Issue #11293 has been updated by Jeff McCune.

Status changed from Accepted to Tests Insufficient
# Reverted #

Reverted this from 2.7.x to un-break the build.

<pre>
commit c751e01802d6eb7eea3dbe600bee0784943b0a30
Author: Jeff McCune <[email protected]>
Date:   Thu Jan 5 17:25:25 2012 -0800

    Revert "Access user password hash in OS X 10.7"

    This reverts commit 11b8c5ad3fb99263c8484fecc767b69cd80d3156.

    This needs to be reverted because I missed the use of backticks (``),
    effectively %x{}, in the original pull request and this is causing a big
    problem for the CI tests on non Mac OS X systems that don't have plutil.

    Gary and I are going to refactor the pull request to make the command
    calls easier to mock out on non Mac OS X platforms. We can't do this
    quickly tonight though.

    Updated information will be in ticket #11293
</pre>

----------------------------------------
Bug #11293: Password parameter for the User resource is broke in OS X version 10.7
https://projects.puppetlabs.com/issues/11293

Author: Gary Larizza
Status: Tests Insufficient
Priority: Normal
Assignee: Gary Larizza
Category: OSX
Target version: 2.7.10
Affected Puppet version: 2.7.9
Keywords:
Branch: https://github.com/glarizza/puppet-1/tree/bug/2.7.x/11293_users_osx

As of 10.7, OS X uses a SHA512 hash for their passwords. In the past, they used SHA1 hashes, which are supported with the user resource. As it stands right now, the password parameter is broken.
Doing a sudo puppet resource user <username> results in the following:

<pre>
users root $ sudo puppet resource user demouser
user { 'demouser':
  ensure  => 'present',
  comment => 'Demo User',
  gid     => '20',
  home    => '/Users/demouser',
  shell   => '/bin/bash',
  uid     => '504',
}
</pre>

Accessing the hash in 10.7 requires the following steps:

* Grabbing the user's plist file in /var/db/dslocal/nodes/Default/users/username.plist
* Converting it to XML (since it's a binary plist)
  plutil -convert xml1 username.plist
* Inspecting the XML file, getting the data string from the ShadowHashData key, and base64-decoding it
  echo "Data from ShadowHashData Key" | base64 -d > ShadowHashData
* The file we created in the previous step is ACTUALLY A BINARY PLIST that needs to be converted to XML
  plutil -convert xml1 ShadowHashData
* In that XML file, there's a key named SALTED-SHA512. Grab the data string from that key and base64-decode it
  echo "Data from SALTED-SHA512 Key" | base64 -d > hashfile
* Finally, reveal the hash using the xxd tool (which I presume takes hex and converts to a string? Or vice versa?) and cutting the first portion (which should be the salt)
  xxd -p -c 256 hashfile | cut -c 9-

Because the password was stored as SHA1 in versions 10.4 - 10.6 and SHA512 in 10.7, there doesn't seem to be a way that we can have a universal password attribute for the user resource (unless we store the password in plaintext, which is not ideal).
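An added example, not part of the ticket or of Puppet's code: one way to structure the 10.7 lookup steps above so that the single call to plutil sits behind an injectable converter, which lets the parsing be tested on systems without plutil. ShadowHashReader, the converter argument and the plutil stdin/stdout arguments are assumptions; the 4-byte salt length is taken from the ticket's `cut -c 9-`.

```ruby
# Added example, not Puppet's provider code. ShadowHashReader and the
# injectable converter are hypothetical names.
class ShadowHashReader
  SALT_BYTES = 4     # the ticket's `cut -c 9-` drops 8 hex characters
  DIGEST_BYTES = 64  # size of a SHA-512 digest

  # Default converter: binary plist bytes in, XML text out. This is the only
  # place that shells out. Assumes plutil reads stdin as "-" and writes
  # stdout with "-o -".
  PLUTIL = lambda do |bytes|
    IO.popen(%w[plutil -convert xml1 -o - -], 'r+b') do |io|
      io.write(bytes)
      io.close_write
      io.read
    end
  end

  def initialize(converter: PLUTIL)
    @converter = converter
  end

  # user_plist: raw bytes of the user's record under
  # /var/db/dslocal/nodes/Default/users/. Returns { salt:, hash: } as hex
  # strings, or nil when the record carries no SALTED-SHA512 entry.
  def salted_sha512(user_plist)
    shadow = data_for(@converter.call(user_plist), 'ShadowHashData')
    return nil unless shadow
    # ShadowHashData is itself a binary plist, so it is converted again.
    blob = data_for(@converter.call(shadow), 'SALTED-SHA512')
    return nil unless blob
    unless blob.bytesize == SALT_BYTES + DIGEST_BYTES
      raise ArgumentError, "unexpected SALTED-SHA512 length #{blob.bytesize}"
    end
    hex = blob.unpack1('H*')
    { salt: hex[0, SALT_BYTES * 2], hash: hex[(SALT_BYTES * 2)..] }
  end

  private

  # Base64-decodes the first <data> value that follows <key>name</key>.
  def data_for(xml, name)
    pattern = %r{<key>#{Regexp.escape(name)}</key>\s*(?:<array>\s*)?<data>(.*?)</data>}m
    match = xml.match(pattern)
    match && match[1].gsub(/\s+/, '').unpack1('m')
  end
end
```

In a spec, pass a lambda that returns canned XML as `converter:` so nothing is executed on platforms that lack plutil.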
