Issue #12833 has been updated by Jeff McCune.

bruce lysik wrote:
> Ben Ford wrote:
> > My client this week will be hit by this when we try to manage users 
> > tomorrow. I'm going to attempt to backport this tonight....
> 
> Can you submit this back port?  Would love to have this fixed in 2.7.x

Unfortunately we aren't making any additional releases of Puppet 2.7 except 
critical bugs and security fixes.  At this point, a back-port of this change 
would almost certainly be turned away because it's not a critical bug.

Bruce, is there something holding you back from upgrading to Puppet 3?  If so, 
what is it?

-Jeff
----------------------------------------
Bug #12833: Password property for User type is broke in OS X 10.8
https://projects.puppetlabs.com/issues/12833#change-83935

Author: Gary Larizza
Status: Merged - Pending Release
Priority: Normal
Assignee: 
Category: OSX
Target version: 3.0.2
Affected Puppet version: 
Keywords: password user mac mountain lion os x
Branch: https://github.com/puppetlabs/puppet/pull/1306


Setting users' passwords is broken in 10.8 due to the fact that Apple moved to 
PBKDF2 passwords in 10.8:

<pre>
Garys-Mac:~ glarizza$ sudo puppet resource user glarizza
Password:
/Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:379:in `get_password': undefined method `string' for nil:NilClass (NoMethodError)
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:199:in `generate_attribute_hash'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:235:in `single_report'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:76:in `instances'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `collect'
        from /Library/Ruby/Site/1.8/puppet/provider/nameservice/directoryservice.rb:75:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:889:in `instances'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `collect'
        from /Library/Ruby/Site/1.8/puppet/type.rb:882:in `instances'
        from /Library/Ruby/Site/1.8/puppet/indirector/resource/ral.rb:4:in `find'
        from /Library/Ruby/Site/1.8/puppet/indirector/indirection.rb:196:in `find'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:222:in `find_or_save_resources'
        from /Library/Ruby/Site/1.8/puppet/application/resource.rb:144:in `main'
        from /Library/Ruby/Site/1.8/puppet/application.rb:317:in `run_command'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:413:in `hook'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/application.rb:404:in `exit_on_fail'
        from /Library/Ruby/Site/1.8/puppet/application.rb:309:in `run'
        from /Library/Ruby/Site/1.8/puppet/util/command_line.rb:69:in `execute'
        from /usr/bin/puppet:4
</pre>

It's from this code (line 379 in lib/puppet/provider/nameservice/directoryservice.rb):

<pre>
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
</pre>


So, I'm trying to update Puppet to be able to handle/change the user's password 
in 10.8 and I notice that the methodology I need to access/generate/change it 
has changed from 10.7 to 10.8.  Since our product uses Ruby, I'll be displaying 
the steps in Ruby.  In 10.7 I used this methodology to access the password:
 
<pre>
require 'facter/util/plist'

# Read the user's record from the local DS node and have plutil emit it as XML
# so that Plist can parse it.
users_plist = Plist::parse_xml(`plutil -convert xml1 -o /dev/stdout /var/db/dslocal/nodes/Default/users/brit_xml.plist`)

# ShadowHashData is an array whose first element is a binary plist (a StringIO).
password_hash_plist = users_plist['ShadowHashData'][0].string

# Feed that embedded binary plist to plutil on stdin and read back the XML form.
IO.popen('plutil -convert xml1 -o - -', 'r+') do |io|
  io.write password_hash_plist
  io.close_write
  @converted_plist = io.read
end

converted_hash_plist = Plist::parse_xml(@converted_plist)
# On 10.7 the SALTED-SHA512 value is a StringIO holding the raw binary hash.
password_hash = converted_hash_plist['SALTED-SHA512'].string.unpack("H*")[0]
puts password_hash
</pre>

 
This is all well and good since the value of 
converted_hash_plist['SALTED-SHA512'] was a StringIO object containing the 
binary version of the salted sha512 password.  In 10.8, all of the steps are 
the same up to a point - it seems the value of converted_hash_plist is 
different:
 
<pre>
>> pp converted_hash_plist
{"SALTED-SHA512-PBKDF2"=>
  {"salt"=>#<StringIO:0x10f31e498>,
   "entropy"=>#<StringIO:0x10f31e998>,
   "iterations"=>15174}}
=> nil
</pre>

Indeed, this looks like a 128-byte PBKDF2 password (since the value of 
converted_hash_plist['SALTED-SHA512-PBKDF2']['entropy'].string.unpack('H*').first
is 256 characters). This makes sense since it looks like Apple has dabbled in 
PBKDF2 before: http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi.pdf. 
Ruby does have a PBKDF2 gem (https://github.com/emerose/pbkdf2-ruby), but of 
course there's no built-in method to handle passwords in this fashion.

Basically, the format has changed.
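To show what the new layout means for a provider that has to verify or set a password, here is an added example (not Puppet's code and not from the issue) that works on the parsed structure shown above: a Hash keyed by scheme whose binary members are StringIO objects. It assumes the 10.8 scheme is PBKDF2 with HMAC-SHA512 (as the key name indicates) and a 32-byte salt, which the post does not state; the 128-byte entropy length and the 15174 iteration count come from the post.

```ruby
require 'openssl'
require 'stringio'

# Added example, not Puppet's own code. Operates on the structure that
# Plist::parse_xml produces for the converted ShadowHashData plist.
module ShadowHash
  PBKDF2_KEY  = 'SALTED-SHA512-PBKDF2'
  ENTROPY_LEN = 128   # the post observes a 256-hex-character (128-byte) entropy
  SALT_LEN    = 32    # assumption; the post does not give the salt length

  # Derive the entropy for a password. Assumption: PBKDF2-HMAC-SHA512.
  def self.pbkdf2(password, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, ENTROPY_LEN,
                               OpenSSL::Digest.new('sha512'))
  end

  # Build a 10.8-style entry, i.e. what a provider would write when it sets a
  # password. The salt defaults to fresh random bytes.
  def self.generate(password, iterations = 15174,
                    salt = OpenSSL::Random.random_bytes(SALT_LEN))
    { PBKDF2_KEY => { 'salt'       => StringIO.new(salt),
                      'entropy'    => StringIO.new(pbkdf2(password, salt, iterations)),
                      'iterations' => iterations } }
  end

  # Check a candidate password against a parsed entry. Unknown schemes (such as
  # the pre-10.8 SALTED-SHA512 layout) raise a clear error instead of the
  # NoMethodError on nil seen in the trace above.
  def self.verify(entry, password)
    part = entry[PBKDF2_KEY]
    if part.nil?
      raise ArgumentError, "no #{PBKDF2_KEY} entry (found: #{entry.keys.join(', ')})"
    end
    derived = pbkdf2(password, part['salt'].string, part['iterations'].to_i)
    constant_time_equal?(derived, part['entropy'].string)
  end

  # Compare two byte strings without an early exit that would leak the position
  # of the first mismatch through timing.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end
```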

