I'm trying to create a user account using Chef 11, and am not sure how to calculate the password attribute's value. I've read the User Resource documentation http://docs.opscode.com/resource_user.html, specifically the section "Password Shadow Hash", and am still unsure what exactly to do.
This user is being created on an Ubuntu system, so do I use the openssl example they provided and pass the output of that command as the password attribute value?
openssl passwd -1 "theplaintextpassword"
Each time I run the command, however, the output is different. It also supports various options (-crypt, -1, -apr1), so which one do I use?
I've been looking at the unix passwd command help, which says it encrypts the value but doesn't indicate which method it uses. Help for shadow and crypt aren't shedding any light either.
For this example, data bags are overkill, I have a value I want to use for this account, and simply want to specify it using the password attribute.
Here's the user resource section:
user 'mytestuser' do
comment "Test User"
home "/home/mytestuser"
shell "/bin/bash"
supports :manage_home => true
password "what goes here?"
action :create
end
Update:
I've determined that the string you specify for the password attribute gets written directly into the user's /etc/shadow entry. I guess the remaining issue is determining what that file expects the value to be, and how it relates to configuring the user's password.
The key was seeing that the password attribute value is written directly to the /etc/shadow file. It was then a matter of reading the man pages for shadow and crypt and finally understanding (hopefully) how things fit together. See The Gory Details below, if you're interested in some background.
If you're OK with an MD5 hash of the password, use the openssl command to generate the encrypted string. The version I'm using doesn't appear to support SHA algorithms. Use openssl passwd --help to see which options are available to you.
openssl passwd -1 -salt "yoursaltphrase"
Password: <enter the password>
$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/
Now use that string in the recipe's password attribute:
user 'mytestuser' do
comment "Test User"
home "/home/mytestuser"
shell "/bin/bash"
supports :manage_home => true
password '$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/'
action :create
end
As for me, I ended up creating the test user manually, and then copied its encryption string from /etc/shadow as the password attribute value for the recipe.
From /etc/shadow, the second field after mytestuser: is the encrypted password.
mytestuser:THIS_IS_THE_FIELD_YOU_WANT:16063:0:99999:7:::
See man shadow and man crypt.
The Gory Details
Piecing things together from man pages and various user forums, here's what I've learned. Note that the term encrypted here actually means hashed, as I don't believe that passwords can actually be decrypted.
The passwd command encrypts the user's plain-text password and writes it to /etc/shadow.
/etc/shadow entries contain the user name and the encrypted password in one of various formats. The man page for "crypt" describes these formats, see its NOTES section.
The encrypted value has the format:
$id$salt$encrypted
Think of it as having two parts: a salt and the actual encrypted password.
The salt portion consists of two pieces:
The id can be one of the following, indicating the encryption algorithm used:
blank = DES (the default when no $id$ prefix is found)
1 = MD5
2a = Blowfish
5 = SHA-256
6 = SHA-512
The encrypted password length is fixed based on the encryption algorithm:
DES = 8 characters
MD5 = 22 characters
SHA-256 = 43 characters
SHA-512 = 86 characters
Blowfish = ???
You can use the openssl passwd command to generate various password hashes. It supports the options:
-crypt DES-based standard Unix password algorithm (default)
-1 MD5-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-salt string use provided salt
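Putting the answer's $id$salt$encrypted description into Ruby (the language Chef recipes are written in), as an added example that is not part of the original answer or of Chef itself: it builds a shadow-style hash through the system crypt(3), parses a stored value back into its id, salt and hash, and verifies a password the way login does. It assumes a glibc/libxcrypt-style crypt that understands the $1$/$5$/$6$ prefixes, as Ubuntu's does; the function names and the CRYPT_IDS table are my own.

```ruby
require 'securerandom'

# Algorithm ids from crypt(3) and the fixed hash-field lengths listed above.
CRYPT_IDS = {
  '1' => { name: 'MD5',     hash_len: 22, max_salt: 8 },
  '5' => { name: 'SHA-256', hash_len: 43, max_salt: 16 },
  '6' => { name: 'SHA-512', hash_len: 86, max_salt: 16 }
}.freeze

# Build the "$id$salt$" prefix and hand it to crypt(3) via String#crypt.
# Assumption: the platform crypt supports $1$/$5$/$6$ (a DES-only crypt will not).
def make_shadow_hash(password, id: '6', salt: nil)
  spec = CRYPT_IDS.fetch(id) { raise ArgumentError, "unsupported id #{id}" }
  salt ||= SecureRandom.alphanumeric(spec[:max_salt]) # crypt salt alphabet is ./A-Za-z0-9
  raise ArgumentError, 'salt too long' if salt.length > spec[:max_salt]
  password.crypt("$#{id}$#{salt}$")
end

# Split "$id$salt$hash" into parts; nil if the value is not in that form
# (e.g. a legacy DES value with no $id$ prefix, or a locked "!"/"*" field).
def parse_shadow_hash(value)
  m = value.match(/\A\$(?<id>[^$]+)\$(?<salt>[^$]*)\$(?<hash>[^$]+)\z/)
  return nil unless m
  { id: m[:id], salt: m[:salt], hash: m[:hash], algorithm: CRYPT_IDS.dig(m[:id], :name) }
end

# Second colon-separated field of an /etc/shadow line is the encrypted password.
def shadow_password_field(line)
  line.split(':', -1)[1]
end

# Recompute with the stored $id$salt$ and compare in constant time; this is
# what PAM does against /etc/shadow when the user logs in.
def verify_password(password, stored)
  parts = parse_shadow_hash(stored)
  return false unless parts
  candidate = password.crypt("$#{parts[:id]}$#{parts[:salt]}$")
  return false unless candidate.bytesize == stored.bytesize
  candidate.bytes.zip(stored.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: hash a password, then check it the way login would.
  stored = make_shadow_hash('s3cret', id: '6')
  puts stored
  puts "password '#{stored}' ok: #{verify_password('s3cret', stored)}"
end
```

The string make_shadow_hash returns is what goes into the recipe's password attribute; a random salt is fine because the salt travels with the hash.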