[chef] Re: Re: Re: Re: Creating a user on a UNIX box with an encrypted hash for a password


  • From: ANGELA EBIRIM
  • Subject: [chef] Re: Re: Re: Re: Creating a user on a UNIX box with an encrypted hash for a password
  • Date: Thu, 05 Mar 2015 12:22:48 +0000 (GMT)

Hi,

As an update to my question, I think that I may have answered it.

Ubuntu 14.04 only accepts /etc/shadow-compatible passwords, so passwords generated using an MD5 algorithm weren't accepted on my Vagrant box (I had a strange error of useradd: invalid field '$1$In9NKSDS$9FIGx4T.aOWq6CZfkkWkO'). I had to generate the password using mkpasswd, so in my recipe, instead of using %x(openssl passwd -1 "#{plain_pass}"), I would instead use %x(mkpasswd -m sha512) and ensure that I installed the whois package as part of my recipe on the Ubuntu box (this will install mkpasswd on your Ubuntu box).

You can now do a su svc_goagent and use London2014 (in my case the decrypted password) and you will be authenticated.

Regards

Sent from iCloud
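The two findings in this thread (a SHA-512 crypt hash is what Ubuntu's useradd wants, and a literal "London2014" in /etc/shadow means the user resource was handed plaintext rather than a hash) can both be handled in Ruby without shelling out to mkpasswd or installing whois. The following is an added example, not code from the thread or from Chef: it builds a $6$ hash with Ruby's String#crypt (assumption: the platform crypt(3) is glibc or another libc that implements the SHA-512 method, as on Ubuntu), verifies a password against it, and audits constructed /etc/shadow lines to flag fields that are not real hashes or use MD5. The sample shadow lines are constructed for the example; the $1$ value is the one quoted in the message above.

```ruby
require 'securerandom'

# crypt(3) salt alphabet: [a-zA-Z0-9./]
CRYPT_SALT_CHARS = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']

# Random 16-character salt (the maximum glibc uses for $6$).
def crypt_salt(length = 16)
  Array.new(length) { CRYPT_SALT_CHARS[SecureRandom.random_number(CRYPT_SALT_CHARS.size)] }.join
end

# SHA-512 crypt hash ("$6$salt$hash") suitable for the user resource's password attribute.
# Assumption: String#crypt delegates to a libc whose crypt(3) supports $6$; the result is
# checked so that a libc without SHA-512 support fails loudly instead of storing garbage.
def sha512_shadow_hash(plain, salt = crypt_salt)
  hash = plain.crypt("$6$#{salt}$")
  unless hash.start_with?("$6$#{salt}$") && hash.length > 20
    raise "platform crypt(3) does not support SHA-512 ($6$) hashes"
  end
  hash
end

# True when plain hashes to the stored value (the hash itself carries the salt).
def password_matches?(plain, stored_hash)
  plain.crypt(stored_hash) == stored_hash
end

# Classify the password field of one /etc/shadow entry.
def classify_shadow_password(field)
  case field
  when '' then :empty
  when /\A[!*]/ then :locked
  when /\A\$1\$/ then :md5
  when /\A\$5\$/ then :sha256
  when /\A\$6\$/ then :sha512
  when /\A\$y\$/ then :yescrypt
  else :not_a_hash # e.g. a plaintext password written straight into the field
  end
end

# Return {username => classification} for every entry whose field is not in the allowed set.
def audit_shadow(shadow_text, allowed = %i[sha512 sha256 yescrypt locked])
  shadow_text.each_line.with_object({}) do |line, findings|
    name, field = line.chomp.split(':', 3)
    next if name.nil? || name.empty?
    kind = classify_shadow_password(field.to_s)
    findings[name] = kind unless allowed.include?(kind)
  end
end

# Constructed shadow file for the example (root's hash is generated here, not a real one).
SAMPLE_SHADOW = <<~SHADOW
  root:#{sha512_shadow_hash('constructed-root-pw', 'Rq7sV2xKd1LpA9zE')}:16499:0:99999:7:::
  svc_goagent:London2014:16499:0:99999:7:::
  vagrant:$1$In9NKSDS$9FIGx4T.aOWq6CZfkkWkO:16499:0:99999:7:::
  daemon:*:16499:0:99999:7:::
SHADOW

if __FILE__ == $PROGRAM_NAME
  puts sha512_shadow_hash('London2014')
  audit_shadow(SAMPLE_SHADOW).each { |user, kind| puts "#{user}: #{kind}" }
end
```

In a recipe, `password sha512_shadow_hash(plain_pass)` replaces the `%x(...)` call, and `audit_shadow` run over the box's /etc/shadow (for example in a Test Kitchen or Serverspec check) catches the plaintext-in-shadow symptom before anyone tries `su`.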

On Mar 05, 2015, at 02:13 AM, ANGELA EBIRIM wrote:

Hello everyone,

I'm still new to Chef and have the following question.

I'm testing my user creation recipe using Vagrant and Chef Solo and now that I have successfully created a user on my UNIX box, how would I then test that this user can login?

I have done the following so far:-

1) created the user and set the password
2) When I look in the /etc/shadow file on my UNIX box, I see svc_goagent:London2014:16499:0:99999:7::: so I can see that the password passed in with the user resource was created on the box (should I see the clear text password (London2014) or the MD5 encrypted one)?
3) When I log onto Vagrant using vagrant ssh and do a su svc_goagent (my created user) and type in my password (London2014) then I get an authentication failure.

What is the correct way of testing that this new user svc_goagent can login?

Many thanks

Angela

Sent from iCloud

On Mar 04, 2015, at 06:59 AM, Jeff Byrnes wrote:

Oops! Thanks for the catch, Fabien. Apparently I was the one making copy pasta :)

-- 
Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
704.516.4628


On Wed, Mar 4, 2015 at 9:30 AM, ANGELA EBIRIM wrote:

Hi Jeff,

Thanks very much!

Exactly what I was looking for.

Regards
Sent from iCloud

On Mar 04, 2015, at 06:26 AM, Jeff Byrnes wrote:

Angela,

Almost! From the looks of it, that’s an encrypted data bag, which you’ve stored on your Chef Server (unless you’re using Chef Solo, in which case this is different entirely).

Assuming this is the `svc_goagent` item in the `users` data bag, here’s how I would do it:

In Chef 12:

plain_pass = data_bag_item('users', 'svc_goagent')['password']

Chef 11 is a bit less nice:

plain_pass = Chef::EncryptedDataBagItem.load('users', 'svr_goagent')['password']

Then…

encrypted_pass = `openssl passwd -l "#{plain_pass}"`

user 'svc_goagent' do
  supports :manage_home => true
  comment  'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password encrypted_pass
end

Mind, by the way, that the flag for openssl passwd is a lowercase “L”, not the numeral 1.

Take advantage of Chef’s own mechanisms as much as you can; lots of very smart folks have done lots of great work to make life easier for us.

-- 
Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
704.516.4628
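Jeff's point is that the JSON Angela pasted is the encrypted form of the data bag field, and that the recipe must load the item so Chef decrypts it before the plaintext is hashed for the user resource; hashing the encrypted blob (or a Ruby Hash's string form) produces a password nobody knows. The following is an added example, not Chef's code or the thread's: it encrypts and decrypts one field in the version-1 layout shown in the thread (aes-256-cbc, a base64 IV, "version": 1), so the shape of what lives in the bag versus what the recipe should hash can be seen offline. Assumptions, labelled in the comments: the v1 key derivation (SHA-256 of the shared secret) and the {"json_wrapper": value} wrapping are this example's reading of Chef 11's format, and the secret and password values are constructed.

```ruby
require 'openssl'
require 'digest'
require 'json'
require 'base64'

# Assumption: Chef's version-1 encrypted data bag field is AES-256-CBC with
# key = SHA-256(shared secret), a random IV, and the value wrapped as {"json_wrapper": value}.
# This mirrors the layout pasted in the thread; it is not Chef's own implementation.
def encrypt_v1_field(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  ciphertext = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  {
    'encrypted_data' => Base64.encode64(ciphertext),
    'iv' => Base64.encode64(iv),
    'version' => 1,
    'cipher' => 'aes-256-cbc'
  }
end

# Reverse of encrypt_v1_field; refuses anything that is not the v1 aes-256-cbc layout.
def decrypt_v1_field(field, secret)
  raise ArgumentError, "unsupported version #{field['version'].inspect}" unless field['version'] == 1
  raise ArgumentError, "unsupported cipher #{field['cipher'].inspect}" unless field['cipher'] == 'aes-256-cbc'
  decipher = OpenSSL::Cipher.new('aes-256-cbc')
  decipher.decrypt
  decipher.key = Digest::SHA256.digest(secret)
  decipher.iv = Base64.decode64(field['iv'])
  plain = decipher.update(Base64.decode64(field['encrypted_data'])) + decipher.final
  JSON.parse(plain)['json_wrapper']
end

# Guard for the recipe: the value handed to the password hash must be a decrypted String,
# not the Hash that parsing the encrypted item yields.
def decrypted_password!(value)
  raise ArgumentError, 'password field is still encrypted (got a Hash)' if value.is_a?(Hash)
  raise ArgumentError, 'password must be a non-empty String' unless value.is_a?(String) && !value.empty?
  value
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'            # constructed, stands in for encrypted_data_bag_secret
  item = { 'id' => 'svc_goagent', 'password' => encrypt_v1_field('London2014', secret) }
  puts JSON.pretty_generate(item)                  # what is stored in the bag
  puts decrypted_password!(decrypt_v1_field(item['password'], secret)) # what the recipe hashes
end
```

On a real node `data_bag_item('users', 'svc_goagent')['password']` (Chef 12) already returns the decrypted String, so `decrypted_password!` only serves to fail the run early if someone passes the raw item through `JSON.parse` as in the earlier message.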

On March 4, 2015 at 9:05:33 AM, ANGELA EBIRIM wrote:


Hi Jeff,

Thanks for the responses so far.

Your reply is along the line of what I'm trying to do.

So my code would be:-

clever = '{
"id": "svc_goagent",
"password": {
"encrypted_data": "ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n",
"iv": "PfWTKqKoc3OxO8WxTnW7Zg==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}'

parsed = JSON.parse(clever)

x = parsed["password"]

new_pass = %x(openssl passwd -1 "#{x}")

user 'svc_goagent' do
  supports :manage_home => true
  comment  'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password {"#{new_pass}"}
end

Is that correct?
Sent from iCloud

On Mar 04, 2015, at 05:45 AM, Jeff Byrnes wrote:

Might even be able to have Ruby shell out to generate that:

user 'foo' do
  action :create
  …
  password { `openssl passwd -l 'plaintextpassword'` }
end

You would want, I think, to not actually have the plain text password right there; I’d suggest perhaps using an encrypted data bag for the actual value there.

Lastly though; why use passwords at all? Why not use SSH keys? Far simpler to manage…

-- 
Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
704.516.4628

On March 4, 2015 at 8:27:33 AM, Fabien Delpierre wrote:


Hello,
I've never seen this syntax so I'm not sure it's supported. It's definitely not in the docs for Chef's user resource at https://docs.chef.io/resource_user.html.
The correct method is to obtain the password's shadow hash and use that in your recipe.
$ openssl passwd -1 "plaintextpassword"
That will return something like: $1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y.

Put that in your code after password, like so:
user "foo" do
  action :create
  ...
  password "$1$hLPHf35Y$.6m81pCpLfPHW/py5ee1Y."
end

Hope this helps.
Fabien

On Wed, Mar 4, 2015 at 7:36 AM, ANGELA EBIRIM wrote:
Hello everyone,

I'd appreciate some assistance.

I'm trying to create a user on a UNIX box with the following code:-

user "svc_goagent" do
  action :create
  comment "go agent"
  uid 1234
  gid 2000
  home "home/svc_goagent"
  shell "/bin/bash"
  password "{"encrypted_data"=>"ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n", "iv"=>"PfWTKqKoc3OxO8WxTnW7Zg==\n", "version"=>1, "cipher"=>"aes-256-cbc"}"

  supports :manage_home => true
end

My problem is when I put this into a recipe and then do a chef run, I get errors that prevent the user from being created. Can someone please tell me what is the code to pass an encrypted hash as a password for a new user?

Thanks

Angela

Sent from iCloud
