
How do I determine the password attribute value for the Chef “user” resource?

I'm trying to create a user account using Chef 11, and am not sure how to calculate the password attribute's value. I've read the User Resource documentation http://docs.opscode.com/resource_user.html , specifically the section "Password Shadow Hash", and am still unsure what exactly to do.

This user is being created on an Ubuntu system, so do I use the openssl example they provided and pass the output of that command as the password attribute value?

openssl passwd -1 "theplaintextpassword"

Each time I run the command, however, the output is different. It also supports various options (-crypt, -1, -apr1), so which one do I use?

I've been looking at the unix passwd command help, which says it encrypts the value but doesn't indicate which method it uses. Help for shadow and crypt isn't shedding any light either.

For this example, data bags are overkill: I have a value I want to use for this account, and simply want to specify it using the password attribute.

Here's the user resource section:

user 'mytestuser' do
  comment "Test User"
  home "/home/mytestuser"
  shell "/bin/bash"
  supports :manage_home => true

  password "what goes here?"

  action :create
end

Update:

I've determined that the string you specify for the password attribute gets written directly into the user's /etc/shadow entry. I guess the remaining issue is determining what that file expects the value to be, and how it relates to configuring the user's password.

The key was seeing that the password attribute value is written directly to the /etc/shadow file. It was then a matter of reading the man pages for shadow and crypt and finally understanding (hopefully) how things fit together. See The Gory Details below, if you're interested in some background.

If you're ok with an MD5 hash of the password, use the openssl command to generate the encrypted string. The version I'm using doesn't appear to support SHA algorithms. Use openssl passwd --help to see which options are available to you.

openssl passwd -1 -salt "yoursaltphrase"
Password: <enter the password>
$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/

Now use that string in the recipe's password attribute:

user 'mytestuser' do
  comment "Test User"
  home "/home/mytestuser"
  shell "/bin/bash"
  supports :manage_home => true

  password '$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/'

  action :create
end

As for me, I ended up creating the test user manually, and then copied its encryption string from /etc/shadow as the password attribute value for the recipe.

From /etc/shadow, the second field after mytestuser: is the encrypted password.

   mytestuser:THIS_IS_THE_FIELD_YOU_WANT:16063:0:99999:7:::

See man shadow and man crypt.

The Gory Details

Piecing things together from man pages and various user forums, here's what I've learned. Note that the term encrypted here actually means hashed, as I don't believe that passwords can actually be decrypted.

The passwd command encrypts the user's plain-text password and writes it to /etc/shadow.

/etc/shadow entries contain the user name and the encrypted password in one of various formats. The man page for "crypt" describes these formats, see its NOTES section.

The encrypted value has the format:

$id$salt$encrypted

Think of it as having two parts: a salt and the actual encrypted password.

The salt portion consists of two pieces:

  1. An optional id prefix, which identifies the encryption algorithm used and has "$" as a prefix and suffix, eg "$id$".
  2. The salt value, which can be up to 16 characters and is terminated with a "$", eg "saltvalue$". This value is used to calculate the encrypted password. It is a random string, and is different every time a password is generated.

The id can be one of the following, indicating the encryption algorithm used:

blank = DES  (the default when no $id$ prefix is found)
1     = MD5
2a    = Blowfish
5     = SHA-256
6     = SHA-512

The encrypted password length is fixed based on the encryption algorithm:

DES      =  8 characters
MD5      = 22 characters
SHA-256  = 43 characters
SHA-512  = 86 characters
Blowfish = ???

You can use the openssl passwd command to generate various password hashes. It supports the options:

-crypt             DES-based standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
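As an added example, not part of the question or answer above, this Ruby script parses a `$id$salt$encrypted` value the way the answer describes it, generates one for the user resource's `password` attribute through the system crypt(3) (via Ruby's String#crypt rather than openssl, which also gives SHA-512 where the answer's openssl build only offered MD5), and checks a plaintext against a stored value. The function names `parse_shadow_hash`, `shadow_hash` and `verify_password` are chosen here, and the plaintext 'correct horse' is a constructed sample.

```ruby
require 'securerandom'

# $id$ prefixes from crypt(3) and the fixed hash lengths the answer lists.
# $2a$ (Blowfish) carries an extra cost field and is left out here.
CRYPT_IDS = {
  '1' => ['MD5',     22],
  '5' => ['SHA-256', 43],
  '6' => ['SHA-512', 86],
}.freeze

# Split a shadow password field into $id$salt$digest and sanity-check it.
# Values without a $id$ prefix are legacy DES and are rejected outright.
def parse_shadow_hash(field)
  raise ArgumentError, 'legacy DES hash, refusing' unless field.start_with?('$')
  _, id, salt, digest = field.split('$', 4)
  algo, expected = CRYPT_IDS.fetch(id) { raise ArgumentError, "unknown id #{id}" }
  raise ArgumentError, 'salt longer than 16 chars' if salt.nil? || salt.length > 16
  raise ArgumentError, "#{algo} hash must be #{expected} chars" unless digest&.length == expected
  { id: id, algorithm: algo, salt: salt, hash: digest }
end

# Build a value for the user resource's `password` attribute with the system
# crypt(3) via String#crypt. Defaults to SHA-512 ($6$), which glibc supports
# even though the answer's openssl build could not produce it. A random
# 16-character salt is drawn unless one is supplied (MD5 keeps only 8 of them).
def shadow_hash(plaintext, id: '6', salt: SecureRandom.alphanumeric(16))
  result = plaintext.crypt("$#{id}$#{salt}$")
  raise "crypt(3) here does not support $#{id}$" unless result.start_with?("$#{id}$")
  result
end

# Re-hash with the stored id and salt and compare, the same check login performs.
def verify_password(plaintext, stored)
  parts = parse_shadow_hash(stored)
  plaintext.crypt("$#{parts[:id]}$#{parts[:salt]}$") == stored
end

if __FILE__ == $0
  p parse_shadow_hash('$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/') # the answer's example value
  hashed = shadow_hash('correct horse')                        # constructed plaintext
  puts "  password '#{hashed}'"                                # paste into the user resource
  p verify_password('correct horse', hashed)                   # => true
end
```

Running it on the same Linux host Chef manages matters, since String#crypt uses that host's crypt(3) and the ids it supports.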
