Sebastian Krueger
2009-Apr-03 02:49 UTC
[Puppet Users] updating user passwords with puppet
Hi guys,

I'm trying to update passwords in /etc/shadow with puppet.

I've installed the ruby lib shadow library and am using the following sample puppet syntax:

----
user { "seb":
  gid => "30",
  ensure => present,
  membership => inclusive,
  groups => [ "users" ],
  password => "foofoo"
}
---

result from /etc/shadow:

seb:foofoo:14336:0:99999:7:::

Now the problem is that the foofoo password is expected to be in encrypted form. Is there any way to get the "foofoo" password in encrypted form?

Cleartext: foofoo
Ciphertext: ???

I've found references to mkpasswd, but this does not exist in SLES, and doesn't generate Blowfish passwords anyway. I've tried a variety of Perl one-liners, but can't seem to get the right combination.

Any help would be much appreciated.

Regards, Sebastian.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Sebastian Krueger
2009-Apr-03 03:55 UTC
[Puppet Users] Re: updating user passwords with puppet
Yes, I don't want to store clear text passwords, I want to know how to encrypt passwords so that I can put the encrypted hash into the pp files.

Someone on the irc puppet channel showed me this command, which I'm currently using:

    openssl passwd -1

This works for generating MD5 passwords, but not blowfish passwords.

If anyone knows how to generate blowfish passwords, I'd be keen to know how they do it.

Kind regards, Sebastian.

On Fri, Apr 3, 2009 at 10:33 PM, <nick.maystrenko@gmail.com> wrote:
> Hi Sebastian, it's my type of "any help")). I think that puppet developers
> did right thing and we can't hold in puppet *.pp files clear passwords.
> There is no place in system for clear passwords.
> In your situation, I think, there is a way to make some script for hashing
> not hashed passwords in *.pp. If you need some help with that - you are
> welcome.
> Bye

Helmut Lichtenberg
2009-Apr-03 06:03 UTC
[Puppet Users] Re: updating user passwords with puppet
Sebastian Krueger wrote on 03 Apr 2009 at 05:55:12 CEST:
> If anyone knows how to generate blowfish passwords, I'd be keen to know how
> they do it.

There's a perl module Crypt::Blowfish, that might be of help for you.

Helmut

Robin Lee Powell
2009-Apr-03 06:41 UTC
[Puppet Users] Re: updating user passwords with puppet
On Fri, Apr 03, 2009 at 03:49:18PM +1300, Sebastian Krueger wrote:
> now the problem is, that the foofoo password is expected to be in
> encrypted form. Is there anyway to get "foofoo" password in
> encrypted form?
>
> Cleartext: foofoo
> Cypertext: ???
>
> I've found references to mkpasswd, but this does not exist in
> SLES, and doesn't generate Blowfish passwords anyway. I've tried a
> variety of Perl one-liners, but can't seem to get the right
> combination.

Blowfish? I've never heard of anyone using that for passwords. Standard Linux IME is md5.

mkpasswd *is* in fact the standard tool for this purpose, and it can produce a variety of formats:

    $ mkpasswd -m help
    Available methods:
    des     standard 56 bit DES-based crypt(3)
    md5     MD5
    sha-256 SHA-256
    sha-512 SHA-512

-Robin

Martin Wheldon
2009-Apr-03 08:19 UTC
[Puppet Users] Re: updating user passwords with puppet
What I tend to do is change the password of the account I'm managing

    # passwd user

then copy it from /etc/shadow into the manifest. But then we have very few local user accounts.

Regards
Martin

nick.maystrenko@gmail.com
2009-Apr-03 09:33 UTC
[Puppet Users] Re: updating user passwords with puppet
Hi Sebastian, it's my type of "any help")). I think that puppet developers did right thing and we can't hold in puppet *.pp files clear passwords. There is no place in system for clear passwords.

In your situation, I think, there is a way to make some script for hashing not hashed passwords in *.pp. If you need some help with that - you are welcome.

Bye

Sebastian Krueger
2009-Apr-04 05:00 UTC
[Puppet Users] Re: updating user passwords with puppet
Blowfish is the standard for openSUSE since 9.3. And it's the standard since SLES 9 as well. It's way stronger than md5.

Benjamin Kite
2009-Apr-05 16:49 UTC
[Puppet Users] Re: updating user passwords with puppet
PHP usually uses the appropriate crypt system call for the system, so whether it is DES, SMD5 or BLF, I believe you can reliably generate hashed passwords like this:

    echo "<? print crypt('foofoo'); ?>" | php

Also, in your manifest, you are using double-quotes (") to enclose the password. You will want to make sure to use single-quotes ('), since (at least) salted MD5 always contains the dollar-sign ($) character.

Trevor Vaughan
2009-Apr-06 10:43 UTC
[Puppet Users] Re: updating user passwords with puppet
Isn't Blowfish an encryption algorithm?

Passwords are based on one-way hashes such as SHA, or MD5.

Perhaps there is a mode for Blowfish with which I am not familiar, but I think that you're looking for something that doesn't exist.

Trevor

Hi

> Isn't Blowfish an encryption algorithm?
>
> Passwords are based on one-way hashes such as SHA, or MD5.
>
> Perhaps there is a mode for Blowfish for which I am not familiar, but
> I think that you're looking for something that doesn't exist.

OpenBSD people implemented a blowfish password hashing code. Code for ruby is contained in the bcrypt gem.

cheers Pete

Trevor Vaughan
2009-Apr-06 13:57 UTC
[Puppet Users] Re: updating user passwords with puppet
Interesting, this still seems...odd, but it should work, though I'm still skeptical of using a cipher versus a true one-way hash.

Trevor

Trevor Vaughan wrote:
> Interesting, this still seems...odd, but it should work, though I'm
> still skeptical of using a cipher versus a true one-way hash.

The normal Unix crypt(3) method uses a variant of DES to make a one-way hash. Basically, you use the password as the key to encrypt a constant string. That's been used for 30 years or so, and the only real weakness I can recall hearing about it is that the key is too short (8 characters, and if you use anything longer, only the 8 first characters are used).

/Bellman
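
Added example, not part of the thread or of Puppet: a Ruby audit that catches the failure in the first message (a cleartext value such as "foofoo" landing in the /etc/shadow password field) and the double-quote problem raised later for values containing "$". The function names, the sample users and the placeholder hash strings are assumptions constructed for illustration; it goes beyond the thread by also recognising the SHA-256 and SHA-512 crypt(3) formats.

```ruby
# Added example (not from the thread): classify values headed for the
# password field of /etc/shadow and flag ones that are not crypt(3) hashes.
C = '[./A-Za-z0-9]' # crypt(3) base64 alphabet
SCHEMES = {
  bcrypt: %r{\A\$2[abxy]?\$\d{2}\$#{C}{53}\z}, # the "Blowfish" scheme
  sha512: %r{\A\$6\$(rounds=\d+\$)?#{C}{1,16}\$#{C}{86}\z},
  sha256: %r{\A\$5\$(rounds=\d+\$)?#{C}{1,16}\$#{C}{43}\z},
  md5:    %r{\A\$1\$#{C}{1,8}\$#{C}{22}\z},
  des:    %r{\A#{C}{13}\z} # a 13-character cleartext would also match here
}.freeze

def classify(field)
  return :empty  if field.empty?               # login without a password
  return :locked if field.start_with?('!', '*')
  SCHEMES.each { |name, re| return name if field.match?(re) }
  :not_a_hash                                  # e.g. cleartext such as "foofoo"
end

# Returns [user, scheme] pairs for shadow-format text.
def audit_shadow(text)
  text.each_line.reject { |l| l.strip.empty? }.map do |line|
    user, field = line.chomp.split(':', 3)
    [user, classify(field.to_s)]
  end
end

# Returns one hash per `password => ...` attribute in Puppet manifest text.
# interpolation_risk: the value is double-quoted and contains "$".
def audit_manifest(text)
  text.scan(/password\s*=>\s*(["'])(.*?)\1/).map do |quote, value|
    { scheme: classify(value),
      interpolation_risk: quote == '"' && value.include?('$') }
  end
end

# Constructed placeholders with the right shape; they are not real hashes.
FAKE_BCRYPT = '$2a$10$' + 'A' * 53
FAKE_MD5    = '$1$saltsalt$' + 'B' * 22

SHADOW_SAMPLE = <<~EOS
  seb:foofoo:14336:0:99999:7:::
  alice:#{FAKE_BCRYPT}:14336:0:99999:7:::
  bob:#{FAKE_MD5}:14336:0:99999:7:::
  daemon:*:14336:0:99999:7:::
EOS

MANIFEST_SAMPLE = <<~EOS
  user { "seb":   password => "foofoo" }
  user { "bob":   password => "#{FAKE_MD5}" }
  user { "alice": password => '#{FAKE_MD5}' }
EOS

if __FILE__ == $PROGRAM_NAME
  audit_shadow(SHADOW_SAMPLE).each { |user, scheme| puts "#{user}: #{scheme}" }
  audit_manifest(MANIFEST_SAMPLE).each { |finding| p finding }
end
```

The check is shape-only: it confirms that a value looks like a crypt(3) hash, not that it was derived from any particular password.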