0

Puppet not changing user password

asked 2017-02-24 09:34:41 -0600


updated 2017-02-24 15:52:37 -0600

When I commission a new Raspberry Pi, I want Puppet to change the password from the default. However, I do NOT want the password changed subsequently (update: attempted clarification. I want Puppet to change the password at commissioning time. After that, the user may change it, but Puppet must not change it back. And different machines have different rules). I am therefore trying to create an external fact that is tested, with the code being executed only if the fact is false. I also have a hiera file for each machine that indicates whether this should be done in the first place.

My code (with salt & hashed password changed):

class pi_user::password {
  if hiera('pi_password_wanted') {
    unless $facts['pi_password_done'] {
      $host = $facts['hostname']
      # notice() is evaluated while the master compiles the catalog, so these
      # three messages appear in the master's syslog whether or not User['pi']
      # is later applied on the agent.
      notice("Adding pi password for ${host}")
      file { '/etc/facter/facts.d/pi_password_done.txt':
        ensure  => 'present',
        content => "pi_password_done=true\n",
      }
      notice("Added password done file for ${host}")
      user { 'pi':
        ensure   => present,
        password => '$6$salt$hash',
      }
      notice("Set password for ${host}")
    }
  }
}

Running this on the Pi gives:

root@pi245:/home/dr# rm /etc/facter/facts.d/pi_password_done.txt
root@pi245:/home/dr# puppet agent -t
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Info: Caching catalog for pi245.lan.davies.systems
Info: Applying configuration version '1487948379'
Notice: /Stage[main]/Pi_user::Password/File[/etc/facter/facts.d/pi_password_done.txt]/ensure: defined content as '{md5}3e0303548baed7b48b699777a3825360'
Notice: Applied catalog in 4.76 seconds

And /var/log/syslog on the master contains:

Feb 24 14:59:39 puppet puppet-master[31892]: (Scope(Class[Pi_user::Password])) Adding pi password for pi245
Feb 24 14:59:39 puppet puppet-master[31892]: (Scope(Class[Pi_user::Password])) Added password done file for pi245
Feb 24 14:59:39 puppet puppet-master[31892]: (Scope(Class[Pi_user::Password])) Set password for pi245

The external fact file is created, but the password is not changed. /etc/shadow's timestamp does not change. I thought I had this working on 4.8.1, but the most recent download is 4.8.2. I get the same symptoms with both versions of Puppet master.

What should I look at, please?

TIA & regards,

John Davies


3 Answers

1

answered 2017-02-24 13:22:07 -0600


updated 2017-02-27 06:22:15 -0600

If you run

 user { 'pi':
   ensure   => present,
   password => 'whatever',
   uid      => somenumber,
   gid      => somenumber,
 }

This will only run once, unless the password is no longer 'whatever'. You don't need to do all the extra heavy lifting.

Edit: I understand what you are saying now. Pi has a default password, and you want Puppet to make it a different default password. You also want users to be able to change the password but have Puppet not override it.

I would do this: 1. Create a custom fact called $has_default_pwd that runs on the Pi and checks the password: if it is the factory default password, set the fact to true; if it is not the default password, set it to false. Now create your manifest:

if ( $has_default_pwd ) {
  user { 'pi':
    ensure   => present,
    password => $new_default_pwd,
    uid      => somenumber,
    gid      => somenumber,
  }
}

Since the user already exists with the factory default password you don't need an else statement.

This will run if the password does not equal the factory default password; for any other password it will not run.


Comments

My heavy lifting is intended to ensure that the password is changed to my default from the download default only. If any later change has been made, I don't want to override it & put it back to my default. Perhaps I'm missing something, but I don't see how your code avoids that. Regards,

Davies (2017-02-24 13:57:44 -0600)

1. Pi is provisioned. 2. Puppet code above runs on Pi. 3. Password is changed from default to the custom fact you specified. 4. Puppet runs again, nothing happens to the password. After the initial change, puppet will not do anything to the password unless the password does not match the fact.

puser (2017-02-27 06:14:02 -0600)
0

answered 2017-02-24 16:13:17 -0600

Well, you can only achieve a one-time behavior using a resource that provides an onlyif parameter, like exec:

class password_reset {
  # hash of 'admin', the password the image was distributed with
  $_distributed_passwd_hash = @(EOT)
    $6$3VUy4L4B3QHBVVF$0IaE5rnXMXebcHrqj.fPSt3ZKj.GQGu5jxOCmvrce4TS2MloqWRLCuJP.uTZRwxvmhoAKgwKw7aZZ2xCcLGrk0
    |-EOT

  # Whole-line, fixed-string match (-xF): '.' and '$' inside the hash must not
  # be treated as regex metacharacters.
  $_onlyif = @("EOT"/L)
    /usr/bin/getent shadow root | \
      /usr/bin/cut -d':' -f2 | \
      /bin/grep -xF '${_distributed_passwd_hash}'
    |-EOT

  # hash of 'toor', the replacement password
  $_root_passwd_hash = @(EOT)
    $6$rYjY/Dad1L$uZyEvFaRxhZPuTsW54368lDd.aX/MLCDas0R/BWaewASUNvig2ZWPb/CnylvzBHbok7XPCz2/yjtjTP4kf6hr.
    |-EOT

  exec { 'unset_distributed_default_password':
    command  => "/bin/echo 'root:${_root_passwd_hash}' | /usr/sbin/chpasswd -e",
    provider => 'shell', # because of the pipe
    onlyif   => $_onlyif,
  }
}

From this point it shouldn't be far to include consideration of your hiera data.

However, I doubt that's the way you'd like to use Puppet. I (try to) keep my Puppet code free of any one-time resources. Puppet is a system configuration tool, not a system set-up tool. Have you considered directly patching the RasPi image you're using? Maybe there's some pre-seeding done?

[disclaimer: I have not tested this]

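Both answers above hinge on the same test: is the account still carrying the hash the image shipped with? Answer 1 wants it as a fact, answer 2 as an exec onlyif. Below is an added example (mine, not code from either answerer, the questioner or Puppet) that writes that test as plain POSIX shell functions so it can be exercised on a constructed /etc/shadow excerpt rather than the live file. It assumes the 'admin' hash quoted in answer 2 as a stand-in for the real factory hash, and the function and fact names (has_default_password, has_default_pwd, reset_default_password) are my own. It compares the whole hash as a fixed string rather than as a regex, and it treats locked ('!', '*') or missing accounts as "not default" so a reset guarded by it never touches them.

```shell
#!/bin/sh
# Added example, not code from the original question or either answer.
# "Is this account still on the distributed default password?" as shell
# functions: the same test serves as an external fact (answer 1) and as the
# onlyif guard of a password-reset exec (answer 2).
#
# ASSUMPTION: DEFAULT_HASH is the 'admin' hash quoted in answer 2, standing in
# for whatever hash the Raspbian image really ships in /etc/shadow.
DEFAULT_HASH='$6$3VUy4L4B3QHBVVF$0IaE5rnXMXebcHrqj.fPSt3ZKj.GQGu5jxOCmvrce4TS2MloqWRLCuJP.uTZRwxvmhoAKgwKw7aZZ2xCcLGrk0'

# Constructed /etc/shadow excerpt (sample data, not from a real machine):
# 'pi' still has the default hash, 'dr' has changed theirs (the 'toor' hash
# from answer 2), 'root' and 'svc' are locked.
SAMPLE_SHADOW=$(printf '%s\n' \
    'root:*:17000:0:99999:7:::' \
    "pi:${DEFAULT_HASH}:17000:0:99999:7:::" \
    'dr:$6$rYjY/Dad1L$uZyEvFaRxhZPuTsW54368lDd.aX/MLCDas0R/BWaewASUNvig2ZWPb/CnylvzBHbok7XPCz2/yjtjTP4kf6hr.:17000:0:99999:7:::' \
    'svc:!:17000:0:99999:7:::')

# shadow_hash USER SHADOW_TEXT
# Prints the second (hash) field of USER's shadow line; exit 1 if absent.
shadow_hash() {
    printf '%s\n' "$2" |
        awk -F: -v user="$1" '$1 == user { print $2; found = 1 } END { exit found ? 0 : 1 }'
}

# has_default_password USER SHADOW_TEXT
# Exit 0 only when USER's hash is byte-for-byte DEFAULT_HASH. This is a
# fixed-string equality, not a regex match: '.' and '$' inside a crypt hash
# would otherwise be metacharacters. Locked ('!', '*') or unknown accounts
# are "not default", so a reset guarded by this never touches them.
has_default_password() {
    hash=$(shadow_hash "$1" "$2") || return 1
    [ "$hash" = "$DEFAULT_HASH" ]
}

# password_fact USER SHADOW_TEXT
# The key=value line an external fact script must print (assumed fact name
# has_default_pwd, matching answer 1's manifest).
password_fact() {
    if has_default_password "$1" "$2"; then
        printf 'has_default_pwd=true\n'
    else
        printf 'has_default_pwd=false\n'
    fi
}

# reset_default_password USER NEW_HASH SHADOW_TEXT
# What the exec's command would do, guarded by the same test: only an account
# still on the default hash gets NEW_HASH pushed through chpasswd -e. The
# chpasswd call needs root and is only reached when APPLY=1, so the function
# is harmless in this offline demonstration.
reset_default_password() {
    if ! has_default_password "$1" "$3"; then
        printf 'skip: %s is not on the default password\n' "$1"
        return 0
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s:%s\n' "$1" "$2" | /usr/sbin/chpasswd -e
    else
        printf 'would run: chpasswd -e for %s\n' "$1"
    fi
}

# Offline demonstration on the constructed excerpt. On a real Pi (as root)
# the shadow argument would be "$(getent shadow pi)".
password_fact pi "$SAMPLE_SHADOW"                           # has_default_pwd=true
password_fact dr "$SAMPLE_SHADOW"                           # has_default_pwd=false
reset_default_password pi 'NEW_HASH_HERE' "$SAMPLE_SHADOW"  # would run: chpasswd -e for pi
reset_default_password dr 'NEW_HASH_HERE' "$SAMPLE_SHADOW"  # skip: dr is not on the default password
```

On a Pi the live input is `getent shadow pi`, readable only as root, which is what puppet agent runs as. Dropped into /etc/facter/facts.d/ with a main that prints `password_fact pi "$(getent shadow pi)"`, the script becomes the external fact answer 1 describes; `has_default_password` is the guard answer 2's exec wants. If the image's first-boot scripts re-salt the password, a fixed-hash comparison will never match, and the check has to recompute crypt with the stored salt instead (for example `openssl passwd -6 -salt <salt> <password>` on OpenSSL 1.1.1 or later). Two things worth checking before revisiting the original manifest, neither diagnosed on this page: `notice()` is evaluated while the master compiles the catalog, so the three syslog lines say nothing about whether User['pi'] was applied on the agent; and, as far as I know, Puppet's `useradd` provider only manages the `password` attribute when the ruby-shadow library is installed (Debian package `ruby-shadow`), logging at debug level that the provider does not support `manages_passwords` when it is missing, so `puppet agent -t --debug` is the place to look.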
0

answered 2017-02-24 20:30:22 -0600


I've done something similar in the past with sandbox instances where we need to give a default password that has to be changed on first login.

I do it with an exec that sets the initial password and has refreshonly set to true. This way, it is executed on the initial run, but not subsequent runs, since we don't have any resources that notify it.
