Issue #11293 has been updated by Matthaus Litteken. Status changed from Unreviewed to Accepted
----------------------------------------
Bug #11293: Password parameter for the User resource is broke in OS X version 10.7
https://projects.puppetlabs.com/issues/11293

Author: Gary Larizza
Status: Accepted
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:

As of 10.7, OS X uses a SHA512 hash for their passwords. In the past, they used SHA1 hashes, which are supported with the user resource. As it stands right now, the password parameter is broken. Doing a sudo puppet resource user <username> results in the following:

<pre>
users root $ sudo puppet resource user demouser
user { 'demouser':
  ensure  => 'present',
  comment => 'Demo User',
  gid     => '20',
  home    => '/Users/demouser',
  shell   => '/bin/bash',
  uid     => '504',
}
</pre>

Accessing the hash in 10.7 requires the following steps:

* Grabbing the user's plist file in /var/db/dslocal/nodes/Default/users/username.plist
* Converting it to XML (since it's a binary plist)
    plutil -convert xml1 username.plist
* Inspecting the XML file, getting the data string from the ShadowHashData key, and base64-decoding it
    echo "Data from ShadowHashData Key" | base64 -d > ShadowHashData
* The file we created in the previous step is ACTUALLY A BINARY PLIST that needs to be converted to XML
    plutil -convert xml1 ShadowHashData
* In that XML file, there's a key named SALTED-SHA512. Grab the data string from that key and base64-decode it
    echo "Data from SALTED-SHA512 Key" | base64 -d > hashfile
* Finally, reveal the hash using the xxd tool (which I presume takes hex and converts to a string? Or vice versa?) and cutting the first portion (which should be the salt)
    xxd -p -c 256 hashfile | cut -c 9-

Because the password was stored as SHA1 in versions 10.4 - 10.6 and SHA512 in 10.7, there doesn't seem to be a way that we can have a universal password attribute for the user resource (unless we store the password in plaintext, which is not ideal).
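The nested-plist layout described in the steps above, read with Python's plistlib instead of plutil, base64 and xxd, as a provider would need to do before it can compare the stored value with the desired one. This is an added example, not part of the original issue or of Puppet's code; the function names and the sample record are constructed, and the one-element-array handling is an assumption about how the record wraps its values.

```python
import hashlib
import plistlib

SALT_LEN = 4      # bytes; the issue's `cut -c 9-` drops 8 hex characters
DIGEST_LEN = 64   # bytes in a SHA512 digest

# Constructed sample values, not taken from any real account.
SAMPLE_SALT = bytes.fromhex("0a1b2c3d")
SAMPLE_DIGEST = hashlib.sha512(b"constructed filler").digest()


def first_value(value):
    # Assumption: the record may wrap each attribute in a one-element array.
    return value[0] if isinstance(value, list) else value


def read_salted_sha512(user_plist_bytes):
    """Return (salt_hex, hash_hex) from a 10.7-style user record."""
    user = plistlib.loads(user_plist_bytes)       # binary or XML plist
    if "ShadowHashData" not in user:
        raise KeyError("no ShadowHashData key in user record")
    # The ShadowHashData value is itself a binary plist.
    inner = plistlib.loads(first_value(user["ShadowHashData"]))
    if "SALTED-SHA512" not in inner:
        raise KeyError("no SALTED-SHA512 key in ShadowHashData")
    raw = bytes(first_value(inner["SALTED-SHA512"]))
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError("unexpected SALTED-SHA512 length: %d" % len(raw))
    # Same split as `xxd -p -c 256 hashfile | cut -c 9-`, keeping the salt too.
    return raw[:SALT_LEN].hex(), raw[SALT_LEN:].hex()


def build_sample_user_plist():
    """Build a constructed record with the same nesting as the issue describes."""
    inner = plistlib.dumps({"SALTED-SHA512": SAMPLE_SALT + SAMPLE_DIGEST},
                           fmt=plistlib.FMT_BINARY)
    record = {"name": ["demouser"], "ShadowHashData": [inner]}
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    salt_hex, hash_hex = read_salted_sha512(build_sample_user_plist())
    print("salt:", salt_hex)
    print("hash:", hash_hex)
```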
