Issue #11293 has been reported by Gary Larizza.
----------------------------------------
Bug #11293: Password parameter for the User resource is broke in OS X version 10.7
https://projects.puppetlabs.com/issues/11293
Author: Gary Larizza
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:
As of 10.7, OS X uses a SHA512 hash for their passwords. In the past, they
used SHA1 hashes, which are supported with the user resource. As it stands
right now, the password parameter is broken. Doing a sudo puppet resource user
<username> results in the following:
<pre>
users root $ sudo puppet resource user demouser
user { 'demouser':
  ensure  => 'present',
  comment => 'Demo User',
  gid     => '20',
  home    => '/Users/demouser',
  shell   => '/bin/bash',
  uid     => '504',
}
</pre>
Accessing the hash in 10.7 requires the following steps:
* Grabbing the user's plist file in /var/db/dslocal/nodes/Default/users/username.plist
* Converting it to XML (since it's a binary plist)
<pre>
plutil -convert xml1 username.plist
</pre>
* Inspecting the XML file, getting the data string from the ShadowHashData key, and base64-decoding it
<pre>
echo "Data from ShadowHashData Key" | base64 -d > ShadowHashData
</pre>
* The file we created in the previous step is ACTUALLY A BINARY PLIST that needs to be converted to XML
<pre>
plutil -convert xml1 ShadowHashData
</pre>
* In that XML file, there's a key named SALTED-SHA512. Grab the data string from that key and base64-decode it
<pre>
echo "Data from SALTED-SHA512 Key" | base64 -d > hashfile
</pre>
* Finally, reveal the hash using the xxd tool (which I presume takes hex and converts to a string? Or vice versa?) and cutting the first portion (which should be the salt)
<pre>
xxd -p -c 256 hashfile | cut -c 9-
</pre>
Because the password was stored as SHA1 in versions 10.4 - 10.6 and SHA512 in
10.7, there doesn't seem to be a way that we can have a universal password
attribute for the user resource (unless we store the password in plaintext,
which is not ideal).
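The extraction steps listed in the report, done in one pass with Python's standard plistlib, as an added example that is not part of the original report or Puppet's code. The user plist is a constructed fixture, the helper names are hypothetical, and the layout of a 4-byte salt followed by SHA512(salt + password) is an assumption consistent with the `cut -c 9-` step.

```python
import hashlib
import hmac
import plistlib

SALT_LEN = 4  # bytes; the 8 hex characters that `cut -c 9-` drops
DIGEST_LEN = hashlib.sha512().digest_size  # 64 bytes


def build_sample_user_plist(password, salt):
    """Constructed fixture: a binary user plist shaped like the one in the report."""
    digest = hashlib.sha512(salt + password).digest()
    # Inner binary plist that ends up base64-encoded under ShadowHashData.
    inner = plistlib.dumps({"SALTED-SHA512": salt + digest},
                           fmt=plistlib.FMT_BINARY)
    user = {"name": ["demouser"], "ShadowHashData": [inner]}
    return plistlib.dumps(user, fmt=plistlib.FMT_BINARY)


def extract_salted_sha512(user_plist):
    """Return (salt, digest) from a user plist, binary or XML."""
    user = plistlib.loads(user_plist)      # replaces `plutil -convert xml1`
    shadow = user.get("ShadowHashData")
    if not shadow:
        raise ValueError("no ShadowHashData key in user record")
    inner = plistlib.loads(shadow[0])      # the embedded binary plist
    blob = inner.get("SALTED-SHA512")
    if blob is None or len(blob) != SALT_LEN + DIGEST_LEN:
        raise ValueError("missing or malformed SALTED-SHA512 entry")
    return blob[:SALT_LEN], blob[SALT_LEN:]


def hash_hex(user_plist):
    """Same string as `xxd -p -c 256 hashfile | cut -c 9-`."""
    return extract_salted_sha512(user_plist)[1].hex()


def password_matches(user_plist, candidate):
    """Check a desired password against the stored state without storing plaintext."""
    salt, digest = extract_salted_sha512(user_plist)
    computed = hashlib.sha512(salt + candidate).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    sample = build_sample_user_plist(b"constructed-pass", b"\x01\x02\x03\x04")
    print(hash_hex(sample))
    print(password_matches(sample, b"constructed-pass"))
```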