-
-
Save UtahDave/3785738 to your computer and use it in GitHub Desktop.
| Here is a sample of how I am currently dealing with users. | |
| Big thanks to uggedal! I used his user states as an example: https://github.com/uggedal/states | |
| ### | |
| # How to create password hashes | |
| ### | |
| python -c "import crypt; print crypt.crypt('password', '\$6\$SALTsalt\$')" | |
| ### | |
| # top.sls in pillars | |
| ### | |
| base: | |
| '*': | |
| - groups | |
| - users | |
| ### | |
| # users.sls | |
| ### | |
| users: | |
| user1: | |
| fullname: Robert Hernandez | |
| uid: 5000 | |
| gid: 5000 | |
| shell: /bin/bash | |
| home: /home/user1 | |
| groups: | |
| - wheel | |
| - admin | |
| password: $6$SALTsalt$UiZikbV3VeeBPsg8./Q5DAfq9aj7CVZMDU6ffBiBLgUEpxv7LMXKbcZ9JSZnYDrZQftdG319XkbLVMvWcF/Vr/ | |
| enforce_password: True | |
| key.pub: True | |
| user2: | |
| fullname: Joe Smith | |
| uid: 5031 | |
| gid: 5031 | |
| shell: /bin/bash | |
| home: /home/user2 | |
| password: $6$SALTsalt$UiZikbV3VeeBPsg8./Q5DAfq9aj7CVZMDU6ffBiBLgUEpxv7LMXKbcZ9JSZnYDrZQftdG319XkbLVMvWcF/Vr/ | |
| groups: | |
| - admin | |
| key.pub: True | |
| ### | |
| # groups.sls | |
| ### | |
| groups: | |
| admin: | |
| gid: 6010 | |
| ### | |
| # top.sls in states | |
| ### | |
| base: | |
| "*": | |
| - groups | |
| - users | |
| ### | |
| # groups.sls | |
| ### | |
| {% for group, args in pillar['groups'].iteritems() %} | |
| {{ group }}: | |
| group.present: | |
| - name: {{ group }} | |
| {% if 'gid' in args %} | |
| - gid: {{ args['gid'] }} | |
| {% endif %} | |
| {% endfor %} | |
| ### | |
| # users.sls | |
| ### | |
| {% for user, args in pillar['users'].iteritems() %} | |
| {{ user }}: | |
| group.present: | |
| - gid: {{ args['gid'] }} | |
| user.present: | |
| - home: {{ args['home'] }} | |
| - shell: {{ args['shell'] }} | |
| - uid: {{ args['uid'] }} | |
| - gid: {{ args['gid'] }} | |
| {% if 'password' in args %} | |
| - password: {{ args['password'] }} | |
| {% if 'enforce_password' in args %} | |
| - enforce_password: {{ args['enforce_password'] }} | |
| {% endif %} | |
| {% endif %} | |
| - fullname: {{ args['fullname'] }} | |
| {% if 'groups' in args %} | |
| - groups: {{ args['groups'] }} | |
| {% endif %} | |
| - require: | |
| - group: {{ user }} | |
| {% if 'key.pub' in args and args['key.pub'] == True %} | |
| {{ user }}_key.pub: | |
| ssh_auth: | |
| - present | |
| - user: {{ user }} | |
| - source: salt://users/{{ user }}/keys/key.pub | |
| {% endif %} | |
| {% endfor %} |
Is there a way to create just a user and make his primary group to be an already existing group? I've been hacking away on this for the past few hours but can't seem to get it done. The state creates a group with a name based on the username.
EDIT: I seem to have figured that out:
{% for user, args in pillar['users'].iteritems() %}
{{ user }}:
user.present:
- home: {{ args['home'] }}
- shell: {{ args['shell'] }}
- uid: {{ args['uid'] }}
- gid: {{ args['gid'] }}
{% if 'password' in args %}
- password: {{ args['password'] }}
{% if 'enforce_password' in args %}
- enforce_password: {{ args['enforce_password'] }}
{% endif %}
{% endif %}
- fullname: {{ args['fullname'] }}
{% if 'groups' in args %}
- groups: {{ args['groups'] }}
{% endif %}
{% if 'key.pub' in args and args['key.pub'] == True %}
{{ user }}_key.pub:
ssh_auth:
- present
- user: {{ user }}
- source: salt://users/{{ user }}/keys/key.pub
{% endif %}
{% endfor %}
Very informative example, Thank you.
I am facing some issues, I am working on multiple CM tools and all worked fine for me in Puppet and Chef. Recently doing POC on salt and stuck at password level. Though all worked fine but I am unable to use the password for login (infact /etc/shadow is also empty at password field). Could someone have a look:
[root@salt users]# cat /srv/salt/top.sls
base:
'':
- users
[root@salt users]# cat /srv/salt/users/init.sls
{% for user, args in pillar.get('users', {}).items() %}
{{user}}:
user.present:
- uid: {{ args['uid'] }}
{% if 'shell' in args %}
- shell: {{ args['shell'] }}
{% if 'passwd' in args %}
- passwd: {{ args['passwd'] }}
{% endif %}
{% endif %}
{% endfor %}
[root@salt users]# cat /srv/pillar/top.sls
base:
'':
- users
[root@salt users]# cat /srv/pillar/users/init.sls
users:
test10:
uid: 3333
shell: /sbin/nologin
test11:
uid: 3334
passwd: '$6$somesalt!$3UQn7wIuHJUkfawfTqftXADbm88MhnV/hYIcDStmcVTEzWyO4ovUe9bYcpL1Nl5ae1wagxAJEqfTMyf1dsMGA1'
test12:
uid: 3335
[root@salt users]#
PS: I tried with multiple password options, nothing worked for me.
Regards,
Yogesh Raheja
@yogeshraheja I think you want password, not passwd.
Also be aware that there is hash_password, which is false by default. hash_password: False means that password is already hashed, but hash_password: True means that password is stored in plaintext and must be hashed by the underlying module.
@utahdav Thanks for this sharing, It really saved my day :)
Commenting because this is one of top results on Google for 'saltstack generate password hash'. Note that the one-liner above is for Python >= 3.3 and will generate a salted hash using SHA512.
According to the documentation, Python's crypt() is an interface to OS's crypt() function. Also:
If
saltis not specified or isNone, the strongestavailable method will be selected and a salt generated. Otherwise,
saltmay be one of thecrypt.METHOD_*values, or a string asreturned by
crypt.mksalt().So, simply executing
python3.4 -c "import crypt; print(crypt.crypt('password'))"
will generate a salted hash of 'password', using the strongest method available to the current OS. Which beats the script that is restricted to Linux only (why? there are others that work just fine), provided Python >= 3.3 is available. The script works on Python < 3.3 though.