Issue #12833 has been updated by Dustin Mitchell.
Ah, I stumbled across a case where I do need to do upgrades - a root user.
Even with your changes, I'm getting undefined method `string=' for nil:NilClass
at
<pre>
def self.set_salted_sha512_pbkdf2(resource_name, field, value, converted_hash_plist)
  ...
  converted_hash_plist['SALTED-SHA512-PBKDF2'][field].string = \
    value.unpack('a2'*(value.size/2)).collect { |i| i.hex.chr }.join
</pre>
As far as I can tell, the converted_hash_plist is still in DOM format from the
XML conversion. Maybe it would make more sense to fully unpack that into a
simple hash?
----------------------------------------
Bug #12833: Password property for User type is broke in OS X 10.8
https://projects.puppetlabs.com/issues/12833#change-67751
Author: Gary Larizza
Status: In Topic Branch Pending Review
Priority: Normal
Assignee: Gary Larizza
Category: OSX
Target version:
Affected Puppet version: 3.0.0rc3
Keywords: password user mac mountain lion os x
Branch: https://github.com/glarizza/puppet-1/tree/bug/master/12833_OSX_PBKDF2_UPDATE
Setting users' passwords is broken in 10.8 due to the fact that Apple moved to
PBKDF2 passwords in 10.8:
<pre>
Garys-Mac:~ glarizza$ sudo puppet resource user glarizza
Password:
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError)
from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash'
from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report'
from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances'
from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect'
from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances'
from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances'
from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect'
from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances'
from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find'
from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find'
from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources'
from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main'
from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command'
from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook'
from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail'
from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute'
from /usr/bin/puppet:4
</pre>
It's from this code (line 379 in
lib/puppet/provider/nameservice/directoryservice.rb):
<pre>
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
</pre>
So, I'm trying to update Puppet to be able to handle/change the user's password
in 10.8 and I notice that the methodology I need to access/generate/change it
has changed from 10.7 to 10.8. Since our product uses Ruby, I'll be displaying
the steps in Ruby. In 10.7 I used this methodology to access the password:
<pre>
require 'facter/util/plist'

# Convert the user's binary plist to XML and parse it.
users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`)

# ShadowHashData is itself an embedded binary plist; pipe it through plutil to get XML.
password_hash_plist = users_plist['ShadowHashData'][0].string
IO.popen('plutil -convert xml1 -o - -', 'r+') do |io|
  io.write password_hash_plist
  io.close_write
  @converted_plist = io.read
end
converted_hash_plist = Plist::parse_xml(@converted_plist)

# On 10.7 this key is a StringIO holding the binary salted SHA-512 hash.
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
puts password_hash
</pre>
This is all well and good since the value of
converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the
binary version of the salted sha512 password. In 10.8, all of the steps are
the same up to a point - it seems the value of converted_hash_plist is
different:
<pre>
>> pp converted_hash_plist
{"SALTED-SHA512-PBKDF2"=>
{"salt"=>#<StringIO:0x10f31e498>,
"entropy"=>#<StringIO:0x10f31e998>,
"iterations"=>15174}}
=> nil
</pre>
Indeed, this looks like a 128-byte PBKDF2 password (since the value of
converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first
is 256 characters). This makes sense since it looks like Apple has dabbled in
PBKDF2 before (http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf).
Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of
course there's no built-in method to handle passwords in this fashion.
Basically, the format has changed.
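
Added example, not part of the original issue and not Puppet's provider code: one way to flatten the parsed ShadowHashData into a plain hash of hex strings, accepting either the 10.7 `SALTED-SHA512` or the 10.8 `SALTED-SHA512-PBKDF2` layout instead of calling `.string` on a missing key, and to re-derive the 128-byte entropy with Ruby's OpenSSL binding. The function names, the HMAC-SHA512 PRF, the 32-byte salt and the sample data are assumptions or constructed values.

```ruby
require 'openssl'
require 'stringio'

ENTROPY_BYTES = 128 # length the issue infers from the 256 hex characters

# Binary <-> hex helpers; to_hex matches .string.unpack('H*').first above.
def to_hex(bin)
  bin.unpack('H*').first
end
def from_hex(hex)
  [hex].pack('H*')
end

# Flatten parsed ShadowHashData to hex strings; rejects unknown layouts.
def flatten_shadow_hash(plist)
  if (entry = plist['SALTED-SHA512-PBKDF2'])
    { 'scheme' => 'SALTED-SHA512-PBKDF2',
      'salt' => to_hex(entry['salt'].string),
      'entropy' => to_hex(entry['entropy'].string),
      'iterations' => Integer(entry['iterations']) }
  elsif (legacy = plist['SALTED-SHA512'])
    { 'scheme' => 'SALTED-SHA512', 'hash' => to_hex(legacy.string) }
  else
    raise ArgumentError, "unknown ShadowHashData keys: #{plist.keys.inspect}"
  end
end

# Assumption: PBKDF2 with HMAC-SHA512 as the PRF (taken from the key name).
def derive_entropy(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, ENTROPY_BYTES,
                             OpenSSL::Digest.new('SHA512'))
end

# Compare a candidate password with a flattened entry without early exit.
def password_matches?(password, flat)
  expected = from_hex(flat['entropy'])
  actual = derive_entropy(password, from_hex(flat['salt']), flat['iterations'])
  diff = expected.bytesize ^ actual.bytesize
  expected.bytes.zip(actual.bytes) { |a, b| diff |= a ^ b.to_i }
  diff.zero?
end

# Constructed sample shaped like the pp output above (not a real account).
def sample_plist(password = 'constructed-example', iterations = 15_174)
  salt = OpenSSL::Random.random_bytes(32) # constructed salt length
  entropy = derive_entropy(password, salt, iterations)
  { 'SALTED-SHA512-PBKDF2' => { 'salt' => StringIO.new(salt),
      'entropy' => StringIO.new(entropy), 'iterations' => iterations } }
end
```

`flatten_shadow_hash(sample_plist)` returns a hash whose `'entropy'` value is 256 hex characters, matching the observation in the issue; an input with neither key raises `ArgumentError` rather than a `NoMethodError` on nil.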