Removing root's password results in 'ruby-shadow not installed' error


#1

Hi,

I’m trying to write a recipe that will create a default user and
remove root’s password on an Ubuntu 10.04 box. Creating the user (with
password) works fine. However, when it hits this:

user "root" do
  action :modify
  password "*"
end

I get this traceback about ruby-shadow not being installed:
https://gist.github.com/954522

I’ve tried setting the root password to an actual hash but I get the
same error. Any help is greatly appreciated.

-J


#2

On Tue, May 3, 2011 at 5:36 PM, Jason J. W. Williams
jasonjwwilliams@gmail.com wrote:

I get this traceback about ruby-shadow not being installed:
https://gist.github.com/954522

You need the ruby-shadow library for modifying a user password. It
isn’t installed by the gems as a dependency because it is optional.

sudo gem install ruby-shadow

I’ve tried setting the root password to an actual hash but I get the
same error. Any help is greatly appreciated.

This should be a hash.

http://wiki.opscode.com/display/chef/Resources#Resources-User

Bryan


#3

From http://wiki.opscode.com/display/chef/Resources
"In order to use the “password” attribute in Chef 0.5.6, you must have
"ruby-shadow" installed. You can get this by installing the debian
package “libshadow-ruby1.8”."

Jay



#4

‘gem install ruby-shadow’ on Ruby 1.8. On 1.9 it’s trickier. Check the
branch at GitHub under user apalmblad - it builds and installs fine on an
Ubuntu system with Ruby 1.9 and build-essentials.


#5

On Tue, May 3, 2011 at 5:36 PM, Jason J. W. Williams
jasonjwwilliams@gmail.com wrote:

user "root" do
  action :modify
  password "*"
end

Also, there’s a “lock” action.

http://wiki.opscode.com/display/chef/Resources#Resources-User

Bryan


#6

Hi Bryan,

You need the ruby-shadow library for modifying a user password. It
isn’t installed by the gems as a dependency because it is optional.

Actually I do this already in the recipe at the beginning, just not
included in that snippet:

gem_package "ruby-shadow" do
  action :install
end

This should be a hash.

Since I want to remove the password how do you do a hash of nothing?
:wink: Setting it ‘*’ was a guess that it was just setting the password
field in /etc/shadow directly.

-J


#7

On Tue, May 3, 2011 at 5:51 PM, Jason J. W. Williams
jasonjwwilliams@gmail.com wrote:

gem_package "ruby-shadow" do
  action :install
end

Does this error happen on a second run?

Are you installing from debs or gems?

Since I want to remove the password how do you do a hash of nothing?
:wink: Setting it ‘*’ was a guess that it was just setting the password
field in /etc/shadow directly.

Use “action :lock” which I failed to mention at first.

Bryan


#8

Does this error happen on a second run?

Creating the “test-user” account with a password specified does not
throw the error. Only modifying the “root” account afterwards.

Are you installing from debs or gems?

Using gem_package to force installation from gems.

Use “action :lock” which I failed to mention at first.

:lock will set the shadow password field to “*”?

-J


#9

On Tue, May 3, 2011 at 6:16 PM, Jason J. W. Williams
jasonjwwilliams@gmail.com wrote:

Are you installing from debs or gems?

Using gem_package to force installation from gems.

Are you installing Chef from gems or debs?

Use “action :lock” which I failed to mention at first.

:lock will set the shadow password field to “*”?

This depends on your platform. On Linux, the account lock feature adds
an “!” to the beginning of the password field. The user can no longer
log in using this password. This does allow you to later unlock the
account and return to the previous password. On Linux, chef utilizes
"usermod -L" to lock an account, which acts this way.

I suppose you could set the password to “*” using the password
attribute. Since we’re normally writing directly to this field through
the shadow library, that may work.

Please keep in mind that neither of these options prevent login to an
account on Linux, they only prohibit login using a password. Often
people disable root login via ssh in the sshd_config and delete other
users when they are no longer needed. Alternately you could expire the
account (chage -E 1 user)

Bryan


#10

Are you installing Chef from gems or debs?

Debs.

I suppose you could set the password to “*” using the password
attribute. Since we’re normally writing directly to this field through
the shadow library, that may work.

Setting the password attribute to “*” is what appears to trigger the
issue. Locking the account works fine though.

Please keep in mind that neither of these options prevent login to an
account on Linux, they only prohibit login using a password. Often
people disable root login via ssh in the sshd_config and delete other
users when they are no longer needed. Alternately you could expire the
account (chage -E 1 user)

Root login is also disabled in sshd_config. The goal is to prevent
login with a password to the root account. If a privileged user
becomes root that’s acceptable. Just getting rid of direct
password-based login to the account.

Thank you for your help.

-J


#11

On 4 May 2011 01:46, Bryan McLellan btm@loftninjas.org wrote:

On Tue, May 3, 2011 at 5:36 PM, Jason J. W. Williams
jasonjwwilliams@gmail.com wrote:

user "root" do
  action :modify
  password "*"
end

Also, there’s a “lock” action.

You should note that locking the account and setting the hash to ‘*’
are quite different. For example if you are using ssh key logins you
can allow a user to access that has no usable password (i.e. hash of
‘*’) but if you lock the account the user will not be permitted to
login.

I suppose you could set the password to “*” using the password
attribute. Since we’re normally writing directly to this field through
the shadow library, that may work.

If you have the ruby shadow library installed the manipulation of the
hash does indeed work correctly, and leave the account enabled, but
with no usable password.

Kimball Johnson
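
Added example, not part of any post in this thread: a small Ruby audit that tells apart the shadow states discussed in #9 and #11 (a "!"-prefixed locked hash, a "*" field with no usable password, a normal hash) and the expiry field set by chage -E. The function names and the sample entries are hypothetical; the sample hashes are placeholders.

```ruby
# Added example: classify /etc/shadow entries by how the password field is set.
# SAMPLE_SHADOW is constructed; the "hashes" are placeholders, not real hashes.
SAMPLE_SHADOW = <<~'SHADOW'
  root:*:15097:0:99999:7:::
  deploy:!$6$salt$placeholderhash:15097:0:99999:7:::
  test-user:$6$salt$placeholderhash:15097:0:99999:7:::
  olduser:$6$salt$placeholderhash:15097:0:99999:7::1:
  guest::15097:0:99999:7:::
SHADOW

# Field 2 of a shadow entry.
def password_state(field)
  return :empty if field.empty?                            # no password set at all
  return :no_usable_password if field.match?(/\A[*!]+\z/)  # no input hashes to this
  return :locked if field.start_with?("!")                 # usermod -L: "!" + old hash
  :hashed
end

# Field 8 is the account expiry date in days since 1970-01-01 (chage -E).
def expired?(field, today)
  !field.empty? && field.to_i <= today
end

def audit_shadow(text, today = Time.now.to_i / 86_400)
  text.each_line.map(&:chomp).reject(&:empty?).map do |line|
    f = line.split(":", -1)
    [f[0], { password: password_state(f[1].to_s), expired: expired?(f[7].to_s, today) }]
  end.to_h
end

# Accounts that can still authenticate with a password (or with none at all).
def password_login_accounts(report)
  report.select { |_, e| !e[:expired] && %i[hashed empty].include?(e[:password]) }.keys
end

if __FILE__ == $PROGRAM_NAME
  report = audit_shadow(SAMPLE_SHADOW)
  report.each { |name, e| puts format("%-10s %-20s expired=%s", name, e[:password], e[:expired]) }
  puts "password login still possible: #{password_login_accounts(report).join(', ')}"
end
```

To check a real host, pass File.read("/etc/shadow") to audit_shadow as root after the Chef run.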