Michael Trojanek (relativkreativ) — Bootstrapper and creator of things

This article was published on May 27th 2014 and takes about 2 minutes to read.

Use it with caution — it is probably still valid, but it has not been updated for over a year.

Two common pitfalls when using hashed passwords with Puppet

You add a user in your puppet manifest, apply it to a server but you cannot login with this user because the password is incorrect even when there were no obvious problems.

Table of contents

  1. Pitfall 1: Using double quotes when specifying the password hash
  2. Pitfall 2: Missing the libshadow library

Adding a user to your Linux server with Puppet is one of the most basic tasks. To specify a password, you can either let Puppet hash it by using Puppet's built-in functions (don't do that - the password would be stored as plain text in your repository) or you can supply a hashed password "in whatever encrypted format the local system requires" (as Puppet's documentation states).

If you want to apply your manifest to a CentOS/RedHat- or Ubuntu/Debian-server, the encrypted format will probably be SHA1, so you can use OpenSSL to generate the hash:

[root@server ~]$ openssl passwd -1
Password: [mysecretpassword]
Verifying - Password: [mysecretpassword]
$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31

Pitfall 1: Using double quotes when specifying the password hash

user {
  'myuser':
    ensure => present,
    password => "$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31"
}

This won't work because Puppet will try to interpolate variables when you use double quotes (Puppet expects variables to start with a dollar sign) - so always use single quotes:

user {
  'myuser':
    ensure => present,
    password => '$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31'
}

Pitfall 2: Missing the libshadow library

If your user still cannot authenticate with his password, your Puppet installation may be missing the libshadow library. Puppet needs this library to manipulate /etc/shadow where local passwords are stored. If it is missing, you will see that no password is set for your user:

[root@server ~] grep myuser /etc/shadow
myuser:!!:16154:0:99999:7:::

The two bangs tell you that no password has been set. To find out whether the missing library is the culprit, fire up a Ruby interpreter and ask Puppet:

[root@server ~] ruby -e "require 'puppet'; puts Puppet.features.libshadow?"
false

If this returns false, you have to install the library. Searching the interwebs reveals lots of tutorials on how to install it using your distribution's package manager but since you probably already use RubyGems, the easiest way is to just install the appropriate gem:

gem install ruby-shadow --no-ri --no-doc

The next time you apply your Puppet manifest, you should be all set.

Get in the loop

Join my email list to get new articles delivered straight to your inbox and discounts on my products.

No spam — guaranteed.

You can unsubscribe at any time.

Got it, thanks a lot!

Please check your emails for the confirmation request I just sent you. Once you clicked the link therein, you will no longer see these signup forms.

Michael Trojanek

Hörnesgasse 17/19
1030 Vienna
Austria

E-Mail
Twitter
Github

Michael Trojanek

Some words on privacy