Olivier
2012-Jan-29 15:26 UTC
[Puppet Users] Mining hash field out of the /etc/shadow shadow file
Hello

in James Loope's book (called Managing Infrastructure with Puppet), he writes on page 23: "The password hash can either be mined out of a shadow file or generated with the mkpasswd utility." My question is: how can the hash field be mined out of the shadow file? I tried to use the generate function to execute the following command:

    grep username /etc/shadow | cut -d: -f2

but that did not work. It seems that the generate function does not like the | pipe command.

My question is: how can I extract that hash value and store it in a Puppet variable?

Thank you

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Stefan Schulte
2012-Jan-29 22:39 UTC
Re: [Puppet Users] Mining hash field out of the /etc/shadow shadow file
On Sun, Jan 29, 2012 at 07:26:13AM -0800, Olivier wrote:
> Hello
>
> in James Loope's book (called Managing Infrastructure with Puppet), he
> writes on page 23: "The password hash can either be mined out of a
> shadow file or generated with the mkpasswd utility." My question is:
> how can the hash field be mined out of the shadow file? I tried to
> use the generate function to execute the following command:
>     grep username /etc/shadow | cut -d: -f2
> but that did not work. It seems that the generate function does not
> like the | pipe command.
>
> My question is: how can I extract that hash value and store it in a
> Puppet variable?
>
> Thank you
>

The question is: what are you trying to accomplish? The generate function executes on your puppet master, which is most certainly not what you want.

If you want to have the root password hash on your node available as a variable, you have to write a custom fact [1], but be aware of the possible security implications.

If you just want to create a user account and set a login password, or you want to make sure that a certain user has a certain login password, you can already do so with the user type [2], like

    user { 'root':
      ensure   => present,
      uid      => 0,
      password => 'my hashed password',
    }

[1] http://docs.puppetlabs.com/guides/custom_facts.html
[2] http://docs.puppetlabs.com/references/2.7.9/type.html#user

-Stefan
Stefan Schulte
2012-Jan-29 22:52 UTC
Re: [Puppet Users] Mining hash field out of the /etc/shadow shadow file
On Sun, Jan 29, 2012 at 11:39:46PM +0100, Stefan Schulte wrote:
> On Sun, Jan 29, 2012 at 07:26:13AM -0800, Olivier wrote:
> > Hello
> >
> > in James Loope's book (called Managing Infrastructure with Puppet), he
> > writes on page 23: "The password hash can either be mined out of a
> > shadow file or generated with the mkpasswd utility." My question is:
> > how can the hash field be mined out of the shadow file? I tried to
> > use the generate function to execute the following command:
> >     grep username /etc/shadow | cut -d: -f2
> > but that did not work. It seems that the generate function does not
> > like the | pipe command.
> >
> > My question is: how can I extract that hash value and store it in a
> > Puppet variable?
> >
> > Thank you
> >
>
> The question is: what are you trying to accomplish?
>

Searched the book online. This is what he is trying to say:

You can make sure that a user has a certain login password with the `password` property of the user resource. But you have to supply the hashed password as it would be stored in the /etc/shadow file. But in general you just know the clear text password. An easy way to get the hash value for your clear text password is to set the clear text password with passwd and then look up the hash in the /etc/shadow file, or use the mkpasswd utility (with which I am not familiar).

Once you have the hashed value of your desired clear text password you can copy & paste that into the user definition.

-Stefan
Olivier
2012-Jan-30 02:18 UTC
[Puppet Users] Re: Mining hash field out of the /etc/shadow shadow file
> and then look up the hash in the /etc/shadow file
> or use the mkpasswd utility (with which I am not familiar)
>
> Once you have the hashed value of your desired clear text password
> you can copy & paste that into the user definition.
>
> -Stefan
>

Your answer is just the text of my original question. So the question still stands: how do I get the hashed value from /etc/shadow?

Here is the background of my problem. I have 40 puppet clients and one master. The password of each user expires after 90 days. Instead of changing their password manually on 40 different servers by logging into each server, each user will have to change his/her password on the puppet server only, and Puppet will replicate the hash value on each puppet client. Obviously I will never know the user's password and am not interested in replicating the root password. NIS and LDAP are not an option.

Thank you.
Jeff McCune
2012-Jan-30 04:07 UTC
Re: [Puppet Users] Re: Mining hash field out of the /etc/shadow shadow file
On Sun, Jan 29, 2012 at 6:18 PM, Olivier <ofranmar@gmail.com> wrote:
[snip]
>
> your answer is just the text of my original question. So the question
> still stands: how do I get the hashed value from /etc/shadow?

Are you trying to get a value from /etc/shadow on a managed node or from the puppet master system itself? Remember, functions in the Puppet DSL are only ever executed when compiling the catalog, so that means the Puppet Master (in a client / server setup) or the stand-alone puppet apply application.

If you're looking to get the value from a managed node and then use it in manifests on the master, you'll need to use a custom fact. If you're looking to use the value in a resource you're managing, you'll likely want to build it into a custom type and provider.

> Here is the background of my problem. I have 40 puppet clients and one
> master. The password of each user expires after 90 days. Instead of
> changing their password manually on 40 different servers by logging
> into each server, each user will have to change his/her password on the
> puppet server only and Puppet will replicate the hash value on each
> puppet client. Obviously I will never know the user's password and am
> not interested in replicating the root password. NIS and LDAP are not
> an option.

For this use case a custom function that reads the file will work fine. You could even use generate() and a shell one-liner. Are you running into a standard filesystem permissions issue? /etc/shadow is locked down pretty hard, and the Puppet Master usually runs with lower privileges using a service account.

--
Jeff McCune
Aaron Grewell
2012-Jan-30 04:20 UTC
Re: [Puppet Users] Re: Mining hash field out of the /etc/shadow shadow file
Since it's the shell redirection that Puppet seems not to like, why not wrap the commands in a shell script and use generate on that?

On Jan 29, 2012 6:18 PM, "Olivier" <ofranmar@gmail.com> wrote:
> > and then look up the hash in the /etc/shadow file
> > or use the mkpasswd utility (with which I am not familiar)
> >
> > Once you have the hashed value of your desired clear text password
> > you can copy & paste that into the user definition.
> >
> > -Stefan
> >
>
> your answer is just the text of my original question. So the question
> still stands: how do I get the hashed value from /etc/shadow?
>
> Here is the background of my problem. I have 40 puppet clients and one
> master. The password of each user expires after 90 days. Instead of
> changing their password manually on 40 different servers by logging
> into each server, each user will have to change his/her password on the
> puppet server only and Puppet will replicate the hash value on each
> puppet client. Obviously I will never know the user's password and am
> not interested in replicating the root password. NIS and LDAP are not
> an option.
>
> Thank you.
deet
2012-Jan-30 17:22 UTC
[Puppet Users] Re: Mining hash field out of the /etc/shadow shadow file
Olivier, here is what the password part of our user resources looks like. The actual command is just a wrapper around finding the crypt and returning something appropriate.

    password => generate('/site/bin/getups', '-u', "$name"),

Make sure the script you are calling with generate returns a shadow entry without a trailing newline. I would also make sure the script never returns an empty string or any OS-specific values that would create a shell account without a password.

As Jeff mentioned, you'll run into some permissions problems, so you'll need to either have an independent process dumping user/hashes to a file readable by the puppet user, or allow puppet to read the shadow file via sudo or something.

HTH

On Jan 29, 8:20 pm, Aaron Grewell <aaron.grew...@gmail.com> wrote:
> Since it's the shell redirection that Puppet seems not to like, why not
> wrap the commands in a shell script and use generate on that?
> On Jan 29, 2012 6:18 PM, "Olivier" <ofran...@gmail.com> wrote:
> > > and then look up the hash in the /etc/shadow file
> > > or use the mkpasswd utility (with which I am not familiar)
> > >
> > > Once you have the hashed value of your desired clear text password
> > > you can copy & paste that into the user definition.
> > >
> > > -Stefan
> >
> > your answer is just the text of my original question. So the question
> > still stands: how do I get the hashed value from /etc/shadow?
> >
> > Here is the background of my problem. I have 40 puppet clients and one
> > master. The password of each user expires after 90 days. Instead of
> > changing their password manually on 40 different servers by logging
> > into each server, each user will have to change his/her password on the
> > puppet server only and Puppet will replicate the hash value on each
> > puppet client. Obviously I will never know the user's password and am
> > not interested in replicating the root password. NIS and LDAP are not
> > an option.
> >
> > Thank you.
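An added example, not from this thread, of the kind of wrapper script Aaron and deet describe: a POSIX sh function that pulls one user's hash field out of shadow-format text, prints it without a trailing newline, and exits non-zero printing nothing when the entry is missing, empty or locked, so generate() can never hand the user resource an empty password. The sample shadow lines, the getups-style `-u` entry point and the SHADOW_FILE variable are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format (not real data). Fields:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$constructedRootHash:15000:0:99999:7:::
alice:$6$xyzsalt$constructedAliceHash:15000:0:90:7:::
malice:$6$othersalt$constructedMaliceHash:15000:0:90:7:::
bob::15000:0:90:7:::
daemon:*:15000:0:99999:7:::
carol:!$6$locked$constructedLockedHash:15000:0:90:7:::'

# get_shadow_hash USER SHADOW_TEXT
# Prints USER's hash field with no trailing newline (generate() would pass a
# newline straight into the password property) and exits non-zero without
# printing anything when the entry is missing, empty or locked, so a failed
# lookup can never turn into a passwordless account on every client.
get_shadow_hash() {
    _user=$1
    _shadow=$2
    # Match the name field exactly; a plain "grep alice" would also hit "malice".
    _hash=$(printf '%s\n' "$_shadow" | awk -F: -v u="$_user" '$1 == u { print $2; exit }')
    case $_hash in
        '')                    return 1 ;;  # no such user, or empty password field
        '!'*|'*'*)             return 2 ;;  # locked or disabled account
        *[!A-Za-z0-9./'$']*)   return 3 ;;  # not a crypt(3) string: refuse to pass it on
    esac
    printf '%s' "$_hash"
}

# getups-style entry point for generate('/site/bin/getups', '-u', "$name").
# SHADOW_FILE (constructed name) lets the unprivileged puppet user read a copy
# dumped by a privileged process instead of /etc/shadow itself.
if [ "$1" = "-u" ] && [ -n "$2" ]; then
    get_shadow_hash "$2" "$(cat "${SHADOW_FILE:-/etc/shadow}")"
fi
```

Because the script exits non-zero on a bad lookup, generate() fails the catalog compile instead of silently managing the account with a wrong value; that failure is the check deet asks for.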
Olivier
2012-Jan-31 15:31 UTC
[Puppet Users] Re: Mining hash field out of the /etc/shadow shadow file
Hello

Thank you for the help, and this is what I ended up doing.

Olivier