
I'm using the knife-vsphere plugin for chef to interact with our vsphere hosts.

As part of the config for the knife-vsphere plugin it seems that you have to enter a plain text password which I think seems wrong.

When I set up the users within my recipe, I've previously run the passwords through openssl passwd -1 "plainTextPassword" to get the hash value, and I set this as I'm creating the user. I'm not sure where this happens, whether it's on the node or in knife.

Does anyone know if you can use the same hash method (or something else) to store my password locally to let me log in to vsphere, or do I have to leave it as plain text?

My current knife.rb file is represented below:

log_level                :info
log_location             STDOUT
node_name                'a-user'
client_key               'C:/Users/user/.chef/a-user.pem'
validation_client_name   'chef-validator'
validation_key           'C:/Users/user/.chef/chef-validator.pem'
chef_server_url          'https://ourChefHost01:443'
syntax_check_cache_path  'C:/Users/user/.chef/syntax_check_cache'
cookbook_path [ 'C:/Work/chef/chef-repo/cookbooks' ]
ssl_verify_mode :verify_peer
knife[:vsphere_host]="VHost"
knife[:vsphere_user]="User"
knife[:vsphere_pass]="IWantThisToBeAHashIfPossiblePlease_ThanksInAdvance!"
knife[:vsphere_dc]="Region_1"
knife[:vsphere_insecure]=false
daark

1 Answer


You cannot hash a password in order to later use that hash to log in, as you cannot retrieve the original value (hashing is a one-way function). The thing you are searching for is encryption.

As the knife.rb is just a ruby file, you can also read the password from an environment variable (that you have to set once after starting the terminal session):

knife[:vsphere_user]="User"
knife[:vsphere_pass]=ENV['VSPHERE_PASS']

This will read the VSPHERE_PASS variable that you should have set with

export VSPHERE_PASS=mypassword

To my knowledge from using Chef, there's no other way to store it encrypted on your machine (I mean... Chef would still have to be able to decrypt it).

StephenKing
  • Perfect! I just felt it was a bad idea to have it lying around in a plain text file, thank you! – daark Dec 22 '14 at 09:43
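
The environment-variable approach from the answer, as an added example that is not part of the original posts and not code from Chef or knife-vsphere: it fails with a clear error when the variable is unset instead of passing nil to the plugin, and checks knife.rb text for a password that is still a quoted literal. The helper names `secret_from_env` and `literal_password_lines` and the sample config are assumptions constructed for illustration.

```ruby
require 'io/console'

# Hypothetical helper: return the secret held in environment variable `name`.
# If it is unset or blank and a terminal is attached, prompt without echo.
def secret_from_env(name, env: ENV, input: $stdin)
  value = env[name].to_s
  return value unless value.strip.empty?

  if input.respond_to?(:tty?) && input.tty?
    value = input.getpass("#{name}: ").to_s
    return value unless value.strip.empty?
  end

  # Stop here rather than let knife attempt a login with an empty password.
  raise ArgumentError, "#{name} is not set; set it in your shell before running knife"
end

# Matches knife[:<key containing "pass">] = "literal" or 'literal'.
LITERAL_PASS = /knife\[:\w*pass\w*\]\s*=\s*["'][^"']+["']/

# Hypothetical check: 1-based line numbers in knife.rb text where a password
# key is still assigned a quoted string literal (comment lines are skipped).
def literal_password_lines(config_text)
  config_text.each_line.with_index(1)
             .select { |line, _| line !~ /^\s*#/ && line =~ LITERAL_PASS }
             .map { |_, number| number }
end

# Constructed sample config: line 2 holds a literal, line 3 reads the environment.
SAMPLE_KNIFE_RB = <<~CONF
  knife[:vsphere_user]="User"
  knife[:vsphere_pass]="placeholder-literal"
  knife[:vsphere_pass]=ENV['VSPHERE_PASS']
CONF

# In knife.rb the helper would replace the literal password:
#   knife[:vsphere_pass] = secret_from_env('VSPHERE_PASS')
```

The variable is still readable by any process running as the same user, so this keeps the password out of the file on disk but does not encrypt it.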