Thursday, May 15, 2014

Puppet: Generating password hashes

I came across the need to change the password of one of our users on almost all of our servers, so we decided to build something in Puppet.

For this task, we will use the type USER and also the type SCHEDULE, which is part of the metaparameters. See:
With this "schedule" metaparameter, our Puppet module will change the password of the user once a day.
To generate a password hash to use within the Puppet module's manifest files we are going to use the mkpasswd utility, which is available in the "whois" package (and it works!). In this case we will use Puppet's "generate" function to call "mkpasswd" and return the hashed version of the password.

So, our Manifest will look something like this:


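# $pass (the plain-text password) must be set earlier in the manifest. It is
# expanded into a shell command line, so it must not contain shell metacharacters.
schedule { 'everyday':
        period  => daily,
        range   => "8 - 18",
        repeat  => 1,
}

# mkpasswd picks a random salt, so the hash differs on every catalog compile;
# the schedule limits the resulting password change to once a day.
user { 'backup':
        name     => backup,
        ensure   => present,
        password => generate('/bin/sh', '-c', "mkpasswd -m sha-512 ${pass} | tr -d '\n'"),
        schedule => 'everyday',
}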

This is an easy and effective way to make it work.
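
An alternative form of the manifest above, as an added example that is not the post's own code: it calls mkpasswd without a shell and with a fixed per-node salt, so the hash stays the same between catalog compiles. The mkpasswd path, the variable names and the placeholder value of $pass are assumptions.

```puppet
# Added example, not the post's code. Assumptions: mkpasswd is installed at
# /usr/bin/mkpasswd on the Puppet master, and $pass is a placeholder value.
$pass = 'CHANGE-ME-placeholder'

# Per-node salt: first 16 hex characters of sha1(fqdn). It is deterministic,
# so the same node always gets the same hash, and different nodes get
# different hashes for the same password. A salt does not need to be secret.
$salt = regsubst(sha1($::fqdn), '^(.{16}).*$', '\1')

# Each argument is handed to mkpasswd as-is; no shell parses $pass, so quotes,
# spaces or `$` in the password cannot alter the command.
$raw  = generate('/usr/bin/mkpasswd', '-m', 'sha-512', '-S', $salt, $pass)

# mkpasswd ends its output with a newline; strip it before use.
$hash = regsubst($raw, '\n$', '')

# The hash is now stable between runs, so Puppet only rewrites the password
# when the value on the node differs from $hash.
user { 'backup':
  ensure   => present,
  password => $hash,
}
```

The password still appears in the mkpasswd process arguments on the master while the catalog compiles, so access to the master's process list should be restricted accordingly.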

The Puppet documentation says that we can use the built-in "sha1" function to generate a hash from a password, but sadly it didn't work for me (maybe I'm too dumb to make it work), so I researched a bit and found the solution above.

As always, I hope this can help any lost soul out there. :)