3

I'm using the user cookbook, which is working fine for all other user accounts.

I'm able to populate the root user's authorized_keys file with the keys listed in the data bag; however, the password is remaining unset.

Here are the contents of my data bag (data_bags/users/root.json) for the root user:

{
  "id": "root",
  "uid": 0,
  "home": "/root",
  "home_dir_mode": "0700",
  "password": "shadowpasswordhash",
  "ssh_keys": [
    "ssh-rsa averylongkey"    
  ],
  "ssh_keygen": false
}
tommarshall

2 Answers

1

It could be a bug in that cookbook.

I'd use the "official" community cookbook (http://community.opscode.com/cookbooks/users) maintained by Seth Vargo rather than that one.

For the record, I successfully use the standard user resource to manage the root user password. Given the sensitivity, it might be better to handle the root account separately from other user accounts.


For example, you can use the built-in user resource to set the root password like this:

  password_hash = ...

  user "Setting root password" do
    username 'root'
    password password_hash
    action :modify
  end

Setting an SSH key entails making sure that the /root/.ssh/ directory exists, and has the correct permissions, and then creating /root/.ssh/authorized_keys containing the public key and with the correct permissions. Something like this:

  public_key = ...

  directory "/root/.ssh" do
    owner "root"
    mode 0700
  end

  file "/root/.ssh/authorized_keys" do
    owner "root"
    mode "600"
    content public_key
  end
Stephen C
  • Thanks for the advice, I'll take a look at the `users` cookbook for sure. Would you possibly be able to edit your answer to give an example of how the `user` **resource** can be used to set the root user's password and key? – tommarshall Jul 18 '14 at 08:21
0

In order to set the shadow passwords of users, you need to have the ruby-shadow gem available to Chef (which is not installed by default). This is documented on the default user resource of which the linked cookbook is merely a wrapper.

In order to install the gem, just add this to a recipe which is included in the runlist before you set up the users:

chef_gem "ruby-shadow"
Holger Just
  • I don't think this is the issue as the user cookbook (which no doubt uses the user resource) is able to set the shadow passwords for all other users, it's just root that is proving resistant. – tommarshall Jul 17 '14 at 14:23
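A pre-upload check for a users data bag item laid out like the one in the question, added here as an example and not taken from any post above or from the cookbook. The names `lint_user_item`, `SCHEMES` and `SAMPLE_ITEM`, the severity labels and the rating of each hash scheme are assumptions of this sketch; it only checks that `password` has the crypt(3) `$id$salt$hash` shape that a shadow entry uses, that a uid 0 account is flagged for separate review, and that no private key has been pasted into `ssh_keys`.

```ruby
require 'json'

# Constructed sample item, same layout as the question's data bag.
# The password value is the question's literal placeholder text.
SAMPLE_ITEM = <<~ITEM
  {
    "id": "root",
    "uid": 0,
    "home": "/root",
    "password": "shadowpasswordhash",
    "ssh_keys": ["ssh-rsa averylongkey"]
  }
ITEM

# crypt(3) scheme ids and how this check rates them (assumed policy).
SCHEMES = { '1' => :weak, '5' => :ok, '6' => :ok,
            '2a' => :ok, '2b' => :ok, '2y' => :ok, 'y' => :ok }.freeze

# Returns an array of [severity, message] pairs for one data bag item.
def lint_user_item(json_text)
  item = JSON.parse(json_text)
  findings = []
  pw = item['password'].to_s
  if pw.empty?
    findings << [:info, 'no password value in this item']
  else
    parts = pw.split('$', -1) # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    if parts.length < 4 || !parts[0].empty? || parts.last.empty?
      findings << [:error, 'password is not a crypt(3) $id$salt$hash string']
    else
      case SCHEMES[parts[1]]
      when :weak then findings << [:error, "weak hash scheme id #{parts[1].inspect}"]
      when nil   then findings << [:warn, "unrecognised hash scheme id #{parts[1].inspect}"]
      end
    end
  end
  if item['uid'].to_s == '0'
    findings << [:warn, 'uid 0 account; review separately from regular users']
  end
  Array(item['ssh_keys']).each_with_index do |key, i|
    next unless key.to_s.include?('PRIVATE KEY')
    findings << [:error, "ssh_keys[#{i}] holds private key material"]
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  lint_user_item(SAMPLE_ITEM).each { |sev, msg| puts "#{sev}: #{msg}" }
end
```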