Michael Trojanek (relativkreativ) — Bootstrapper and creator of things

This article was published on May 27th 2014 and takes about 2 minutes to read.

Use it with caution — it is probably still valid, but it has not been updated for over a year.

Two common pitfalls when using hashed passwords with Puppet

You add a user in your Puppet manifest and apply it to a server, but you cannot log in as this user because the password is rejected, even though the run showed no obvious problems.

Adding a user to your Linux server with Puppet is one of the most basic tasks. To specify a password, you can either let Puppet hash it by using Puppet's built-in functions (don't do that - the password would be stored as plain text in your repository) or you can supply a hashed password "in whatever encrypted format the local system requires" (as Puppet's documentation states).

If you want to apply your manifest to a CentOS/RedHat or Ubuntu/Debian server, the encrypted format will probably be SHA1, so you can use OpenSSL to generate the hash:

[root@server ~]$ openssl passwd -1
Password: [mysecretpassword]
Verifying - Password: [mysecretpassword]
$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31

Pitfall 1: Using double quotes when specifying the password hash

user {
  'myuser':
    ensure => present,
    password => "$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31"
}

This won't work because Puppet tries to interpolate variables inside double-quoted strings (Puppet expects variables to start with a dollar sign), so the hash that reaches the server is not the one you wrote. Always use single quotes:

user {
  'myuser':
    ensure => present,
    password => '$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31'
}

Pitfall 2: Missing the libshadow library

If your user still cannot authenticate with their password, your Puppet installation may be missing the libshadow library. Puppet needs this library to manipulate /etc/shadow, where local passwords are stored. If it is missing, you will see that no password is set for your user:

[root@server ~]$ grep myuser /etc/shadow
myuser:!!:16154:0:99999:7:::

The two bangs tell you that no password has been set. To find out whether the missing library is the culprit, fire up a Ruby interpreter and ask Puppet:

[root@server ~]$ ruby -e "require 'puppet'; puts Puppet.features.libshadow?"
false

If this returns false, you have to install the library. Searching the interwebs reveals lots of tutorials on how to install it using your distribution's package manager, but since you probably already use RubyGems, the easiest way is to just install the appropriate gem:

gem install ruby-shadow --no-document

The next time you apply your Puppet manifest, you should be all set.
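
A check for both pitfalls, as an added example that is not part of the original article: double_quoted_hashes flags manifest lines where a password hash sits in double quotes, and shadow_status compares a user's /etc/shadow field with the hash the manifest declares. The function names, the status symbols and the sample root entry are constructed for illustration; scheme_of names the crypt scheme behind a prefix such as the $1$ that openssl passwd -1 emits.

```ruby
# Added example, not from the original article. Sample data is constructed.
HASH = '$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31'

# The Pitfall 1 manifest (single-quoted heredoc, so Ruby leaves '$' alone).
MANIFEST = <<~'PP'
  user {
    'myuser':
      ensure => present,
      password => "$1$9EGIYjL3$OFw9NSsHa.Wk0RwUHq4G31"
  }
PP

# Constructed shadow file; the myuser line is the one shown under Pitfall 2.
SHADOW = <<~'SH'
  root:$6$constructedsalt$constructedhash:16154:0:99999:7:::
  myuser:!!:16154:0:99999:7:::
SH

# Modular-crypt prefixes as they appear in /etc/shadow.
SCHEMES = { '1' => 'md5crypt', '5' => 'sha256crypt', '6' => 'sha512crypt',
            '2a' => 'bcrypt', '2b' => 'bcrypt', '2y' => 'bcrypt',
            'y' => 'yescrypt' }.freeze

# Pitfall 1: 1-based line numbers where password => "..." contains a '$'.
def double_quoted_hashes(manifest)
  hits = manifest.each_line.with_index(1).select do |line, _|
    line =~ /^\s*password\s*=>\s*"[^"]*\$[^"]*"/
  end
  hits.map { |_, number| number }
end

# Pitfall 2: :missing, :empty, :locked_or_unset, :mismatch or :ok for a user.
def shadow_status(shadow, user, expected_hash)
  entry = shadow.each_line.map { |l| l.chomp.split(':', -1) }
                .find { |fields| fields[0] == user }
  return :missing if entry.nil?
  field = entry[1].to_s
  return :empty if field.empty?
  return :locked_or_unset if field.start_with?('!', '*')
  field == expected_hash ? :ok : :mismatch
end

# Scheme name for a modular-crypt string, or nil if the prefix is unknown.
def scheme_of(hash)
  m = /\A\$([0-9a-z]+)\$/.match(hash)
  m && SCHEMES[m[1]]
end

puts "double-quoted hash on manifest line(s): #{double_quoted_hashes(MANIFEST)}"
puts "myuser: #{shadow_status(SHADOW, 'myuser', HASH)} (#{scheme_of(HASH)})"
```

On a real server, pass File.read('/etc/shadow') (as root) and the text of your manifest instead of the constructed samples.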
