Not updating the user password

0
votes

Puppet is not setting the password for any created users. I tried several methods and none of them seem to work, my manifest file is:

Method 1: sha1() / md5() functions

user {'test1':
    ensure => present,
    password => sha1('vagrant'),
    shell => '/bin/bash',
}

user {'test2':
    ensure => present,
    password => md5('vagrant'),
    shell => '/bin/bash',
}

Method 2: password hash

user {'test3':
    ensure => present,
    password => '$6$plwk1mgalbEBBF$ificPYixcMcaotnm8.aayRDa9GDgBp3OgbrFkkU1ZahT/BAf5JvIkR9WjJZNkhIVcsrFkGY/OAs5ZSMvd0Yl3/',
    shell => '/bin/bash',
}

/etc/shadow is not updated w/ pass

vagrant:$6$aqzOtgCM$OxgoM...Ta55l0:0:99999:7:::
test4:!:16183:0:99999:7:::
test3:!:16183:0:99999:7:::
test1:!:16183:0:99999:7:::
test2:!:16183:0:99999:7:::
  • shadow has a "!" mark in the password field for my created users
  • If I manually edit the shadow file and paste in the password hash i can successfully ssh & su into the accounts.
  • already looked managing a user password for linux in puppet

versions

  • Ubuntu: 12.04 (hashicorp/precise64)
  • Puppet: 2.7.19
  • Vagrant: 1.5.3
2
vagrantpuppet
(The original title was far better in my opinion, but I'm not going to start a revert war.) - ikegami

2 Answers

1
votes

The issue you have is that Puppet is not updating the /etc/shadow file, but even once it's doing that correctly, Method 1 still will not work. The sha1() and md5() functions do not produce passwd/shadow compatible values because that is not what they are for. Generating encrypted passwords is more complex than a simple hash of the password.

Method 2 should work, but since it's not, you have something else going on. Have you tried to apply the manifest using debug and/or verbose mode?

I will guess that you're missing the ruby-shadow package, which Puppet needs to manage those files. Check your package provider and/or gem to make sure you have it installed.

1
votes

I had this issue today on ubuntu 12.04 too. As it says in the puppet docs and as corroborated by orev:

Note that you will need to install Ruby’s shadow password library (often known as ruby-libshadow) if you wish to manage user passwords

I was not able to get the libshadow-ruby1.8 package to work however, even when installing the latest puppet version (3.4.3 and now 3.5.1) as mentioned in the comments, so I thought I'd post what worked for me. I've tested it on a new hashicorp/precise64 vagrant box:

Use the ruby-shadow gem - it requires make so also need to apt install build-essential

sudo apt-get install build-essential
sudo gem install ruby-shadow

Then to make a password in the correct form for the box, mkpasswd, which is part of the whois package in ubuntu 12.04

sudo apt-get install whois

then the puppet user declaration:

user { 'bob':
  ensure   => present,
  password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${password} | tr -d '\n'"),
  ...
}