Hi,
As an update to my question, I think that I may have answered it.
Ubuntu 14.04 only accepts /etc/shadow-compatible passwords, so passwords generated using an MD5 algorithm weren't accepted on my Vagrant box (I had a strange error of useradd: invalid field '$1$In9NKSDS$9FIGx4T.aOWq6CZfkkWkO). I had to generate the password using mkpasswd, so in my recipe, instead of using %x(openssl passwd -1 "#{plain_pass}"), I would instead use %x(mkpasswd -m sha512) and ensure that I installed the whois package as part of my recipe on the Ubuntu box (this will install mkpasswd on your Ubuntu box).
You can now do a su svc_goagent and use London2014 (in my case, the decrypted password) and you will be authenticated.
Regards
Sent from iCloud
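An added example, not code from the thread or from Chef, in plain Ruby: it produces a sha512-crypt hash of the kind mkpasswd -m sha512 emits, checks that the result is a legal /etc/shadow password field, and verifies a candidate password against it the way login does. It assumes a libc whose crypt(3) implements the $6$ scheme (glibc on Linux); the salt alphabet and the 86-character hash length are those of sha512-crypt, and the other shadow fields are constructed. One practical check it encodes: useradd rejects a -p value containing a colon or newline with an "invalid field" error, and %x(...) keeps the trailing newline of whatever command it runs, so a captured hash should be chomped before it reaches the user resource.

```ruby
# Added example (not from the thread): generate a sha512-crypt hash the way
# `mkpasswd -m sha512` does, check it is a legal /etc/shadow password field,
# and verify a candidate password against it.
# Assumes a libc whose crypt(3) supports the "$6$" scheme (glibc on Linux).
require 'securerandom'

SALT_CHARS = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']

# 16 random characters from the crypt salt alphabet (the most sha512-crypt uses).
def random_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Hash a plaintext password with sha512-crypt: "$6$<salt>$<86 chars>".
def sha512_crypt(plain, salt = random_salt)
  plain.crypt("$6$#{salt}$")
end

# A shadow password field must be a single token: no newline (which %x(...)
# leaves on the end of a command's output) and no colon (the field separator).
def shadow_field_ok?(field)
  !field.include?("\n") && !field.include?(':') &&
    field.match?(%r{\A\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}\z})
end

# The check login performs: re-hash the candidate using the stored hash as the
# salt specification and compare the two strings.
def password_matches?(candidate, stored_hash)
  candidate.crypt(stored_hash) == stored_hash
end

# Build a shadow line for the user named in the thread; the fields after the
# hash (last change day, min/max age, warning) are constructed values.
def shadow_line(user, hash, lastchg = 16499)
  "#{user}:#{hash}:#{lastchg}:0:99999:7:::"
end

if __FILE__ == $PROGRAM_NAME
  hash = sha512_crypt('London2014')
  puts shadow_line('svc_goagent', hash)
  puts "field ok:     #{shadow_field_ok?(hash)}"
  puts "matches:      #{password_matches?('London2014', hash)}"
  puts "wrong pw:     #{password_matches?('london2014', hash)}"
  # A captured command output still carries its trailing newline.
  puts "with newline: #{shadow_field_ok?(hash + "\n")}"
end
```

Because the stored hash carries its own salt, password_matches? needs no secret beyond the candidate password; that is the same comparison su performs, so it is a way to check a generated hash before it is written to the box.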
On Mar 05, 2015, at 02:13 AM, ANGELA EBIRIM aebirim@icloud.com wrote:
Hello everyone,
I’m still new to Chef and have the following question.
I’m testing my user creation recipe using Vagrant and Chef Solo and now that I have successfully created a user on my UNIX box, how would I then test that this user can login?
I have done the following so far:-
- created the user and set the password
- When I look in the /etc/shadow file on my UNIX box, I see svc_goagent:London2014:16499:0:99999:7:::, so I can see that the password passed in with the user resource was created on the box (should I see the clear text password (London2014) or the MD5 encrypted one?).
- When I log onto Vagrant using vagrant ssh and do a su svc_goagent (my created user) and type in my password (London2014), I get an authentication failure.
What is the correct way of testing that this new user svc_goagent can login?
Many thanks
Angela
On Mar 04, 2015, at 06:59 AM, Jeff Byrnes jeff@evertrue.com wrote:
Oops! Thanks for the catch, Fabien. Apparently I was the one making copy pasta.
–
Jeff Byrnes
@thejeffbyrnes
Lead DevOps Engineer
EverTrue
704.516.4628
On Wed, Mar 4, 2015 at 9:30 AM, ANGELA EBIRIM aebirim@icloud.com wrote:
Hi Jeff,
Thanks very much!
Exactly what I was looking for.
Regards
On Mar 04, 2015, at 06:26 AM, Jeff Byrnes jeff@evertrue.com wrote:
Angela,
Almost! From the looks of it, that’s an encrypted data bag, which you’ve stored on your Chef Server (unless you’re using Chef Solo, in which case this is different entirely).
Assuming this is the svc_goagent item in the users data bag, here's how I would do it:
In Chef 12:
plain_pass = data_bag_item('users', 'svc_goagent')['password']
Chef 11 is a bit less nice:
plain_pass = Chef::EncryptedDataBagItem.load('users', 'svc_goagent')['password']
Then…
# shell out to openssl; -1 selects the MD5-based crypt scheme, and chomp drops
# the trailing newline so the hash is a single shadow field
encrypted_pass = %x(openssl passwd -1 "#{plain_pass}").chomp
user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password encrypted_pass
end
Mind, by the way, that the flag for openssl passwd is a lowercase "L", not the numeral 1.
Take advantage of Chef’s own mechanisms as much as you can; lots of very smart folks have done lots of great work to make life easier for us.
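An added example, not code from the thread or from Chef itself, that re-implements the version 1 encrypted data bag format in plain Ruby so the two things being confused here sit side by side: the raw item field ({"encrypted_data", "iv", "version", "cipher"}) and the plaintext that data_bag_item (Chef 12) or Chef::EncryptedDataBagItem.load (Chef 11) hands back once the shared secret is applied. As I understand the format, the key is the SHA-256 of the secret, the cipher is AES-256-CBC with a random IV, and the value is JSON-wrapped as {"json_wrapper": value} before encryption; the secret and the password used here are constructed, the real ones are not on the page. The decrypted string is still only the plaintext; it must be hashed (mkpasswd or openssl passwd) before it goes into password.

```ruby
# Added example (not from the thread or from Chef): a stand-alone re-implementation
# of Chef's version 1 encrypted data bag format, to show what the decrypted
# password looks like next to the raw {"encrypted_data", "iv", ...} structure.
# Secret and plaintext are constructed; the real values are not on the page.
require 'openssl'
require 'base64'
require 'json'
require 'digest'

# Version 1 format as understood here: key = SHA-256 of the shared secret,
# AES-256-CBC with a random 16-byte IV, value wrapped as {"json_wrapper": value}.
def encrypt_v1(value, secret)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = Digest::SHA256.digest(secret)
  iv = cipher.random_iv
  data = cipher.update(JSON.generate('json_wrapper' => value)) + cipher.final
  {
    'encrypted_data' => Base64.encode64(data), # encode64 adds the "\n" seen in the thread
    'iv' => Base64.encode64(iv),
    'version' => 1,
    'cipher' => 'aes-256-cbc'
  }
end

# Reverse of encrypt_v1; a wrong secret fails at cipher.final (bad padding) or
# at JSON.parse, it never silently yields a wrong plaintext.
def decrypt_v1(field, secret)
  raise ArgumentError, "unsupported version #{field['version']}" unless field['version'] == 1
  cipher = OpenSSL::Cipher.new(field['cipher'])
  cipher.decrypt
  cipher.key = Digest::SHA256.digest(secret)
  cipher.iv = Base64.decode64(field['iv'])
  plain = cipher.update(Base64.decode64(field['encrypted_data'])) + cipher.final
  JSON.parse(plain)['json_wrapper']
end

# Decrypt every field except "id", which is what the decrypted item looks like
# from inside a recipe.
def decrypt_item(item, secret)
  item.each_with_object({}) do |(k, v), out|
    out[k] = k == 'id' ? v : decrypt_v1(v, secret)
  end
end

SECRET = 'constructed-shared-secret-not-the-real-one'

# A constructed encrypted "users" item with the same shape as the one in the thread.
def build_item(plain_password, secret = SECRET)
  { 'id' => 'svc_goagent', 'password' => encrypt_v1(plain_password, secret) }
end

if __FILE__ == $PROGRAM_NAME
  item = build_item('London2014')
  puts 'raw item field (the structure, not a password):'
  puts JSON.pretty_generate(item['password'])
  puts "decrypted plaintext: #{decrypt_item(item, SECRET)['password']}"
end
```

Feeding item['password'] straight to the user resource hands useradd a serialized hash rather than a crypt string; decrypt_item gives the plaintext, and only its crypt hash belongs in the password attribute.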
On March 4, 2015 at 9:05:33 AM, ANGELA EBIRIM (aebirim@icloud.com) wrote:
Hi Jeff,
Thanks for the responses so far…
Your reply is along the line of what I’m trying to do.
So my code would be:
require 'json'
clever = '{
  "id": "svc_goagent",
  "password": {
    "encrypted_data": "ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n",
    "iv": "PfWTKqKoc3OxO8WxTnW7Zg==\n",
    "version": 1,
    "cipher": "aes-256-cbc"
  }
}'
parsed = JSON.parse(clever)
x = parsed["password"]
new_pass = %x(openssl passwd -1 "#{x}").chomp
user 'svc_goagent' do
  supports :manage_home => true
  comment 'Go agent user'
  uid 2333
  gid 2000
  home '/home/svc_goagent'
  shell '/bin/bash'
  password new_pass
end
Is that correct?
On Mar 04, 2015, at 05:45 AM, Jeff Byrnes jeff@evertrue.com wrote:
Might even be able to have Ruby shell out to generate that:
user 'foo' do
  action :create
  # …
  # shell out to openssl for the hash; chomp the trailing newline
  password %x(openssl passwd -1 'plaintextpassword').chomp
end
You would want, I think, to not actually have the plain text password right there; I’d suggest perhaps using an encrypted data bag for the actual value there.
Lastly though; why use passwords at all? Why not use SSH keys? Far simpler to manage…
On March 4, 2015 at 8:27:33 AM, Fabien Delpierre (fabien.delpierre@gmail.com) wrote:
Hello,
I’ve never seen this syntax so I’m not sure it’s supported. It’s definitely not in the docs for Chef’s user resource at https://docs.chef.io/resource_user.html.
The correct method is to obtain the password’s shadow hash and use that in your recipe.
$ openssl passwd -1 "plaintextpassword"
That will return something like: $1$hLPHf35Y$.6m81pCpLfHrW/py5ee1Y.
Put that in your code after password, like so:
user "foo" do
  action :create
  # …
  password "$1$hLPHf35Y$.6m81pCpLfPHW/py5ee1Y."
end
Hope this helps.
Fabien
On Wed, Mar 4, 2015 at 7:36 AM, ANGELA EBIRIM aebirim@icloud.com wrote:
Hello everyone,
I’d appreciate some assistance.
I’m trying to create a user on a UNIX box with the following code:-
user "svc_goagent" do
  action :create
  comment "go agent"
  uid 1234
  gid 2000
  home "/home/svc_goagent"
  shell "/bin/bash"
  # the encrypted data bag field, pasted in as a string
  password '{"encrypted_data"=>"ro21vM1nle78CTBLSNyr40e2tM9VZiiSfbinDAvwZpKov3r9gokq6jStDeAH\nsyRs\n", "iv"=>"PfWTKqKoc3OxO8WxTnW7Zg==\n", "version"=>1, "cipher"=>"aes-256-cbc"}'
  supports :manage_home => true
end
My problem is that when I put this into a recipe and then do a chef run, I get errors that prevent the user from being created. Can someone please tell me what the code is to pass an encrypted hash as a password for a new user?
Thanks
Angela