Creating a user on a UNIX box with an encrypted hash for a password

Hello everyone,

I’d appreciate some assistance.

I’m trying to create a user on a UNIX box with the following code:-

user "svc_goagent" do
  action :create
  comment "go agent"
  uid 1234
  gid 2000
  home "home/svc_goagent"
  shell "/bin/bash"
  password "{"encrypted_data"=>"ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n", "iv"=>"PfWTKqKoc3OxO8WxTnW7Zg==\n", "version"=>1, "cipher"=>"aes-256-cbc"}"

  supports :manage_home => true

end

My problem is when I put this into a recipe and then do a chef run, I get errors that prevent the user from being created. Can someone please tell me what is the code to pass an encrypted hash as a password for a new user?

Thanks

Angela

Sent from iCloud

Hello,
I've never seen this syntax so I'm not sure it's supported. It's definitely not in the docs for Chef's user resource at https://docs.chef.io/resource_user.html.
The correct method is to obtain the password's shadow hash and use that in
your recipe.

$ openssl passwd -1 "plaintextpassword"

That will return something like: $1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y.

Put that in your code after password, like so:
user "foo" do
  action :create
  ...
  password "$1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y."
end

Hope this helps.
Fabien


Might even be able to have Ruby shell out to generate that:

user 'foo' do
  action :create

  password `openssl passwd -l 'plaintextpassword'`
end

You would want, I think, to not actually have the plain text password right there; I’d suggest perhaps using an encrypted data bag for the actual value there.

Lastly though; why use passwords at all? Why not use SSH keys? Far simpler to manage…


Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
EverTrue
704.516.4628


Hi Jeff,

Thanks for the responses so far…

Your reply is along the line of what I’m trying to do.

so my code would be:-

require 'json'

clever = '{
  "id": "svc_goagent",
  "password": {
    "encrypted_data": "ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n",
    "iv": "PfWTKqKoc3OxO8WxTnW7Zg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}'

parsed = JSON.parse(clever)

x = parsed["password"]

new_pass = %x(openssl passwd -1 "#{x}")

user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password {"#{new_pass}"}
end

Is that correct?

It seems to me like you will have a problem with that code.
The password bit of that JSON you're parsing is an encrypted string; it
must be decrypted before you can pass it to that new_pass variable,
otherwise new_pass will be a shadow hash of
"ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n" as
if that were the plain text password, so it will be all wrong.


Angela,

Almost! From the looks of it, that’s an encrypted data bag, which you’ve stored on your Chef Server (unless you’re using Chef Solo, in which case this is different entirely).

Assuming this is the svc_goagent item in the users data bag, here’s how I would do it:

In Chef 12:

plain_pass = data_bag_item('users', 'svc_goagent')['password']

Chef 11 is a bit less nice:

plain_pass = Chef::EncryptedDataBagItem.load('users', 'svc_goagent')['password']

Then…

encrypted_pass = `openssl passwd -l "#{plain_pass}"`.chomp # drop the trailing newline from the command output

user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password encrypted_pass
end

Mind, by the way, that the flag for openssl passwd is a lowercase “L”, not the numeral 1.

Take advantage of Chef’s own mechanisms as much as you can; lots of very smart folks have done lots of great work to make life easier for us.


Jeff Byrnes


Hi Jeff,

Thanks very much!

Exactly what I was looking for.

Regards

Mind, by the way, that the the flag for openssl passwd is a lowercase “L”,
not the numeral 1.

It is the numeral 1, actually!

$ openssl passwd -l "test"
Usage: passwd [options] [passwords]
where options are
-crypt standard Unix password algorithm (default)
-1 MD5-based password algorithm
-apr1 MD5-based password algorithm, Apache variant
-salt string use provided salt
-in file read passwords from file
-stdin read passwords from stdin
-noverify never verify when reading password from terminal
-quiet no warnings
-table format output as table
-reverse switch table columns
$ openssl passwd -1 "test"
$1$HXMHTPhi$.A.Rtm.uUCSarTXFrY2wo1


Oops! Thanks for the catch, Fabien. Apparently I was the one making copy pasta :)

Jeff Byrnes

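The data bag plus `openssl passwd` pattern in the replies above works, but it has two sharp edges worth knowing about. Interpolating a plaintext password into a shell command puts it in the process list (visible to `ps`) and lets a secret containing a quote or `$` break out of the command; and a backtick or %x() result ends with a newline, which useradd rejects as an invalid password field. The block below is an added example, not code from this thread or from Chef: it builds the /etc/shadow field in pure Ruby with String#crypt, checks it before it reaches the user resource, and verifies a candidate password against a stored hash. It assumes a Linux libc whose crypt(3) implements the $6$ (SHA-512) scheme, which glibc and musl both do; the data bag call in the closing comment is the one from the thread.

```ruby
# Added example, not code from the thread or from Chef: produce and check an
# /etc/shadow password field in pure Ruby. Assumes a Linux libc whose crypt(3)
# implements the $6$ (SHA-512) scheme, which glibc and musl both do.
require 'securerandom'

# crypt(3) salt alphabet: [a-zA-Z0-9./]
SALT_CHARS = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']).freeze

# Random salt from a CSPRNG; 16 characters is the most $5$/$6$ crypt will use.
def crypt_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# SHA-512 crypt of a plaintext. The plaintext never becomes a command-line
# argument, so it is not visible in `ps` and cannot break out of a shell quote
# the way `openssl passwd -1 "#{plain_pass}"` can.
def shadow_hash(plaintext, salt = crypt_salt)
  hashed = plaintext.crypt("$6$#{salt}$")
  raise "crypt(3) on this platform does not support $6$" unless hashed.start_with?("$6$#{salt}$")
  hashed
end

# useradd/usermod reject a password field containing ':' or a newline with
# "invalid field"; a %x() or backtick result ends with "\n" unless chomped.
# The pattern also insists on the $id$salt$hash layout of md5crypt, sha256crypt
# and sha512crypt (an optional rounds=N$ prefix is allowed for $5$/$6$).
SHADOW_FIELD_RE = %r{\A\$(1|5|6)\$(rounds=\d+\$)?[a-zA-Z0-9./]{1,16}\$[a-zA-Z0-9./]+\z}

def valid_shadow_field?(field)
  return false if field.include?(':') || field.include?("\n")
  field.match?(SHADOW_FIELD_RE)
end

# Check a candidate plaintext against a stored hash. crypt(3) reads the scheme
# and salt from the stored value, so this is what login/PAM effectively does,
# and it is a cleaner test than `su` inside a converged box.
def password_matches?(plaintext, shadow_field)
  plaintext.crypt(shadow_field) == shadow_field
end

# How it slots into the recipe from the thread (Chef DSL, shown as a comment
# because it only runs under chef-client):
#   plain_pass = data_bag_item('users', 'svc_goagent')['password']
#   user 'svc_goagent' do
#     supports :manage_home => true
#     comment 'Go agent user'
#     uid 2333
#     gid 2000
#     home '/home/svc_goagent'
#     shell '/bin/bash'
#     password shadow_hash(plain_pass)
#   end
```

One consequence of hashing at converge time: the Linux user provider compares the password you pass with the hash already in /etc/shadow and runs usermod whenever they differ, so a fresh random salt on every run makes the resource update on every run. Either store the finished hash in the data bag instead of the plaintext, or pass a fixed salt to shadow_hash, and use password_matches? rather than string equality when a test needs to confirm the converged hash.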

Hello everyone,

I’m still new to Chef and have the following question.

I’m testing my user creation recipe using Vagrant and Chef Solo and now that I have successfully created a user on my UNIX box, how would I then test that this user can login?

I have done the following so far:-

  1. created the user and set the password
  2. when I look in the /etc/shadow file on my UNIX box, I see svc_goagent:London2014:16499:0:99999:7::: so I can see that the password passed in with the user resource was created on the box (should I see the clear text password (London2014) or the MD5 encrypted one)?
  3. When I log onto Vagrant using vagrant ssh and do a su svc_goagent (my created user) and type in my password (London2014) then I get an authentication failure.

What is the correct way of testing that this new user svc_goagent can login?

Many thanks

Angela


Hi,

As an update to my question, I think that I may have answered it.

Ubuntu 14.04 only accepts /etc/shadow compatible passwords so passwords generated using an MD5 algorithm weren't accepted on my Vagrant box (I had a strange error of useradd: invalid field '$1$In9NKSDS$9FIGx4T.aOWq6CZfkkWkO). I had to generate the password using mkpasswd, so in my recipe instead of using %x(openssl passwd -1 "#{plain_pass}"), I would instead use %x(mkpasswd -m sha512) and ensure that I installed the whois package as part of my recipe on the Ubuntu box (this installs mkpasswd on your Ubuntu box).

You can now do a su svc_goagent and use London2014 (in my case the decrypted password) and you will be authenticated.

Regards

Sent from iCloud

On Mar 05, 2015, at 02:13 AM, ANGELA EBIRIM aebirim@icloud.com wrote:

Hello everyone,

I’m still new to Chef and have the following question.

I’m testing my user creation recipe using Vagrant and Chef Solo and now that I have successfully created a user on my UNIX box, how would I then test that this user can login?

I have done the following so far:-

  1. created the user and set the password
  2. when i look in the /etc/shadow file on my UNIX box, I see svc_goagent:London2014:16499:0:99999:7::: so I can see that the password passed in with the user resource waas created on the box (should i see the clear text password(London2014) or the MD5 encrypted one)?
  3. When I log onto Vagrant using vagrant ssh and do a su svc_goagent(my created user) and type in my password(London2014) then I get an authentication failure.

What is the correct way of testing that this new user svc_goagent can login?

Many thanks

Angela

Sent from iCloud

On Mar 04, 2015, at 06:59 AM, Jeff Byrnes jeff@evertrue.com wrote:

Oops! Thanks for the catch, Fabien. Apparently I was the one making copy pasta :)


Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
EverTrue
704.516.4628

On Wed, Mar 4, 2015 at 9:30 AM, ANGELA EBIRIM aebirim@icloud.com wrote:
Hi Jeff,

Thanks very much!

Exactly what I was looking for.

Regards

On Mar 04, 2015, at 06:26 AM, Jeff Byrnes jeff@evertrue.com wrote:

Angela,

Almost! From the looks of it, that’s an encrypted data bag, which you’ve stored on your Chef Server (unless you’re using Chef Solo, in which case this is different entirely).

Assuming this is the svc_goagent item in the users data bag, here’s how I would do it:

In Chef 12:

plain_pass = data_bag_item('users', 'svc_goagent')['password']

Chef 11 is a bit less nice:

plain_pass = Chef::EncryptedDataBagItem.load('users', 'svc_goagent')['password']

Then...

# Shell out for the crypt(3) hash. chomp strips the trailing newline, which
# useradd would otherwise reject as an invalid field; note the plaintext
# still passes through a shell command line here.
encrypted_pass = %x(openssl passwd -1 "#{plain_pass}").chomp

user 'svc_goagent' do
supports :manage_home => true
comment 'Go agent user'
uid 2333
gid 2000
home '/home/svc_goagent'
shell '/bin/bash'
password encrypted_pass
end

Mind, by the way, that the flag for openssl passwd is a lowercase "L", not the numeral 1.

Take advantage of Chef’s own mechanisms as much as you can; lots of very smart folks have done lots of great work to make life easier for us.


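What that password blob in the original post actually is, as an added example that is neither code from the thread nor Chef's own code: a pure-Ruby round trip of a version 1 encrypted data bag value (aes-256-cbc, key derived as the SHA-256 of the shared secret, plaintext wrapped as {"json_wrapper": ...}, fields Base64-encoded with the newlines Base64.encode64 adds, which is why the pasted blob contains "\n"). That layout is my reading of the version 1 format and is an assumption here; the secret, helper names and item value are constructed for the example. In a real recipe `data_bag_item` (Chef 12) or `Chef::EncryptedDataBagItem.load` (Chef 11) does the decryption with the node's secret file and you only hash the returned string.

```ruby
# Added example (not from the thread, not Chef's own code): produce and read
# back a Chef encrypted data bag value, format version 1, in plain Ruby with
# no Chef gems. Assumed layout of version 1 items: key = SHA-256 of the
# secret, plaintext = JSON {"json_wrapper": value}, encrypted_data and iv
# are Base64.encode64 strings (newlines included), cipher aes-256-cbc.
require 'openssl'
require 'base64'
require 'json'
require 'digest'

CIPHER = 'aes-256-cbc'.freeze

# What `knife data bag from file --secret-file` would store for one field.
def encrypt_item_value(value, secret)
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv                      # fresh IV per field
  ciphertext = cipher.update({ 'json_wrapper' => value }.to_json) + cipher.final
  {
    'encrypted_data' => Base64.encode64(ciphertext),
    'iv'             => Base64.encode64(iv),
    'version'        => 1,
    'cipher'         => CIPHER
  }
end

# What the recipe's data bag lookup does with the secret: the plaintext the
# user resource needs is the unwrapped string, never the structure itself.
def decrypt_item_value(field, secret)
  raise ArgumentError, "unsupported version #{field['version'].inspect}" unless field['version'] == 1
  raise ArgumentError, "unsupported cipher #{field['cipher'].inspect}" unless field['cipher'] == CIPHER
  cipher = OpenSSL::Cipher.new(CIPHER)
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plaintext = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plaintext).fetch('json_wrapper')
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  # Wrong secret: PKCS#7 padding or the JSON wrapper fails to check out.
  raise ArgumentError, 'wrong secret or corrupted data bag item'
end

# Guard for the mistake in the original post: the encrypted structure is a
# Hash, not a password. Only a String may reach `password` in a user resource.
def encrypted_field?(value)
  value.is_a?(Hash) && value.key?('encrypted_data') && value.key?('iv')
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-example-secret'       # stands in for the secret file
  item = encrypt_item_value('London2014', secret)
  puts item.inspect                           # looks like the blob in the post
  puts "is this a password? #{!encrypted_field?(item)}"
  puts "decrypted: #{decrypt_item_value(item, secret)}"
end
```

The `encrypted_field?` guard is the check that would have caught the original recipe: passing the Hash straight into `password` hands useradd the string form of a Ruby hash rather than a crypt(3) hash, and the decrypted value still has to be hashed before it goes into the resource.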

On March 4, 2015 at 9:05:33 AM, ANGELA EBIRIM (aebirim@icloud.com) wrote:

Hi Jeff,

Thanks for the responses so far…

Your reply is along the line of what I’m trying to do.

so my code would be:-

clever = '{
"id": "svc_goagent",
"password": {
"encrypted_data": "ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n",
"iv": "PfWTKqKoc3OxO8WxTnW7Zg==\n",
"version": 1,
"cipher": "aes-256-cbc"
}
}'

parsed = JSON.parse(clever)

x = parsed["password"]

new_pass = %x(openssl passwd -1 "#{x}")

user 'svc_goagent' do
supports :manage_home => true
comment 'Go agent user'
uid 2333
gid 2000
home '/home/svc_goagent'
shell '/bin/bash'
password {"#{new_pass}"}
end

Is that correct?

On Mar 04, 2015, at 05:45 AM, Jeff Byrnes jeff@evertrue.com wrote:

Might even be able to have Ruby shell out to generate that:

user 'foo' do
action :create

# chomp removes the newline the shell-out appends; useradd rejects it otherwise
password %x(openssl passwd -1 'plaintextpassword').chomp
end

You would want, I think, to not actually have the plain text password right there; I’d suggest perhaps using an encrypted data bag for the actual value there.

Lastly though; why use passwords at all? Why not use SSH keys? Far simpler to manage…



On March 4, 2015 at 8:27:33 AM, Fabien Delpierre (fabien.delpierre@gmail.com) wrote:

Hello,
I’ve never seen this syntax so I’m not sure it’s supported. It’s definitely not in the docs for Chef’s user resource at https://docs.chef.io/resource_user.html.
The correct method is to obtain the password’s shadow hash and use that in your recipe.
$ openssl passwd -1 "plaintextpassword"
That will return something like: $1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y.

Put that in your code after password, like so:
user "foo" do
action :create

password "$1$hLPHf35Y$.6m81pCpLfPHW/py5ee1Y."
end

Hope this helps.
Fabien

On Wed, Mar 4, 2015 at 7:36 AM, ANGELA EBIRIM aebirim@icloud.com wrote:
Hello everyone,

I’d appreciate some assistance.

I’m trying to create a user on a UNIX box with the following code:-

user "svc_goagent" do
action :create
comment "go agent"
uid 1234
gid 2000
home "home/svc_goagent"
shell "/bin/bash"
password "{"encrypted_data"=>"ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n", "iv"=>"PfWTKqKoc3OxO8WxTnW7Zg==\n", "version"=>1, "cipher"=>"aes-256-cbc"}"

supports :manage_home => true

end

My problem is when I put this into a recipe and then do a chef run, I get errors that prevent the user from being created. Can someone please tell me what is the code to pass an encrypted hash as a password for a new user?

Thanks

Angela
