Is there a way to script creation of a user on a Chef server without including a cleartext password?


#1

As near as I can tell from the documentation of chef-server-ctl user-create, the command requires a cleartext password as one of its arguments. However, in scripting setup of a Chef server, I’d really like to avoid at all costs including anything like:

chef-server-ctl user-create jsmith John Smith jsmith@foo.com acleartextpasswordinmygitrepo

Is there some alternate solution that exists in Chef, or do I need to choose between manual intervention, some external workaround, or the above ugliness?


#2

You could use OpenSSL and a little bit of bash to get this working (maybe not the most elegant way, but still possible).
This is taken from SuperUser and may be worth some consideration.

Generate a 2048-bit RSA key and store it in key.txt. May be worth bumping it up to 4096.

openssl genrsa -out key.txt 2048

Encrypt “hello world” using the RSA key in key.txt

echo "hello world" | openssl rsautl -inkey key.txt -encrypt >output.bin

Decrypt the message and output to variable for the script… Would need to be in the bash script you are writing

pass=$(openssl rsautl -inkey key.txt -decrypt < output.bin)

You could then use a shell command with a variable $pass for the password value. The info for the user creation command is found here.

chef-server-ctl user-create foouser Foo User foo.user@foobar.com "$pass" (options)

I have not tested this out, so good luck :smiley:
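The approach from the answer above as one script, added here as an example (not code from the thread or from Chef). It uses `openssl pkeyutl` with OAEP padding in place of `rsautl`, which OpenSSL 3.0 deprecates, and refuses a private key that group or other users can access. The function names, the `CHEF_CTL` variable and the file paths are hypothetical, and the key is assumed to live outside the repository, since a key committed next to the ciphertext protects nothing.

```shell
#!/bin/sh
# Added example: only the ciphertext is committed; the private key stays
# outside the repository. All names below are hypothetical.
set -eu

# Command used to talk to the Chef server (overridable for dry runs).
CHEF_CTL=${CHEF_CTL:-chef-server-ctl}

# Create the RSA private key with owner-only permissions.
make_key() {  # $1 = key path (outside the repo)
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Encrypt a secret read from stdin into the ciphertext file.
encrypt_secret() {  # $1 = key path, $2 = ciphertext path
    openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep \
        -inkey "$1" -out "$2"
}

# Decrypt to stdout, but only if the key is a regular file that
# group and other users cannot read, write or execute.
decrypt_secret() {  # $1 = key path, $2 = ciphertext path
    case "$(ls -ld "$1")" in
        -???------*) ;;
        *) echo "refusing $1: key is accessible to group/other" >&2
           return 1 ;;
    esac
    openssl pkeyutl -decrypt -pkeyopt rsa_padding_mode:oaep \
        -inkey "$1" -in "$2"
}

# Decrypt into a variable and create the user from the question.
# The password is still handed over as a command argument, which is
# what the user-create form shown on this page takes.
create_chef_user() {  # $1 = key path, $2 = ciphertext path
    pass=$(decrypt_secret "$1" "$2") || return 1
    "$CHEF_CTL" user-create jsmith John Smith jsmith@foo.com "$pass"
}
```

Run `make_key` and `encrypt_secret` once by hand (for example `printf '%s' "$secret" | encrypt_secret /path/to/key.pem pass.bin`), then call `create_chef_user` from the setup script.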