Angela,
Almost! From the looks of it, that’s an encrypted data bag, which you’ve stored on your Chef Server (unless you’re using Chef Solo, in which case this is different entirely).
Assuming this is the `svc_goagent` item in the `users` data bag, here’s how I would do it:
In Chef 12:
plain_pass = data_bag_item('users', 'svc_goagent')['password']
Chef 11 is a bit less nice:
plain_pass = Chef::EncryptedDataBagItem.load('users', 'svc_goagent')['password']
Then…
encrypted_pass = `openssl passwd -l "#{plain_pass}"`
user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password encrypted_pass
end
Mind, by the way, that the flag for openssl passwd is a lowercase “L”, not the numeral 1.
Take advantage of Chef’s own mechanisms as much as you can; lots of very smart folks have done lots of great work to make life easier for us.
On March 4, 2015 at 9:05:33 AM, ANGELA EBIRIM wrote:
Hi Jeff,
Thanks for the responses so far.
Your reply is along the line of what I'm trying to do.
So my code would be:
clever = '{
  "id": "svc_goagent",
  "password": {
    "encrypted_data":
      "ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n",
    "iv": "PfWTKqKoc3OxO8WxTnW7Zg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}'
parsed = JSON.parse(clever)
x = parsed["password"]
new_pass = %x(openssl passwd -1 "#{x}")
user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password {"#{new_pass}"}
end
Is that correct?
On Mar 04, 2015, at 05:45 AM, Jeff Byrnes wrote:
Might even be able to have Ruby shell out to generate that:
user 'foo' do
  action :create
  …
  password { `openssl passwd -l 'plaintextpassword'` }
end
You would want, I think, to not actually have the plain text
password right there; I’d suggest perhaps using an encrypted data
bag for the actual value there.
Lastly though; why use passwords at all? Why not use SSH
keys? Far simpler to manage…
On March 4, 2015 at 8:27:33 AM, Fabien Delpierre wrote:
The correct method is to obtain the password's shadow hash and use
that in your recipe.
$ openssl passwd -1 "plaintextpassword"
That will return something like: $1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y.
Put that in your code after password, like so:
user "foo" do
  action :create
  ...
  password "$1$hLPHf35Y$.6m81pCpLfPHW/py5ee1Y."
end
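
As an added example (not code from any poster in this thread), the shadow hash for the user resource can be produced in plain Ruby instead of shelling out, which keeps the plaintext out of the process list and out of shell quoting. It goes beyond the thread by also supporting SHA-512-crypt and by reusing an existing matching hash; the helper names are hypothetical, and it assumes the platform's crypt(3) supports the `$6$` scheme (glibc or libxcrypt).

```ruby
require 'securerandom'

# Characters allowed in a crypt(3) salt.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Hash a plaintext password into shadow format through the platform's crypt(3).
# Nothing is shelled out, so the plaintext never lands in a process argument
# list and needs no shell quoting. scheme '1' is MD5-crypt (the format
# `openssl passwd -1` prints); '6' is SHA-512-crypt.
def shadow_hash(plain, scheme: '6', salt: nil)
  salt ||= Array.new(8) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  prefix = "$#{scheme}$#{salt}$"
  hashed = plain.crypt(prefix)
  raise "crypt(3) here lacks $#{scheme}$ support" unless hashed.start_with?(prefix)
  hashed
end

# True when an existing shadow hash was derived from this plaintext.
# Locked or empty entries ("!", "*", nil) never match.
def shadow_matches?(plain, existing)
  return false unless existing.to_s.match?(/\A\$[156]\$[^$]+\$.+\z/)
  plain.crypt(existing) == existing
rescue Errno::EINVAL
  false
end

# Value to hand to the user resource's `password` property: keep the hash
# already in place when it still matches, so a fresh random salt does not make
# the resource report a change on every Chef run.
def converged_password(plain, current_hash)
  shadow_matches?(plain, current_hash) ? current_hash : shadow_hash(plain)
end

if __FILE__ == $PROGRAM_NAME
  plain = 'constructed-example-password' # stands in for the data bag value
  first = converged_password(plain, nil)
  puts first                                      # new hash with a random salt
  puts converged_password(plain, first) == first  # unchanged on the next run
end
```

How the current hash reaches `converged_password` (for example, read from the node's shadow entry) is left to the recipe.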