Issue #12833 has been updated by Gary Larizza.
Yep, I neglected to take into account that the directoryservice provider also handles group behavior. I've closed the pull request for now and am putting the work into a total rewrite of the user/group provider on OS X <https://github.com/glarizza/puppet-1/blob/feature/master/osx_dscl_providers/lib/puppet/provider/user/osx.rb>. I have a webinar on the 28th, so I'm sprinting to try and get it done before then. I'll keep you updated on how it goes (for now, no, that provider isn't currently handling passwords...yet). ---------------------------------------- Bug #12833: Password property for User type is broke in OS X 10.8 https://projects.puppetlabs.com/issues/12833#change-69044 Author: Gary Larizza Status: In Topic Branch Pending Review Priority: Normal Assignee: Gary Larizza Category: OSX Target version: 3.x Affected Puppet version: 3.0.0rc3 Keywords: password user mac mountain lion os x Branch: https://github.com/glarizza/puppet-1/tree/bug/master/12833_OSX_PBKDF2_UPDATE Setting users passwords is broke in 10.8 due to the fact that Apple moved to PBKDF2 passwords in 10.8: <pre> Garys-Mac:~ glarizza$ sudo puppet resource user glarizza Password: /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError) from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances' from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances' from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect' from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances' from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find' from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find' from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources' from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main' from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute' from /usr/bin/puppet:4 </pre> It's from this code (line 379 in lib/puppet/provider/nameservice/directoryservice.rb): <pre> password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0] </pre> So, I'm trying to update Puppet to be able to handle/change the user's password in 10.8 and I notice that the methodology I need to access/generate/change it has changed from 10.7 to 10.8. Since our product uses Ruby, I'll be displaying the steps in Ruby. In 10.7 I used this methodology to access the password: <pre> require 'facter/util/plist' users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`) password_hash_plist = users_plist['ShadowHashData'][0].string IO.popen('plutil -convert xml1 -o - -', mode='r+') do |io| io.write password_hash_plist io.close_write @converted_plist = io.read end converted_hash_plist = Plist::parse_xml(@converted_plist) password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0] puts password_hash </pre> This is all well and good since the value of converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the binary version of the salted sha512 password. In 10.8, all of the steps are the same up to a point - it seems the value of converted_hash_plist is different: <pre> >> pp converted_hash_plist {"SALTED-SHA512-PBKDF2"=> {"salt"=>#<StringIO:0x10f31e498>, "entropy"=>#<StringIO:0x10f31e998>, "iterations"=>15174}} => nil </pre> Indeed, this looks like a 128 byte PBKDF2 password (since the value of converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first is 256 characters). This makes sense since it looks like Apple has dabbled in PBKDF2 before http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf. Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of course there's no built-in method to handle passwords in this fashion. Basically, the format has changed. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
