Hello,


I doubt str2saltedsha512 can be used to generate encrypted passwords, as the 
resulting string does not contain the id nor salt.

pw_hash should work, although in the brief test I just did, it looks like a 
lower case 'sha-512' should be used.



I think you should debug this issue a little more on the client system.

Can you check the output (don't post it!) of 'getent shadow username'? It 
should consist of 9 colon separated fields, where the first one is the username 
and the second one the encrypted password. This encrypted password should start 
with $6$, the salt you've chosen, a third $ and finally the password hash.

If this string looks OK, then you should check the system journal (which you 
can read with 'journalctl -e') for any errors during the login (attempt).

Just to make sure the problem is not Puppet related, try to manually set a 
password for this user.

 



-----Original message-----
From: jmp242 <jp10...@gmail.com>
Sent: Thursday 14th November 2019 18:33
To: Puppet Users <puppet-users@googlegroups.com>
Subject: [Puppet Users] Managing a local users password with puppet on EL7


I'm not sure what's going on, but when I try and log in to XFCE using 
the local user account, I just get "Something went wrong". I've 
verified the password - but I wonder if I'm misunderstanding the puppet 
docs on the hashing, because it's obvious the password I have isn't working.

My line creating the password is

password =>Sensitive(str2saltedsha512($password)),




On the plus side, the Sensitive() function works, but I wonder if the 
str2saltedsha512() is not the right form / function? Under Windows we 
always just used a string in puppet, but the docs imply under RHEL it 
wants that salted sha512 ...

The relevant part seems to be:
password
(Property: This attribute represents concrete state on the target system.)

The user’s password, in whatever encrypted format the local system 
requires. Consult your operating system’s documentation for acceptable 
password encryption formats and requirements.

Mac OS X 10.5 and 10.6, and some older Linux distributions, use salted 
SHA1 hashes. You can use Puppet’s built-in sha1 function to generate a 
salted SHA1 hash from a password.

Mac OS X 10.7 (Lion), and many recent Linux distributions, use salted 
SHA512 hashes. The Puppet Labs stdlib module contains a str2saltedsha512 
function which can generate password hashes for these operating systems.

This post (re RHEL6.3 though) implies the puppet documentation is just 
wrong, or we have old modules?
https://stackoverflow.com/questions/19114328/managing-a-user-password-for-linux-in-puppet

I then tried:

password => pw_hash('password','SHA-512','mysalt'),




Which also doesn't seem to work. What am I missing here?



-- 
 You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
 To unsubscribe from this group and stop receiving emails from it, send an 
email to puppet-users+unsubscr...@googlegroups.com 
<mailto:puppet-users+unsubscr...@googlegroups.com> .
 To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/9ef3af13-aecc-44b0-afa5-55dc0aeeb53e%40googlegroups.com.
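
The format check described in the reply above (9 colon-separated fields, second field of the form $6$salt$hash), as an added example that is not part of the original thread. It is a shell function that classifies a 'getent shadow' line without echoing the hash or the salt; the function name, the verdict strings and the sample entry are constructed for this example.

```shell
#!/bin/sh
# classify_shadow_line LINE -> prints one verdict; never echoes hash or salt.
# Real use (as root): classify_shadow_line "$(getent shadow username)"
classify_shadow_line() {
    line=$1
    # A shadow entry has exactly 9 colon-separated fields.
    nfields=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
    [ "$nfields" -eq 9 ] || { echo "bad-field-count"; return 0; }
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    case $pw in
        '')          echo "empty-password"; return 0 ;;
        '!'* | '*'*) echo "locked-or-disabled"; return 0 ;;
    esac
    # Long hex-only value: a bare digest with no $id$salt$ prefix, so it is
    # not a crypt(3) modular-format string.
    if printf '%s\n' "$pw" | grep -Eq '^[0-9a-fA-F]{32,}$'; then
        echo "hex-digest-not-crypt"; return 0
    fi
    # SHA-512 crypt: $6$[rounds=N$]salt$hash, salt <= 16 chars, hash 86 chars.
    re='^\$6\$(rounds=[0-9]+\$)?[./0-9A-Za-z]{0,16}\$[./0-9A-Za-z]{86}$'
    if printf '%s\n' "$pw" | grep -Eq "$re"; then
        echo "sha512-crypt-ok"; return 0
    fi
    case $pw in
        '$6$'*) echo "sha512-crypt-malformed" ;;
        *)      echo "other-format" ;;
    esac
}

# Constructed sample entry (86 filler characters, not a real hash).
fake_hash=$(awk 'BEGIN { for (i = 0; i < 86; i++) printf "A" }')
classify_shadow_line "demo:\$6\$mysalt\$${fake_hash}:18214:0:99999:7:::"
```

A verdict other than sha512-crypt-ok points at the manifest or the hashing function; sha512-crypt-ok with a login that still fails points at the journal, as the reply suggests.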
 
