It's probably ok to reuse the same salt; it's just to defeat pre-computation attacks.
But if you really don't want to, you could:

- Use the username as the salt. That'll be static, so idempotent, and different for every user. Not as great as random salt, but better than no salt.
- Use a secrets server like Vault, and use the Hiera-Vault plugin to retrieve a password. (Just make sure you test first. I tested this about a year ago, and at the time the Hiera Vault plugin had a bug that eventually exhausted all the connections into Vault.)
- Don't actually use Puppet to set a password. If this is your own user, just manage your password yourself with the `passwd` command.

On Friday, November 15, 2019 at 10:23:26 AM UTC-5, Bart-Jan Vrielink wrote:

> Of course this is not idempotent. Mmm, security is difficult.
>
> -----Original message-----
> *From:* Bart-Jan Vrielink <bar...@vrielink.net>
> *Sent:* Friday 15th November 2019 16:18
> *To:* puppet...@googlegroups.com
> *Subject:* RE: [Puppet Users] Managing a local users password with puppet on EL7
>
> Hello,
>
> Glad to hear that you got it to work.
>
> Before you put this into production, please make sure you don't re-use the same salt value. Try to randomize it. Something like seeded_rand_string(16,strftime("%s%L")) may work.
>
> -----Original message-----
> *From:* jmp242 <jp1...@gmail.com>
> *Sent:* Friday 15th November 2019 15:31
> *To:* Puppet Users <puppet...@googlegroups.com>
> *Subject:* Re: [Puppet Users] Managing a local users password with puppet on EL7
>
> I figured it out. Thanks for the help. It's because I wasn't doing
>
>     password => pw_hash('password', 'SHA-512', 'mysalt'),
>
> I was doing
>
>     Sensitive(pw_hash('$password', 'SHA-512', 'oursalt')),
>
> And because I used single quotes, it wasn't actually getting the parameter / variable, but the literal $password. Remove the quotes entirely because it's just a variable, and it works!
>
> And this is why you can't always just copy -> paste -> edit your stuff in!
>
> On Friday, November 15, 2019 at 8:55:57 AM UTC-5, Bart-Jan Vrielink wrote:
>
>> Hello,
>>
>> I'm still puzzled by why this is not working on your system. The following works for me on a Centos7 machine:
>>
>>     user { 'testuser':
>>       ensure   => 'present',
>>       password => pw_hash('password', 'SHA-512', 'mysalt'),
>>     }
>>
>> -----Original message-----
>> *From:* jmp242 <jp1...@gmail.com>
>> *Sent:* Friday 15th November 2019 14:41
>> *To:* Puppet Users <puppet...@googlegroups.com>
>> *Subject:* Re: [Puppet Users] Managing a local users password with puppet on EL7
>>
>> So, I set the password manually with passwd and got an entirely different hash than when I use the pw_hash function. The salt is obviously different as well, but the rest of the /etc/shadow entry is the same. ssh user@localhost works with the password when I set it manually with passwd, and does not work with pw_hash - not surprisingly.
>>
>> I tried lowercase sha-512, and got the same hash as with uppercase SHA-512. Both methods (working manual passwd, and non-working pw_hash) start with $6$ which implies a sha-512 hash from the docs, so I think pw_hash is just broken for EL7. Which means the user resource is broken.
>>
>> I guess temporarily, I'll just set the hash as a string and generate it with passwd, and see if that works - but it's obviously not ideal.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/aef852aa-8a9c-4535-aaaa-c7f3ebbabce5%40googlegroups.com.
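An added example (not code from anyone in the thread) putting the first suggestion above into a manifest: a defined type `local_account` that derives a static, per-user salt from the username, keeps the password wrapped in `Sensitive`, and avoids the single-quote bug from the thread. It assumes `pw_hash()` from puppetlabs-stdlib, which accepts only `[a-zA-Z0-9./]` salt characters, and that SHA-512 crypt uses at most 16 of them.

```puppet
# Added example, not from the thread. Requires puppetlabs-stdlib for pw_hash().
define local_account (
  Sensitive[String] $password,
  String            $username = $title,
) {
  # The salt is derived from the username, so it is different per user but
  # stable across runs (idempotent). Strip characters pw_hash() rejects and
  # keep at most 16, the SHA-512 crypt salt limit.
  $clean = regsubst($username, '[^a-zA-Z0-9./]', '', 'G')
  $salt  = $clean[0, 16]

  # Unwrap only for the hash call and wrap the result again so the hash is
  # redacted in reports and logs. The variable is deliberately unquoted:
  # '$password' in single quotes would hash the literal string "$password",
  # which is the mistake tracked down in the thread.
  $hash = Sensitive(pw_hash($password.unwrap, 'SHA-512', $salt))

  user { $username:
    ensure   => 'present',
    password => $hash,
  }
}

# Usage: the same password and username always yield the same hash, so
# Puppet reports no change on subsequent runs.
local_account { 'testuser':
  password => Sensitive('correct horse battery staple'),
}
```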