
I am using Chef with kitchen (1.5.0) and vagrant (1.8.1) to manage a user consistently with a new server. My user recipe looks like this:

include_recipe "users"

group 'sudo'

# Read the data bag secret key from the path configured in node attributes.
password_secret = Chef::EncryptedDataBagItem.load_secret(node['enterprise_sp']['secret_file'])

# Decrypt the 'jgodse' item of the 'user_secrets' data bag and take its clear-text password.
jays_password = Chef::EncryptedDataBagItem.load('user_secrets','jgodse', password_secret)['password']
# Shell out to openssl to turn the clear-text password into an MD5-crypt ($1$) shadow hash.
# Note: the password is interpolated into the command line and is visible in the process list.
shadow_password = `openssl passwd -1 -salt xyz #{jays_password}`.strip

user 'jgodse' do
  action :create
  group 'sudo'
  system true
  shell '/bin/bash'
  home '/home/jgodse'
  manage_home true
  password shadow_password  # added to /etc/shadow when chef runs
end

The unencrypted data bag was where I configured my password in the clear. I then encrypted the data bag with a knife command.

This works, but this seems like a really dirty way around the problem of setting my password. I had to do that because the password directive of the user block only takes the shadow password, and that can only be generated by shelling out to an openssl command.

Is there a cleaner way of getting the shadow password without shelling out to an openssl command which generates the password?


2 Answers


You should not be storing the password at all, just hash it beforehand and put the hash in the data bag in the first place. Also using encrypted data bags like this is scary-level unsafe, please take some time to familiarize yourself with the threat model of Chef's encryption tools, this ain't it.

coderanger
  • Disabling SSH password access, and disabling root access, and using SSH keys exclusively is the most secure solution. For those needing a password on the system after SSH-ing in using keys, manually generating and schlepping the password is the most reasonable solution. – Jay Godse Apr 18 '16 at 18:51
  • Also that, the only place passwords would be used anymore is with sudo, but I don't actually recommend that as the security improvements are minimal. – coderanger Apr 18 '16 at 19:06
  • Sudo is exactly why I needed the password in the first place. – Jay Godse Apr 18 '16 at 20:59
  • Just use NOPASSWD. If someone gets access to an SSH key, MitMing a sudo password is embarrassingly easy. So easy I wouldn't bother with it. – coderanger Apr 18 '16 at 22:53

At least pre-calculate the password hash and put that into the data bag.

See https://github.com/chef-cookbooks/users for inspiration.

Roland
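Both answers suggest pre-computing the shadow hash and storing only the hash in the data bag. The following is an added example (not from the question or either answer, and not part of the users cookbook) of doing that in plain Ruby without shelling out to openssl: Ruby's String#crypt calls the platform crypt(3), so a "$6$<salt>$" setting string yields the SHA-512 shadow format that the user resource's password attribute accepts. The function names and the sample password are constructed for the example.

```ruby
require 'securerandom'

# Characters crypt(3) accepts in a salt.
SALT_CHARS = ('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['.', '/']

# Random 16-character salt (the maximum SHA-crypt uses).
def random_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Produce a "$6$<salt>$<hash>" SHA-512 crypt string, i.e. the value that goes
# into /etc/shadow and into the Chef user resource's `password` attribute.
# Nothing is shelled out; String#crypt calls the libc crypt(3) in-process.
def shadow_hash(plaintext, salt = random_salt)
  unless salt =~ %r{\A[./0-9A-Za-z]{1,16}\z}
    raise ArgumentError, 'salt must be 1-16 crypt salt characters'
  end
  hash = plaintext.crypt("$6$#{salt}$")
  # A libc without SHA-crypt silently falls back to weak DES; refuse that.
  raise 'crypt(3) on this platform does not support $6$' unless hash.start_with?("$6$#{salt}$")
  hash
end

# Check a candidate password against a stored hash: crypt(3) takes the stored
# hash as its setting string and reproduces the same output on a match.
# The comparison is constant-time so length/prefix differences do not leak.
def verify_password(candidate, stored_hash)
  recomputed = candidate.crypt(stored_hash)
  return false unless recomputed.bytesize == stored_hash.bytesize
  recomputed.bytes.zip(stored_hash.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample; in practice read the password from a prompt, never a literal.
  hash = shadow_hash('correct horse battery staple')
  puts hash                                      # store this string in the data bag
  puts verify_password('correct horse battery staple', hash)
end
```

The printed string is what the data bag item should carry (for example under a "password_hash" key, a name chosen here), so the recipe passes it straight to the user resource and never sees the clear-text password.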