Puppet needs user passwords in configuration files to be encrypted in the format the local system expects. For Linux and most Unix-like systems, that means you have to put the sha1 sum of the password into the configuration file.
There are quite a few ways to generate those password hashes, e.g.
$ openssl passwd -1
Password:
Verifying - Password:
$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/
You can then take the hash string and use it as password in a puppet configuration (e.g. http://docs.puppetlabs.com/references/stable/type.html#user)
user { 'root':
  ensure   => 'present',
  password => '$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/',
}
Be sure to put the password in single quotes if it contains a dollar sign ($) to ensure that Puppet does not interpret those as variables.
Update:
MD5 hashes are not considered secure. In a production environment you most likely want to use a different hash function like SHA-512. To generate a SHA-512 hash, run
$ python -c 'import crypt; print(crypt.crypt("password", "$6$salt"))'
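A lint for the two pitfalls above (a double-quoted hash and an MD5 hash), as an added example that is not part of the original post. The function name `audit_manifest`, the scheme allow-list and the sample manifest are assumptions; the SHA-512 value is a constructed placeholder, not a real hash.

```python
import re

# crypt(3) scheme ids -> (name, acceptable for new hashes); assumed allow-list.
SCHEMES = {"1": ("MD5", False), "5": ("SHA-256", True), "6": ("SHA-512", True)}
# Matches: password => '<value>' or password => "<value>"
PASSWORD_ATTR = re.compile(r"""\bpassword\s*=>\s*(['"])(.*?)\1""")
# Modular crypt format: $id$[rounds=N$]salt$hash
CRYPT_HASH = re.compile(r"^\$(\w+)\$(?:rounds=\d+\$)?([^$]*)\$([./0-9A-Za-z]+)$")

# Constructed sample: the MD5 hash is the one from the post; the SHA-512 value
# is a placeholder with the right shape, not a real hash.
PLACEHOLDER_SHA512 = "$6$examplesalt$" + "x" * 86
SAMPLE = """user { 'root':
  ensure   => 'present',
  password => '$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/',
}
user { 'deploy':
  password => "HASH6",
}
user { 'app':
  password => 'HASH6',
}
""".replace("HASH6", PLACEHOLDER_SHA512)


def audit_manifest(text):
    """Return (line_number, finding) pairs for password attributes in a manifest."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for quote, value in PASSWORD_ATTR.findall(line):
            if quote == '"' and "$" in value:
                findings.append((lineno, "double-quoted: Puppet will interpolate $"))
            m = CRYPT_HASH.match(value)
            if not m:
                findings.append((lineno, "not a crypt(3) hash"))
                continue
            name, ok = SCHEMES.get(m.group(1), ("unknown", False))
            if not ok:
                findings.append((lineno, "scheme not on allow-list: " + name))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit_manifest(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```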
Thanks a lot, this came in very handy. Couldn’t figure out where to get the hash to set up in the puppet script.
That is default MD5 hashes without a salt, right? That does not seem very strong.
@Michiel
You’re right, it’s MD5, which is not considered secure (the hash is salted though).
Funny how I blogged about nearly the same topic yesterday (obviously missed your post on my Google search).
However, it may be worth noting that your Puppet installation may be missing the libshadow-library to modify your /etc/shadow if you cannot get password authentication to work even though it seems you’re doing everything right (did cost me quite some time to figure out).
@Michael Trojanek
That might save a few people quite some time. Thanks for the comment!