to make a password in the correct form for the box, use mkpasswd, which is part of the whois package in Ubuntu 12.04:

sudo apt-get install whois

Then the puppet user declaration:

user { 'bob':
  ensure   => present,
  password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
  ...
}
tlcowling