Issue #12833 has been updated by Jeff McCune.
# Request for comment >This bug fix will be released with Puppet 3.0.2. > >Merged into master as 960ab6b and 3.0.x as 94e2032. There are two commits >because I had to rebase 3.0.x after a non-fast-forward conflict occured in >3.0.x and not master. We've decided to merge this into 3.0 and not earlier versions of Puppet, because the solution required a pretty massive overhaul of the directory service provider. If you're affected by this issue, could you please let me know if _not_ having this fix available in the 2.7 minor release will severely negatively impact you or your organization. We're trying to understand if we're going to hurt anyone by not including this fix in the 2.7 series and if we are, what recourse we have. If there are no comments, we're going to proceed as planned and fix this in Puppet 3.0.2 and later versions, but not 2.7. Thanks, -Jeff ---------------------------------------- Bug #12833: Password property for User type is broke in OS X 10.8 https://projects.puppetlabs.com/issues/12833#change-76273 Author: Gary Larizza Status: Merged - Pending Release Priority: Normal Assignee: Category: OSX Target version: 3.0.2 Affected Puppet version: Keywords: password user mac mountain lion os x Branch: https://github.com/puppetlabs/puppet/pull/1266 Setting users passwords is broke in 10.8 due to the fact that Apple moved to PBKDF2 passwords in 10.8: <pre> Garys-Mac:~ glarizza$ sudo puppet resource user glarizza Password: /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError) from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect' from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances' from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances' from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect' from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances' from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find' from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find' from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources' from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main' from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail' from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run' from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute' from /usr/bin/puppet:4 </pre> It's from this code (line 379 in lib/puppet/provider/nameservice/directoryservice.rb): <pre> password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0] </pre> So, I'm trying to update Puppet to be able to handle/change the user's password in 10.8 and I notice that the methodology I need to access/generate/change it has changed from 10.7 to 10.8. Since our product uses Ruby, I'll be displaying the steps in Ruby. In 10.7 I used this methodology to access the password: <pre> require 'facter/util/plist' users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`) password_hash_plist = users_plist['ShadowHashData'][0].string IO.popen('plutil -convert xml1 -o - -', mode='r+') do |io| io.write password_hash_plist io.close_write @converted_plist = io.read end converted_hash_plist = Plist::parse_xml(@converted_plist) password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0] puts password_hash </pre> This is all well and good since the value of converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the binary version of the salted sha512 password. In 10.8, all of the steps are the same up to a point - it seems the value of converted_hash_plist is different: <pre> >> pp converted_hash_plist {"SALTED-SHA512-PBKDF2"=> {"salt"=>#<StringIO:0x10f31e498>, "entropy"=>#<StringIO:0x10f31e998>, "iterations"=>15174}} => nil </pre> Indeed, this looks like a 128 byte PBKDF2 password (since the value of converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first is 256 characters). This makes sense since it looks like Apple has dabbled in PBKDF2 before http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf. Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of course there's no built-in method to handle passwords in this fashion. Basically, the format has changed. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
