The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #11293

Password parameter for the User resource is broke in OS X version 10.7

Added by Gary Larizza almost 4 years ago. Updated almost 4 years ago.

Status:ClosedStart date:12/08/2011
Priority:NormalDue date:
Assignee:Gary Larizza% Done:


Target version:2.7.10
Affected Puppet version:2.7.9 Branch:

We've Moved!

Ticket tracking is now hosted in JIRA:


As of 10.7, OS X uses a SHA512 hash for their passwords. In the past, they used SHA1 hashes, which are supported with the user resource. As it stands right now, the password parameter is broken. Doing a sudo puppet resource user results in the following:

users root $ sudo puppet resource user demouser
user { 'demouser':
  ensure  => 'present',
  comment => 'Demo User',
  gid     => '20',
  home    => '/Users/demouser',
  shell   => '/bin/bash',
  uid     => '504',

Accessing the hash in 10.7 requires the following steps:

  • Grabbing the user’s plist file in /var/db/dslocal/nodes/Default/users/username.plist
  • Converting it to XML (since it’s a binary plist)

      plutil -convert xml1 username.plist
  • Inspecting the XML file, getting the data string from the ShadowHashData key, and base64-decoding it

      echo "Data from ShadowHashData Key" | base64 -d > ShadowHashData
  • The file we created in the previous step is ACTUALLY A BINARY PLIST that needs to be converted to XML

      plutil -convert xml1 ShadowHashData
  • In that XML file, there’s a key named SALTED-SHA512. Grab the data string from that key and base64-decode it

      echo "Data from SALTED-SHA512 Key" | base64 -d > hashfile
  • Finally, reveal the hash using the xxd tool (which I presume takes hex and converts to a string? Or vice versa?) and cutting the first portion (which should be the salt)

      xxd -p -c 256 hashfile | cut -c 9-

Because the password was stored as SHA1 in versions 10.4 – 10.6 and SHA512 in 10.7, there doesn’t seem to be a way that we can have a universal password attribute for the user resource (unless we store the password in plaintext, which is not ideal).

Related issues

Duplicated by Puppet - Bug #11580: Mac OS 10.7 Lion @user password: No such file or directo... Duplicate 12/27/2011


#1 Updated by Matthaus Owens almost 4 years ago

  • Status changed from Unreviewed to Accepted

#2 Updated by Gary Larizza almost 4 years ago

  • Branch set to

#3 Updated by Gary Larizza almost 4 years ago

  • Category set to OSX
  • Assignee set to Gary Larizza
  • Target version set to 2.7.x

Pull request at if anyone wants to test it out.

#4 Updated by Anonymous almost 4 years ago

  • Target version changed from 2.7.x to 2.7.10
  • Affected Puppet version set to 2.7.9

#5 Updated by Anonymous almost 4 years ago

  • Status changed from Accepted to Tests Insufficient


Reverted this from 2.7.x to un-break the build.

commit c751e01802d6eb7eea3dbe600bee0784943b0a30
Author: Jeff McCune 
Date:   Thu Jan 5 17:25:25 2012 -0800

    Revert "Access user password hash in OS X 10.7"
    This reverts commit 11b8c5ad3fb99263c8484fecc767b69cd80d3156.
    This needs to be reverted because I missed the use of backticks (``),
    effectively %x{}, in the original pull request and this is causing a big
    problem for the CI tests on non Mac OS X systems that don't have plutil.
    Gary and I are going to re factor the pull request to make the command
    calls easier to mock out on non Mac OS X platforms.  We can't do this
    quickly tonight though.
    Updated information will be in ticket #11293

#6 Updated by Anonymous almost 4 years ago

  • Status changed from Tests Insufficient to Merged - Pending Release

Mereged into 2.7.x

The new pull request with updated tests have been merged into 2.7.x as:

commit 63e31232c192d6d5ad86f2ea829d4605e069ec4e
Merge: 07da208 018f36d
Author: Jeff McCune 
Date:   Fri Jan 6 13:23:27 2012 -0800

    Merge branch 'bug/2.7.x/11293' into 2.7.x
    * bug/2.7.x/11293:
      (#11293) Add password get/set behavior for 10.7

#7 Updated by Anonymous almost 4 years ago

  • Branch changed from to

#8 Updated by Michael Stahnke almost 4 years ago

  • Status changed from Merged - Pending Release to Closed

released in 2.7.10rc1

Also available in: Atom PDF