The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #11293

Password parameter for the User resource is broken in OS X version 10.7

Added by Gary Larizza almost 3 years ago. Updated over 2 years ago.

Status: Closed
Start date: 12/08/2011
Priority: Normal
Due date:
Assignee: Gary Larizza
% Done: 0%
Category: OSX
Target version: 2.7.10
Affected Puppet version: 2.7.9
Branch: https://github.com/puppetlabs/puppet/pull/308
Keywords:



Description

As of 10.7, OS X uses a SHA512 hash for its passwords. In the past, it used SHA1 hashes, which are supported with the user resource. As it stands right now, the password parameter is broken. Doing a sudo puppet resource user results in the following:

users root $ sudo puppet resource user demouser
user { 'demouser':
  ensure  => 'present',
  comment => 'Demo User',
  gid     => '20',
  home    => '/Users/demouser',
  shell   => '/bin/bash',
  uid     => '504',
}

Accessing the hash in 10.7 requires the following steps:

  • Grabbing the user’s plist file in /var/db/dslocal/nodes/Default/users/username.plist
  • Converting it to XML (since it’s a binary plist)

      plutil -convert xml1 username.plist

  • Inspecting the XML file, getting the data string from the ShadowHashData key, and base64-decoding it

      echo "Data from ShadowHashData Key" | base64 -d > ShadowHashData

  • The file we created in the previous step is ACTUALLY A BINARY PLIST that needs to be converted to XML

      plutil -convert xml1 ShadowHashData

  • In that XML file, there’s a key named SALTED-SHA512. Grab the data string from that key and base64-decode it

      echo "Data from SALTED-SHA512 Key" | base64 -d > hashfile

  • Finally, reveal the hash using the xxd tool (which I presume takes hex and converts to a string? Or vice versa?) and cutting the first portion (which should be the salt)

      xxd -p -c 256 hashfile | cut -c 9-

Because the password was stored as SHA1 in versions 10.4 – 10.6 and SHA512 in 10.7, there doesn’t seem to be a way that we can have a universal password attribute for the user resource (unless we store the password in plaintext, which is not ideal).
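The nested-plist layout the steps above walk through, as an added example that is not part of this ticket and is not Puppet's provider code. It uses Python's standard `plistlib`, which reads binary and XML plists alike, so neither `plutil` nor a real `/var/db/dslocal` record is needed: the user record is constructed inline. Assumptions made here and not stated in the ticket: dslocal stores each attribute as a one-element list (so `ShadowHashData` is read via `[0]`), 10.7's `SALTED-SHA512` value is SHA-512 over a 4-byte salt followed by the password (the 4-byte width is what the ticket's `cut -c 9-` implies), and the user name and uid are placeholders. The `password_in_sync` check at the end is the comparison a configuration-management provider's `password` property would have to make between the stored hash and the hash given in the manifest.

```python
import hashlib
import os
import plistlib

SALT_BYTES = 4      # `cut -c 9-` in the ticket drops 8 hex chars = a 4-byte salt (assumption)
SHA512_BYTES = 64
SALTED_HEX_LEN = 2 * (SALT_BYTES + SHA512_BYTES)   # 136 hex chars, salt included


def salted_sha512_hex(password, salt):
    """Hex of salt || SHA-512(salt || password): the 136-char string an admin would
    put in a manifest. Assumption: 10.7 hashes as SHA-512 over salt then password."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex()


def build_shadow_hash_data(salted_hex):
    """Inverse of steps 3-5: the ShadowHashData blob is itself a binary plist whose
    SALTED-SHA512 key holds the raw salt+hash bytes."""
    raw = bytes.fromhex(salted_hex)
    if len(raw) != SALT_BYTES + SHA512_BYTES:
        raise ValueError("expected %d hex chars of salt+hash" % SALTED_HEX_LEN)
    return plistlib.dumps({"SALTED-SHA512": raw}, fmt=plistlib.FMT_BINARY)


def build_user_record(name, salted_hex, uid="504"):
    """Constructed stand-in for username.plist (step 1). Assumption: dslocal keeps
    every attribute as a list, so ShadowHashData is a one-element list of data."""
    record = {
        "name": [name],
        "uid": [uid],
        "ShadowHashData": [build_shadow_hash_data(salted_hex)],
    }
    return plistlib.dumps(record, fmt=plistlib.FMT_BINARY)


def extract_salted_sha512(user_record):
    """Steps 2-6 in one place: outer plist -> ShadowHashData -> inner plist ->
    SALTED-SHA512 -> hex. Returns the full 136-char string (salt first)."""
    record = plistlib.loads(user_record)          # step 2: binary plist, no plutil needed
    shadow = record["ShadowHashData"]              # step 3: already raw bytes, not base64
    if isinstance(shadow, list):
        shadow = shadow[0]
    inner = plistlib.loads(shadow)                 # step 4: the blob is a binary plist too
    raw = inner["SALTED-SHA512"]                   # step 5
    if len(raw) != SALT_BYTES + SHA512_BYTES:
        raise ValueError("unexpected SALTED-SHA512 length %d" % len(raw))
    return raw.hex()                               # step 6, without dropping the salt


def split_salt_and_hash(salted_hex):
    """Separate the leading salt from the digest, as the ticket's `cut -c 9-` does."""
    return salted_hex[:2 * SALT_BYTES], salted_hex[2 * SALT_BYTES:]


def password_in_sync(user_record, desired_salted_hex):
    """Desired-state comparison a provider would run: does the stored salt+hash
    equal the one in the manifest? Compares hashes only; no plaintext involved."""
    return extract_salted_sha512(user_record) == desired_salted_hex.lower()


if __name__ == "__main__":
    salt = os.urandom(SALT_BYTES)
    desired = salted_sha512_hex("example-only", salt)      # constructed sample
    plist_bytes = build_user_record("demouser", desired)
    stored = extract_salted_sha512(plist_bytes)
    salt_hex, hash_hex = split_salt_and_hash(stored)
    print("salt:", salt_hex)
    print("hash:", hash_hex)
    print("in sync:", password_in_sync(plist_bytes, desired))
```

Because `extract_salted_sha512` keeps the salt, the string it returns is directly comparable to the value a manifest would carry; splitting the salt off, as the ticket's last step does, is only useful when inspecting the value by hand.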


Related issues

Duplicated by Puppet - Bug #11580: Mac OS 10.7 Lion @user password: No such file or directo... Duplicate 12/27/2011

History

#1 Updated by Matthaus Owens almost 3 years ago

  • Status changed from Unreviewed to Accepted

#2 Updated by Gary Larizza over 2 years ago

  • Branch set to https://github.com/glarizza/puppet-1/tree/bug/2.7.x/11293_users_osx

#3 Updated by Gary Larizza over 2 years ago

  • Category set to OSX
  • Assignee set to Gary Larizza
  • Target version set to 2.7.x

Pull request at https://github.com/puppetlabs/puppet/pull/306 if anyone wants to test it out.

#4 Updated by Jeff McCune over 2 years ago

  • Target version changed from 2.7.x to 2.7.10
  • Affected Puppet version set to 2.7.9

#5 Updated by Jeff McCune over 2 years ago

  • Status changed from Accepted to Tests Insufficient

Reverted

Reverted this from 2.7.x to un-break the build.


commit c751e01802d6eb7eea3dbe600bee0784943b0a30
Author: Jeff McCune 
Date:   Thu Jan 5 17:25:25 2012 -0800

    Revert "Access user password hash in OS X 10.7"
    
    This reverts commit 11b8c5ad3fb99263c8484fecc767b69cd80d3156.
    
    This needs to be reverted because I missed the use of backticks (``),
    effectively %x{}, in the original pull request and this is causing a big
    problem for the CI tests on non Mac OS X systems that don't have plutil.
    
    Gary and I are going to refactor the pull request to make the command
    calls easier to mock out on non Mac OS X platforms.  We can't do this
    quickly tonight though.
    
    Updated information will be in ticket #11293

#6 Updated by Jeff McCune over 2 years ago

  • Status changed from Tests Insufficient to Merged - Pending Release

Merged into 2.7.x

The new pull request https://github.com/puppetlabs/puppet/pull/308 with updated tests has been merged into 2.7.x as:


commit 63e31232c192d6d5ad86f2ea829d4605e069ec4e
Merge: 07da208 018f36d
Author: Jeff McCune 
Date:   Fri Jan 6 13:23:27 2012 -0800

    Merge branch 'bug/2.7.x/11293' into 2.7.x
    
    * bug/2.7.x/11293:
      (#11293) Add password get/set behavior for 10.7

#7 Updated by Jeff McCune over 2 years ago

  • Branch changed from https://github.com/glarizza/puppet-1/tree/bug/2.7.x/11293_users_osx to https://github.com/puppetlabs/puppet/pull/308

#8 Updated by Michael Stahnke over 2 years ago

  • Status changed from Merged - Pending Release to Closed

released in 2.7.10rc1
