Hey all,

My objective is to set the root password on the puppet master and then have
root module mine the hash from the shadow file. It seems like it should
work, but I get the error "Parameter password failed: Passwords cannot
include ':' at". I am not sure where it is seeing the ":".

Any ideas?

The manifest looks like this:
class root::linuxroot {
  user { 'root':
    ensure   => 'present',
    comment  => 'root',
    uid      => '0',
    gid      => '0',
    home     => '/root',
    password => generate("/pathtoscript/getlinuxhash.sh"),
    shell    => '/bin/bash',
  }
}

And the getlinuxhash.sh looks like this:
#!/bin/sh
HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
echo "'"$HASHPASS"'"

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/Q2wcMCPiKBUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Christopher Wood at Jun 22, 2012 at 10:13 pm
    inline
    On Fri, Jun 22, 2012 at 02:42:54PM -0700, Rob B. wrote:
    Hey all,

    My objective is to set the root password on the puppet master and then
    have root module mine the hash from the shadow file. It seems like it
    should work, but I get the error "Parameter password failed: Passwords
    cannot include ':' at". I am not sure where it is seeing the ":".

    Any ideas?

    The manifest looks like this:
    class root::linuxroot {
    user { 'root':
    ensure           => 'present',
    comment          => 'root',
    uid              => '0',
    gid              => '0',
    home             => '/root',
    password         => generate("/pathtoscript/getlinuxhash.sh"),
    shell            => '/bin/bash',
    }
    }

    And the getlinuxhash.sh looks like this:
    #!/bin/sh
    HASHPASS=$(/bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }')
    echo "'"$HASHPASS"'"
    # facter | grep operatingsystem
    operatingsystem => Debian
    operatingsystemrelease => 6.0.5
    # /bin/grep root /etc/shadow | /bin/awk -F ":" '{ print $2 }'
    bash: /bin/awk: No such file or directory

    You're probably fine with not using the full paths there, unless you are either on a single system type and/or templating getlinuxhash.sh.

    "'"$HASHPASS"'"

    That is likely interpreted as:

    "'" <--- a string
    $HASHPASS <--- substituted
    "'" <--- a string

    When I run your whole script without the full paths:

    # cat /tmp/22
    #!/bin/sh
    HASHPASS=$(grep root /etc/shadow | awk -F ":" '{ print $2 }')
    echo "'"$HASHPASS"'"
    # bash /tmp/22
    '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9bASyGcFTxomYSalcryFp5QsKrNJSOmPsG4NNNOZRSZS4S3aRwMD3iza03ORDTxlaq0'

    Since the password hash should start with $6$, it looks like you're returning the quotes too, which is an incorrect password hash.

    # cat /tmp/1.pp
    file { '/tmp/cw1':
    content => generate('/tmp/22')
    }
    # puppet apply /tmp/1.pp
    notice: /Stage[main]//File[/tmp/cw1]/ensure: defined content as '{md5}3f4302ca8a8c24301c265fdc5345f341'
    # cat /tmp/cw1
    '$6$Fpa0v1.a$2WyfaKkiZS7ALdjtXbU9BASyGcFTxomYSal4ryFp5AsKrNJSOmPsG4NNNOZRSZh4S3aRwMD3iza03ORDTelaq0'

    Possibly try this for your generator? The -n is because I'm not certain if puppet will keep the trailing newline as part of the hash.

    #!/bin/sh
    HASHPASS=$(grep root /etc/shadow | awk -F: '{print $2}')
    echo -n "$HASHPASS"

    Also, why mine the password rather than provision it from your puppet manifests better hiera? That way you get more than one root password.
  • Rob B. at Jun 25, 2012 at 1:52 pm
    Hey Christopher,

    Thanks for the reply. I will give this a try this morning. As for your
    question about why we want to mine it, we want to change the root password
    in our password manager software, have that change the root password on the
    puppet master, and then have puppet distribute the hash everywhere. It
    makes it easy to keep a single root for all the systems we want it to
    manage.

    Thanks!
    Rob
  • R.I.Pienaar at Jun 25, 2012 at 1:53 pm

    ----- Original Message -----
    From: "Rob B." <rbencale@gmail.com>
    To: puppet-users@googlegroups.com
    Sent: Monday, June 25, 2012 2:52:51 PM
    Subject: Re: [Puppet Users] Using generate() to mine a shadow file hash


    Hey Christopher,

    Thanks for the reply. I will give this a try this morning. As for
    your question about why we want to mine it, we want to change the
    root password in our password manager software, have that change the
    root password on the puppet master, and then have puppet distribute
    the hash everywhere. It makes it easy to keep a single root for all
    the systems we want it to manage.

    quite sure this won't work, the puppet master does not run as root and so
    your generate won't have access to read shadow file.

  • R.I.Pienaar at Jun 25, 2012 at 1:54 pm

    you could use sudo of course, but it doesn't seem like a great idea :)

  • Felix Frank at Jun 25, 2012 at 2:12 pm

    quite sure this won't work, the puppet master does not run as root and
    so your generate won't have access to read shadow file.
    you could use sudo of course, but it doesn't seem like a great idea :)

    Sounds right enough. Though if you're being generous with the hash of
    that one root password for each last of your boxen (this strikes me as
    not the most secure of concepts), you can go all the way and make it a
    custom fact that the agent *on* your puppet master (or any other node
    you declare seed for the root password) presents to the puppet master
    for redistribution.

    Also, some wear leveling of your precious grep binary (either in
    generate+sudo or a fact):

    awk -F: '$1 == "root" { print $2 }' /etc/shadow

    ;-)

    (Also, protection from various possible occurrences of the string "root"
    in your shadow file.)

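The points raised so far in the thread (match the user name exactly, add no quotes, emit no trailing newline) combined in one generator-style script. This is an added example, not code posted by anyone in the thread; the sample file, the hash value in it and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: generator-style lookup of one user's password field.

# Constructed shadow-format sample (not a real credential). Two names
# contain the substring "root", the case Felix's remark anticipates.
make_sample() {
    cat > "$1" <<'EOF'
daemon:*:15000:0:99999:7:::
nonroot:!:15000:0:99999:7:::
root:$6$ExampleSalt$ConstructedExampleHashNotARealCredential:15000:0:99999:7:::
EOF
}

# The script from the first post, reading FILE instead of /etc/shadow:
# substring match on "root", then literal single quotes around the result.
get_hash_original() {
    HASHPASS=$(grep root "$1" | awk -F ":" '{ print $2 }')
    echo "'"$HASHPASS"'"
}

# get_hash USER FILE: print field 2 of the entry whose name is exactly USER,
# with no quotes and no trailing newline.
# Returns 2 for a missing, empty or locked entry, and 3 for a value that
# contains a quote or ':' (the error in the first post shows Puppet
# rejecting ':').
get_hash() {
    field=$(awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2")
    case $field in
        ''|'!'*|'*'*) return 2 ;;
        *"'"*|*'"'*|*:*) return 3 ;;
    esac
    printf '%s' "$field"
}

# Run both versions against the constructed sample.
sample=$(mktemp)
make_sample "$sample"
printf 'original: %s\n' "$(get_hash_original "$sample")"
printf 'exact:    %s\n' "$(get_hash root "$sample")"
rm -f "$sample"
```

Pointed at /etc/shadow, get_hash still needs read access that the puppet master, not running as root, does not have, as noted in the thread.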
  • Rob B. at Jun 25, 2012 at 2:17 pm
    I suppose I could use a cron to pull out the hash and put it into a file to
    be read by puppet.
  • John Lyman at Jun 26, 2012 at 1:16 am
    This would be fairly easy from cron by running 'puppet resource user root >
    some.pp'.

    It would be even better if your password manager could trigger the command
    to run only when the password has changed.
  • Robert Bencale at Jun 26, 2012 at 1:30 am
    Hey John,

    It doesn't give the password section.

    Thanks!
    Rob
  • John Lyman at Jun 26, 2012 at 10:22 pm
    It does for me, but I am running as root. Maybe that is the difference.
    Or maybe your user provider doesn't manage_passwords?
  • Robert Bencale at Jun 27, 2012 at 4:40 pm
    hmmm I am also running as root, but do get the password hash. Any ideas?
  • Felix Frank at Jun 27, 2012 at 4:44 pm

    On 06/27/2012 06:40 PM, Robert Bencale wrote:
    hmmm I am also running as root, but do get the password hash. Any ideas?
    Yes, actually. Do you have librubyshadow installed?

  • Robert Bencale at Jun 27, 2012 at 4:55 pm
    I have the rpm ruby-shadow-1.4.1-7.el5 installed.

Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 22, '12 at 9:45p
active: Jun 27, '12 at 4:55p
posts: 13
users: 5
website: puppetlabs.com
