Generating puppet password hashes


Puppet needs user passwords in configuration files to be encrypted in the format the local system expects. For Linux and most Unix-like systems, that means you have to put the sha1 sum of the password into the configuration file.

There are quite a few ways to generate those password hashes, e.g.

$ openssl passwd -1
  Password: 
  Verifying - Password: 
  $1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/

You can then take the hash string and use it as the password in a Puppet configuration (e.g. http://docs.puppetlabs.com/references/stable/type.html#user):

user { 'root':
  ensure           => 'present',
  password         => '$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/',
}

Be sure to put the password in single quotes if it contains a dollar sign ($) to ensure that Puppet does not interpret those as variables.

Update:

MD5 hashes are not considered secure. In a production environment you most likely want to use a different hash function like SHA-512. To generate a SHA-512 hash, run

$ python -c 'import crypt; print(crypt.crypt("password", "$6$salt"))'
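The two points above (quote the hash in single quotes, prefer SHA-512 over MD5) can be checked mechanically. The following is an added example, not part of the original post: it scans manifest text for password attributes and reports double-quoted hashes, non-SHA-2 schemes and short salts. The sample manifest, the function name audit_manifest and the 8-character salt threshold are assumptions made for this example.

```python
import re

# Constructed sample manifest: the MD5 hash is the one shown in the post,
# the other hash values are made up for illustration.
SAMPLE = r'''
user { 'root':
  ensure   => 'present',
  password => '$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/',
}
user { 'deploy':
  password => "$6$salt$constructedhashvalue",
}
user { 'backup':
  password => '$6$Zq8rT1uVw3Xy5AbC$constructedhashvalue',
}
'''

# crypt(3) scheme ids this example knows, and whether it accepts them.
SCHEMES = {'1': ('md5-crypt', False), '5': ('sha256-crypt', True),
           '6': ('sha512-crypt', True)}
PASSWORD_RE = re.compile(r'''^\s*password\s*=>\s*(['"])(.*?)\1\s*,?\s*$''')

def audit_manifest(text):
    """Return (line_no, issue) tuples for password attributes in a manifest."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = PASSWORD_RE.match(line)
        if not m:
            continue
        quote, value = m.groups()
        if quote == '"' and '$' in value:
            findings.append((no, 'double-quoted: Puppet interpolates $'))
        parts = value.split('$')
        if len(parts) < 4 or parts[0] != '':
            findings.append((no, 'not a $id$salt$hash crypt string'))
            continue
        name, ok = SCHEMES.get(parts[1], ('unknown scheme', False))
        if not ok:
            findings.append((no, 'weak or unknown scheme: ' + name))
            continue
        # Skip an optional rounds=N field to reach the salt.
        salt = parts[3] if parts[2].startswith('rounds=') else parts[2]
        if len(salt) < 8:  # heuristic threshold chosen for this example
            findings.append((no, 'short salt: %r' % salt))
    return findings

if __name__ == '__main__':
    for no, issue in audit_manifest(SAMPLE):
        print('line %d: %s' % (no, issue))
```
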

5 thoughts on “Generating puppet password hashes”

  1. John

    Thanks a lot, this came in very handy. Couldn’t figure out where to get the hash to setup in the puppet script.

  2. Michiel

    That is default md5 hashes without a salt, right? That does not seem very strong.

  3. Michael Trojanek

    Funny how I blogged about nearly the same topic yesterday (obviously missed your post on my Google search).
    However, it may be worth noting that your Puppet installation may be missing the libshadow-library to modify your /etc/shadow if you cannot get password authentication to work even though it seems you’re doing everything right (did cost me quite some time to figure out).
