Hey all,

My objective is to set the root password on the puppet master and then have root module mine the hash from the shadow file. It seems like it should work, but I get the error "Parameter password failed: Passwords cannot include ':' at". I am not sure where it is seeing the ":".

Any ideas?

The manifest looks like this:

class root::linuxroot {
  user { 'root':
    ensure   => 'present',
    comment  => 'root',
    uid      => '0',
    gid      => '0',
    home     => '/root',
    password => generate("/pathtoscript/getlinuxhash.sh"),
    shell    => '/bin/bash',
  }
}

And the getlinuxhash.sh looks like this:

#!/bin/sh
HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
echo "'"$HASHPASS"'"

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/Q2wcMCPiKBUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Christopher Wood
2012-Jun-22 22:13 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
inline

On Fri, Jun 22, 2012 at 02:42:54PM -0700, Rob B. wrote:
> Hey all,
>
> My objective is to set the root password on the puppet master and then
> have root module mine the hash from the shadow file. It seems like it
> should work, but I get the error "Parameter password failed: Passwords
> cannot include ':' at". I am not sure where it is seeing the ":".
>
> Any ideas?
>
> The manifest looks like this:
> class root::linuxroot {
>   user { 'root':
>     ensure   => 'present',
>     comment  => 'root',
>     uid      => '0',
>     gid      => '0',
>     home     => '/root',
>     password => generate("/pathtoscript/getlinuxhash.sh"),
>     shell    => '/bin/bash',
>   }
> }
>
> And the getlinuxhash.sh looks like this:
> #!/bin/sh
> HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
> echo "'"$HASHPASS"'"

# facter | grep operatingsystem
operatingsystem => Debian
operatingsystemrelease => 6.0.5
# /bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }'
bash: /bin/awk: No such file or directory

You're probably fine with not using the full paths there, unless you are either on a single system type and/or templating getlinuxhash.sh.

"'"$HASHPASS"'"

That is likely interpreted as:

"'"       <--- a string
$HASHPASS <--- substituted
"'"       <--- a string

When I run your whole script without the full paths:

# cat /tmp/22
#!/bin/sh
HASHPASS=$(grep root /etc/shadow | awk -F ":" '{ print $2 }')
echo "'"$HASHPASS"'"
# bash /tmp/22
'$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9bASyGcFTxomYSalcryFp5QsKrNJSOmPsG4NNNOZRSZS4S3aRwMD3iza03ORDTxlaq0'

Since the password hash should start with $6$, it looks like you're returning the quotes too, which is an incorrect password hash.

# cat /tmp/1.pp
file { '/tmp/cw1':
  content => generate('/tmp/22')
}
# puppet apply /tmp/1.pp
notice: /Stage[main]//File[/tmp/cw1]/ensure: defined content as '{md5}3f4302ca8a8c24301c265fdc5345f341'
# cat /tmp/cw1
'$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9BASyGcFTxomYSal4ryFp5AsKrNJSOmPsG4NNNOZRSZh4S3aRwMD3iza03ORDTelaq0'

Possibly try this for your generator? The -n is because I'm not certain if puppet will keep the trailing newline as part of the hash.

#!/bin/sh
HASHPASS=$(grep root /etc/shadow | awk -F: '{print $2}')
echo -n "$HASHPASS"

Also, why mine the password rather than provision it from your puppet manifests, or better, hiera? That way you get more than one root password.
Rob B.
2012-Jun-25 13:52 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
Hey Christopher,

Thanks for the reply. I will give this a try this morning. As for your question about why we want to mine it, we want to change the root password in our password manager software, have that change the root password on the puppet master, and then have puppet distribute the hash everywhere. It makes it easy to keep a single root for all the systems we want it to manage.

Thanks!
Rob

On Friday, June 22, 2012 6:13:19 PM UTC-4, Christopher Wood wrote:
> inline
>
> On Fri, Jun 22, 2012 at 02:42:54PM -0700, Rob B. wrote:
> > Hey all,
> >
> > My objective is to set the root password on the puppet master and then
> > have root module mine the hash from the shadow file. It seems like it
> > should work, but I get the error "Parameter password failed: Passwords
> > cannot include ':' at". I am not sure where it is seeing the ":".
> >
> > Any ideas?
> >
> > The manifest looks like this:
> > class root::linuxroot {
> >   user { 'root':
> >     ensure   => 'present',
> >     comment  => 'root',
> >     uid      => '0',
> >     gid      => '0',
> >     home     => '/root',
> >     password => generate("/pathtoscript/getlinuxhash.sh"),
> >     shell    => '/bin/bash',
> >   }
> > }
> >
> > And the getlinuxhash.sh looks like this:
> > #!/bin/sh
> > HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
> > echo "'"$HASHPASS"'"
>
> # facter | grep operatingsystem
> operatingsystem => Debian
> operatingsystemrelease => 6.0.5
> # /bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }'
> bash: /bin/awk: No such file or directory
>
> You're probably fine with not using the full paths there, unless you are
> either on a single system type and/or templating getlinuxhash.sh.
>
> "'"$HASHPASS"'"
>
> That is likely interpreted as:
>
> "'"       <--- a string
> $HASHPASS <--- substituted
> "'"       <--- a string
>
> When I run your whole script without the full paths:
>
> # cat /tmp/22
> #!/bin/sh
> HASHPASS=$(grep root /etc/shadow | awk -F ":" '{ print $2 }')
> echo "'"$HASHPASS"'"
> # bash /tmp/22
> '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9bASyGcFTxomYSalcryFp5QsKrNJSOmPsG4NNNOZRSZS4S3aRwMD3iza03ORDTxlaq0'
>
> Since the password hash should start with $6$, it looks like you're
> returning the quotes too, which is an incorrect password hash.
>
> # cat /tmp/1.pp
> file { '/tmp/cw1':
>   content => generate('/tmp/22')
> }
> # puppet apply /tmp/1.pp
> notice: /Stage[main]//File[/tmp/cw1]/ensure: defined content as '{md5}3f4302ca8a8c24301c265fdc5345f341'
> # cat /tmp/cw1
> '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9BASyGcFTxomYSal4ryFp5AsKrNJSOmPsG4NNNOZRSZh4S3aRwMD3iza03ORDTelaq0'
>
> Possibly try this for your generator? The -n is because I'm not certain if
> puppet will keep the trailing newline as part of the hash.
>
> #!/bin/sh
> HASHPASS=$(grep root /etc/shadow | awk -F: '{print $2}')
> echo -n "$HASHPASS"
>
> Also, why mine the password rather than provision it from your puppet
> manifests, or better, hiera? That way you get more than one root password.
R.I.Pienaar
2012-Jun-25 13:53 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
----- Original Message -----
> From: "Rob B." <rbencale@gmail.com>
> To: puppet-users@googlegroups.com
> Sent: Monday, June 25, 2012 2:52:51 PM
> Subject: Re: [Puppet Users] Using generate() to mine a shadow file hash
>
>
> Hey Christopher,
>
> Thanks for the reply. I will give this a try this morning. As for
> your question about why we want to mine it, we want to change the
> root password in our password manager software, have that change the
> root password on the puppet master, and then have puppet distribute
> the hash everywhere. It makes it easy to keep a single root for all
> the systems we want it to manage.

Quite sure this won't work: the puppet master does not run as root and so your generate won't have access to read the shadow file.
R.I.Pienaar
2012-Jun-25 13:54 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
----- Original Message -----
> From: "R.I.Pienaar" <rip@devco.net>
> To: puppet-users@googlegroups.com
> Sent: Monday, June 25, 2012 2:53:45 PM
> Subject: Re: [Puppet Users] Using generate() to mine a shadow file hash
>
>
>
> ----- Original Message -----
> > From: "Rob B." <rbencale@gmail.com>
> > To: puppet-users@googlegroups.com
> > Sent: Monday, June 25, 2012 2:52:51 PM
> > Subject: Re: [Puppet Users] Using generate() to mine a shadow file
> > hash
> >
> >
> > Hey Christopher,
> >
> > Thanks for the reply. I will give this a try this morning. As for
> > your question about why we want to mine it, we want to change the
> > root password in our password manager software, have that change
> > the
> > root password on the puppet master, and then have puppet distribute
> > the hash everywhere. It makes it easy to keep a single root for all
> > the systems we want it to manage.
>
> Quite sure this won't work: the puppet master does not run as root and
> so your generate won't have access to read the shadow file.
>

You could use sudo of course, but it doesn't seem like a great idea :)
Felix Frank
2012-Jun-25 14:12 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
>> Quite sure this won't work: the puppet master does not run as root and
>> so your generate won't have access to read the shadow file.
>>
> You could use sudo of course, but it doesn't seem like a great idea :)

Sounds right enough. Though if you're being generous with the hash of that one root password for each last of your boxen (this strikes me as not the most secure of concepts), you can go all the way and make it a custom fact that the agent *on* your puppet master (or any other node you declare seed for the root password) presents to the puppet master for redistribution.

Also, some wear leveling of your precious grep binary (either in generate+sudo or a fact):

awk -F: '$1 == "root" { print $2 }' /etc/shadow

;-)

(Also, protection from various possible occurrences of the string "root" in your shadow file.)
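Christopher's message above shows the two output defects a generator script can introduce (the literal quotes around the hash, and a possible trailing newline), and Felix's shows why an exact match on the username field beats grep. The script below is an added example written for this thread, not code from any poster or from Puppet: it combines both points in one function, validates that what it returns actually looks like a crypt-style hash before Puppet ever sees it, and runs against a constructed shadow-format file with placeholder hashes so it can be exercised without root. The function name extract_hash, the file layout and the sample entries are all assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): return one user's password hash from a
# shadow-format file in exactly the form Puppet's user { password => } wants:
# no surrounding quotes, no trailing newline, and never a ':' in the value.

# extract_hash SHADOWFILE USERNAME
#   Prints field 2 (the hash) for USERNAME and nothing else.
#   Exit 1: user not present, or hash field empty.
#   Exit 2: hash field is not a crypt-style "$id$salt$hash" value
#           (e.g. "!" or "*", which mark a locked or passwordless account).
extract_hash() {
    shadowfile="$1"
    username="$2"
    # Compare field 1 exactly, so "root" never matches "nonroot" or "rootbeer".
    # Splitting on ':' also guarantees the extracted field contains no ':'.
    pwhash=$(awk -F: -v u="$username" '$1 == u { print $2; exit }' "$shadowfile")
    [ -n "$pwhash" ] || return 1
    case "$pwhash" in
        \$*\$*\$*) ;;          # looks like $6$salt$hash, $5$..., $1$...
        *) return 2 ;;         # "!", "*", "" or anything else: refuse it
    esac
    # printf rather than "echo -n": echo's treatment of -n varies between
    # /bin/sh implementations, printf '%s' never adds a newline.
    printf '%s' "$pwhash"
}

# Constructed sample input; the hashes are placeholders, not real ones.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$constructedsalt$constructedhashvalue:15000:0:99999:7:::
nonroot:$6$othersalt$otherhashvalue:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
locked:!:15000:0:99999:7:::
EOF

# Stand-alone demonstration: print the root hash, then a newline for the terminal.
extract_hash "$SAMPLE" root && echo
```

Wired into generate() the arguments would be /etc/shadow and root, and the script inherits the point R.I. raises: whatever runs it has to be able to read /etc/shadow, which is root on a normal system. The non-zero exit on a locked or missing account is deliberate: generate() fails the catalog compile on a non-zero exit, which is far better than silently pushing "*" or an empty string out as the root password of every managed node.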
Rob B.
2012-Jun-25 14:17 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
I suppose I could use a cron to pull out the hash and put it into a file to be read by puppet.

On Monday, June 25, 2012 9:54:49 AM UTC-4, R.I. Pienaar wrote:
>
>
>
> ----- Original Message -----
> > From: "R.I.Pienaar" <rip@devco.net>
> > To: puppet-users@googlegroups.com
> > Sent: Monday, June 25, 2012 2:53:45 PM
> > Subject: Re: [Puppet Users] Using generate() to mine a shadow file hash
> >
> >
> >
> > ----- Original Message -----
> > > From: "Rob B." <rbencale@gmail.com>
> > > To: puppet-users@googlegroups.com
> > > Sent: Monday, June 25, 2012 2:52:51 PM
> > > Subject: Re: [Puppet Users] Using generate() to mine a shadow file
> > > hash
> > >
> > >
> > > Hey Christopher,
> > >
> > > Thanks for the reply. I will give this a try this morning. As for
> > > your question about why we want to mine it, we want to change the
> > > root password in our password manager software, have that change
> > > the
> > > root password on the puppet master, and then have puppet distribute
> > > the hash everywhere. It makes it easy to keep a single root for all
> > > the systems we want it to manage.
> >
> > Quite sure this won't work: the puppet master does not run as root and
> > so your generate won't have access to read the shadow file.
> >
>
> You could use sudo of course, but it doesn't seem like a great idea :)
>
John Lyman
2012-Jun-26 01:16 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
This would be fairly easy from cron by running 'puppet resource user root > some.pp'.

It would be even better if your password manager could trigger the command to run only when the password has changed.

On Monday, June 25, 2012 10:17:20 AM UTC-4, Rob B. wrote:
>
> I suppose I could use a cron to pull out the hash and put it into a file
> to be read by puppet.
>
Robert Bencale
2012-Jun-26 01:30 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
Hey John,

It doesn't give the password section.

Thanks!
Rob

On Mon, Jun 25, 2012 at 9:16 PM, John Lyman <jlyman2@gmail.com> wrote:
> This would be fairly easy from cron by running 'puppet resource user root >
> some.pp'.
>
> It would be even better if your password manager could trigger the command
> to run only when the password has changed.
>
>
> On Monday, June 25, 2012 10:17:20 AM UTC-4, Rob B. wrote:
>>
>> I suppose I could use a cron to pull out the hash and put it into a file
>> to be read by puppet.
>>
John Lyman
2012-Jun-26 22:22 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
It does for me, but I am running as root. Maybe that is the difference. Or maybe your user provider doesn't manage_passwords?

On Monday, June 25, 2012 9:30:39 PM UTC-4, Rob B. wrote:
>
> Hey John,
>
> It doesn't give the password section.
>
Robert Bencale
2012-Jun-27 16:40 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
Hmmm, I am also running as root, but do get the password hash. Any ideas?

On Tue, Jun 26, 2012 at 6:22 PM, John Lyman <jlyman2@gmail.com> wrote:
> It does for me, but I am running as root. Maybe that is the difference.
> Or maybe your user provider doesn't manage_passwords?
>
>
> On Monday, June 25, 2012 9:30:39 PM UTC-4, Rob B. wrote:
>>
>> Hey John,
>>
>> It doesn't give the password section.
>>
Felix Frank
2012-Jun-27 16:44 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
On 06/27/2012 06:40 PM, Robert Bencale wrote:
> Hmmm, I am also running as root, but do get the password hash. Any ideas?

Yes, actually. Do you have librubyshadow installed?
Robert Bencale
2012-Jun-27 16:55 UTC
Re: [Puppet Users] Using generate() to mine a shadow file hash
I have the rpm ruby-shadow-1.4.1-7.el5 installed.

On Wed, Jun 27, 2012 at 12:44 PM, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
> On 06/27/2012 06:40 PM, Robert Bencale wrote:
> > Hmmm, I am also running as root, but do get the password hash. Any ideas?
>
> Yes, actually. Do you have librubyshadow installed?
>