I'm using Puppet to manage user passwords. (Yes, I know LDAP is better, but I've been told from the higher-ups to use Puppet.) I have this class that, when run as root, changes bob's password to "bobs_new_password". It should ideally prompt for a new password when bob runs it, but I should be able to add that functionality in later. When I run it as root with puppet agent --test, it says all goes well and notifies me of the new hash, so I know it's been set correctly in the /etc/shadow file. Right now, I'm only working with test users on VMs, so I'm not worried about the security risk of notifying the hash; that line will obviously be taken out for the working version of the code. What I have so far is this:

class pwdchange ($newpwd = 'bobs_new_password', $targetuser = "bob") {
  $temp = inline_template("<%= Digest::MD5.digest(scope.lookupvar('newpwd'))%>")
  $hashtypeidentifier = '$1$' # '$1' for MD5, '$6' for sha512.
  user {"$targetuser":
    ensure   => present,
    password => "${hashtypeidentifier}${temp}",
  }
  notify {"${temp}":}
}

However, when I go to ssh into the VM as bob, neither the old password nor the new password is accepted. What am I doing wrong? Why is it not accepting either password, and what can I do to fix it?

Seri

1 Answer

MD5 passwords in the shadow file are of the format $1$salt$hash; I don't see any salt in your code.

See also How to generate a /etc/shadow compatible password for Ubuntu 10.04?

See also Ruby's crypt() function, which will generate the complete shadow file string for you.

Chris S
  • Right, the salt. Can I use the same salt for every user, or does each user need a randomly generated salt? – Seri Jul 23 '13 at 14:20
  • It kind of defeats the purpose of salt if they're all the same, but I don't think it will stop you either. – Chris S Jul 23 '13 at 14:21
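The answer's two points, a salt is required and Ruby's crypt() builds the whole $id$salt$hash string, in working Ruby. This is an added example, not code from the question, the answer, or Puppet itself; the function names (random_salt, shadow_hash, verify_password, shadow_format?) are my own, and it assumes a glibc-style crypt(3) that understands the $1$ (MD5-crypt) and $6$ (SHA-512-crypt) prefixes, which is what a Linux VM provides. Because a Puppet ERB template evaluates Ruby, the same `password.crypt("$6$#{salt}$")` call is what you would put inside inline_template instead of Digest::MD5.digest.

```ruby
require 'securerandom'
require 'digest'

# The only characters crypt(3) accepts in a salt.
SALT_ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']).freeze

# Prefixes understood by glibc crypt(3): $1$ is MD5-crypt, $6$ is SHA-512-crypt.
METHOD_PREFIX = { md5: '$1$', sha512: '$6$' }.freeze

# Random salt drawn from the crypt alphabet; a fresh one per user, never shared.
def random_salt(length = 16)
  Array.new(length) { SALT_ALPHABET[SecureRandom.random_number(SALT_ALPHABET.size)] }.join
end

# Build a complete /etc/shadow field: "$id$salt$hash".
# MD5-crypt uses at most 8 salt characters, SHA-512-crypt up to 16.
def shadow_hash(password, method: :sha512, salt: nil)
  prefix = METHOD_PREFIX.fetch(method)
  salt ||= random_salt(method == :md5 ? 8 : 16)
  unless salt.chars.all? { |c| SALT_ALPHABET.include?(c) }
    raise ArgumentError, 'salt contains characters outside the crypt alphabet'
  end
  password.crypt("#{prefix}#{salt}$")
end

# Does this string look like a salted crypt hash at all?  The question's
# Digest::MD5.digest output (16 raw bytes, no prefix, no salt) fails this check.
def shadow_format?(str)
  str.match?(%r{\A\$(1|5|6)\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]+\z})
end

# Verify the way login does: re-run crypt with the stored hash as the setting
# (crypt reads the $id$salt$ prefix from it) and compare in constant time.
def verify_password(candidate, stored_hash)
  constant_time_equal?(candidate.crypt(stored_hash), stored_hash)
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, same password the question uses.
  hash = shadow_hash('bobs_new_password')
  puts "shadow field: #{hash}"
  puts "verifies:     #{verify_password('bobs_new_password', hash)}"
  puts "bare digest passes format check? #{shadow_format?(Digest::MD5.digest('bobs_new_password'))}"
end
```

Calling shadow_hash twice for the same password yields two different strings because the salt differs each time; verify_password still accepts both, which is the behaviour the comment thread was asking about.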