Puppet: Set the User's Password
A few months ago, I published a post about using Puppet to manage infrastructure. As my company grows, I’m finding it more important to ensure that all of my servers are managed in a sane manner. To me, this includes ensuring that if one of my servers ever goes down, or the data center it’s in gets smashed by a meteor, I could theoretically be back up and running just by migrating to another data center.
At the end of that first post, I had created a couple of Linodes and installed Puppet on them. I had also created a user and group on the slave node. But…I couldn’t log in to the slave node as the user I’d created, because it didn’t have a password!
Since I’m going to be updating my user today, I’ll include my original user definition below.
user { "mike":
  ensure     => present,
  gid        => 'mike',
  groups     => [ 'sudo', 'users' ],
  shell      => '/usr/bin/fish',
  home       => '/home/mike',
  managehome => true,
}
Set the Password
It turns out that setting the password for a Puppet user isn’t that hard.
First, use openssl to create the hashed/salted password on a command line:
[root@puppetslave ~]$ openssl passwd -1
Password: <enter password here>
Verifying - Password: <enter the same password here>
$1$qH8newGR$4nApEG7NQHqLHYNLIEZlx0
Then take the output (the last line) and stick it in the site.pp file on the master node. Thus, my user definition on my puppetmaster now looks like this:
user { "mike":
  ensure     => present,
  gid        => 'mike',
  groups     => [ 'sudo', 'users' ],
  shell      => '/usr/bin/fish',
  home       => '/home/mike',
  managehome => true,
  password   => '$1$qH8newGR$4nApEG7NQHqLHYNLIEZlx0',
}
Note: since the hashed and salted password value contains $ symbols, it’s important to enclose the value in single quotes, not double quotes. If you use double quotes, the Ruby system underlying Puppet will attempt to interpolate the things following the dollar signs as variables…And your user’s password won’t work.
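A check for the quoting pitfall above, extended to also report the hash scheme of each password value, as an added example that is not part of the original post. The names `audit_manifest`, `Finding` and `SAMPLE_MANIFEST` are hypothetical, the `alice` and `bob` resources are constructed, and the scheme labels follow the crypt(3) `$id$` prefix convention, under which the `$1$` produced by `openssl passwd -1` denotes MD5-crypt.

```ruby
# Added example: audit `password =>` attributes in Puppet manifest text.
# crypt(3) "$id$" prefixes: 1 = MD5-crypt, 5 = SHA-256-crypt, 6 = SHA-512-crypt,
# 2a/2b/2y = bcrypt, y = yescrypt.
WEAK_IDS   = { '1' => 'MD5-crypt' }.freeze
STRONG_IDS = %w[5 6 2a 2b 2y y].freeze

Finding = Struct.new(:line, :issue, :detail)
PASSWORD_ATTR = /^\s*password\s*=>\s*(['"])(.*)\1\s*,?\s*$/

def audit_manifest(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    next unless (m = PASSWORD_ATTR.match(raw))
    quote = m[1]
    value = m[2]
    # Inside double quotes the $... parts are interpolated, so the hash changes.
    if quote == '"' && value.include?('$')
      findings << Finding.new(lineno, :interpolated, 'use single quotes around the hash')
    end
    id = value[/\A\$([0-9a-z]+)\$/, 1]
    if id.nil?
      findings << Finding.new(lineno, :no_scheme, 'no crypt id prefix: legacy DES crypt or a plaintext value')
    elsif WEAK_IDS.key?(id)
      findings << Finding.new(lineno, :weak_scheme, "crypt id #{id} (#{WEAK_IDS[id]}) is too weak for new hashes")
    elsif !STRONG_IDS.include?(id)
      findings << Finding.new(lineno, :unknown_scheme, "unrecognised crypt id #{id}")
    end
  end
  findings
end

# Constructed sample manifest. The first hash is the one shown in the post;
# the last value is a placeholder, not a real hash.
SAMPLE_MANIFEST = <<~'PP'
  user { 'mike':
    ensure   => present,
    password => '$1$qH8newGR$4nApEG7NQHqLHYNLIEZlx0',
  }
  user { 'alice':
    ensure   => present,
    password => "$1$qH8newGR$4nApEG7NQHqLHYNLIEZlx0",
  }
  user { 'bob':
    ensure   => present,
    password => '$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHPLACEHOLDER',
  }
PP

audit_manifest(SAMPLE_MANIFEST).each { |f| puts "line #{f.line}: #{f.issue} - #{f.detail}" }
```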
In order to update the user definition on the slave, run the puppet agent manually (because I turned off auto-updating last time):
[root@puppetslave ~]$ puppet agent --test
Info: Retrieving plugin
Info: Caching catalog for puppetslave.mavelo.us
Info: Applying configuration version '1433418208'
Notice: /Stage[main]/Main/Node[default]/User[mike]/password: changed password
Notice: Finished catalog run in 0.23 seconds
I can now log in to my puppetslave’s mike user using the password I entered on the openssl command line above:
mvitale@mavelous ~/W/M/P/blog (master)> ssh mike@puppetslave.mavelo.us
mike@puppetslave.mavelo.us's password:
Welcome to Ubuntu 14.04.2 LTS (GNU/Linux 4.0.4-x86_64-linode57 x86_64)
* Documentation: https://help.ubuntu.com/
63 packages can be updated.
24 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
mike@puppetslave ~>
(Note: for those of you following along at home, last time I installed tcsh as my shell. In the interim, I’ve changed that so that I’m now using fish as my shell, which matches what I use on my Mac laptop. However, as you can see, it’s not configured very well yet.)
Darn It
I had wanted to include setting up SSH keys in this post, but I’m out of time for this morning. Gotta run to work. I’ll follow up soon (sooner than last time, I promise!) with how I accomplished that feat.