
I am having a hard time figuring out how to use chef to run a bash command (passwd)

I know how to set up the bash resource block, but how do I set it up so that it will take the variable password = 'abc123'? The user I want to do it for is adminblah for this example.

bash 'analytics_password' do
  code <<-EOH
    sudo passwd adminblah
  EOH
end

I am not sure how to get the password variable into this.

  • Doing this is unsafe, please really don't do this. Anything that puts a cleartext password in command line options is a possible security problem. – coderanger May 23 '18 at 17:40
  • This is for a service that is local and not internet connected (VLAN with no internet access, 3 people have access to the system and only from certain devices and via ssh). It is for development. Security does not matter in this case unless there is another simple solution that requires little effort to set up / switch to. –  May 23 '18 at 17:53
  • The easier solution would be to pre-generate the hashed password somewhere locally and then use a `user` resource and its `password` property to set that on the user. That removes the cleartext password from Chef entirely. – coderanger May 23 '18 at 17:56
  • @coderanger That is just adding extra work for nothing. What I was given here works (I think). Plus with no security risk it is pointless to care about whether the password is plain text or not when there is a working option. Sometimes best practices aren't needed. It is like me giving you a computer and not putting a password on it because there is nothing installed, no programs, files etc. Then not having it connected to the internet or any network. Same level of risk I have for putting a password in plain text here. –  May 23 '18 at 18:01
  • It's adding work, sure, but do you really want everyone with access to the code repo to have access to every server using this cookbook? – Joe Block May 23 '18 at 23:30
  • @JoeBlock You seem to be misunderstanding this, there are no issues with everyone having access to it all. If there were issues with people having access to this then I would do the work to lock it down, but it doesn't make sense to do that. This is an isolated network, with its own git repo everything is stored in for this testing. No one but the main few will have access to it. If someone else did it would be with us at gun point. So yes, best practice is great and all, but if you have to waste time on it when you don't need to then it is a dumb idea. Plain and simple, waste of time and pointless. –  May 24 '18 at 18:02

2 Answers


There are a couple of ways you could achieve setting the user password. If you want to use the bash resource you could do this:

# Backslashes are escaped because of Ruby: the heredoc turns \\n into \n, which
# echo -e then prints as a newline. `password` is the recipe variable holding the
# cleartext password (e.g. password = 'abc123'), interpolated before bash runs.
bash 'analytics_password' do
  code <<-EOH
    echo -e "#{password}\\n#{password}\\n" | passwd adminblah
  EOH
  sensitive true   # keep the password out of Chef's log output
end

The above echo replicates inputting then confirming the password if you ran this on the command line.

You could also look at using chpasswd instead (if available):

bash 'analytics_password' do
  code <<-EOH
    echo "adminblah:#{password}" | chpasswd
  EOH
  sensitive true
end

In both the above cases the sensitive property hides any potential output of the password in the Chef logs.

The best option would probably be looking at the user resource. This is a bit more complicated as you'll need to create a Password Shadow Hash (examples are provided in the link), but should be considered.

Brandon Miller
  • Thanks, and can you explain why the double `#{password}`? –  May 23 '18 at 16:52
  • This echoes the password, a newline, and the password again, then a newline. This replicates entering the password when prompted, pressing enter, then confirming the password when prompted and pressing enter. It's basically completing the inputs for you. – Brandon Miller May 23 '18 at 17:37
  • Just FYI, since you are playing with a password, those resources should be marked as [sensitive](https://docs.chef.io/resource_common.html#properties). – Szymon May 24 '18 at 04:50
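One thing both `bash` snippets in this answer share is that Chef interpolates `#{password}` into the heredoc before `/bin/sh` ever runs it, so the password is parsed as shell code: a `"`, `$`, backtick or backslash in it breaks the command, and a `$(...)` inside it is executed as root. The following is an added example, not code from the answer or from Chef itself, that contrasts the answer's `echo "adminblah:#{password}" | chpasswd` form with one that quotes the line via `Shellwords.escape`. The password value is constructed for the demo, and `chpasswd` is swapped for `cat` (via the `chpasswd:` keyword, an assumption of this example) so it runs without root and you can see exactly what would have reached `chpasswd` on stdin:

```ruby
require 'shellwords'
require 'open3'

# Naive form, as in the answer: the password lands inside a double-quoted sh
# string, where ", $, ` and \ are all live. Kept only for comparison.
def naive_chpasswd_command(user, password, chpasswd: 'chpasswd')
  %(echo "#{user}:#{password}" | #{chpasswd})
end

# Safe form: Shellwords.escape quotes the entire user:password line for /bin/sh,
# and printf '%s\n' prints its argument unchanged (echo may still interpret
# leading -e/-n or backslashes depending on the shell).
def safe_chpasswd_command(user, password, chpasswd: 'chpasswd')
  "printf '%s\\n' #{Shellwords.escape("#{user}:#{password}")} | #{chpasswd}"
end

# Runs the command under sh and returns what the last pipeline stage read on
# stdin. Pass chpasswd: 'cat' to exercise this without root.
def stdin_seen_by(command)
  out, _status = Open3.capture2('sh', '-c', command)
  out
end

if __FILE__ == $PROGRAM_NAME
  pw = 'pa$(echo injected)ss'   # constructed demo password with a command substitution
  puts "naive: #{stdin_seen_by(naive_chpasswd_command('adminblah', pw, chpasswd: 'cat')).inspect}"
  puts "safe:  #{stdin_seen_by(safe_chpasswd_command('adminblah', pw, chpasswd: 'cat')).inspect}"
end
```

In a recipe you would put `safe_chpasswd_command('adminblah', password)` into the `bash` resource's `code` property and keep `sensitive true` on the resource, which is what the comment above asks for; `chpasswd` still needs Chef to be running as root.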

Somehow I found this annoyingly cumbersome...

Two options which came to my mind:

1. Pass the password to chpasswd, which works as:

CHPASSWD(8)

NAME
       chpasswd - update passwords in batch mode

SYNOPSIS
       chpasswd [options]

DESCRIPTION
       The chpasswd command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users. Each line is of the format:

           user_name:password

So, your chef recipe could look like:

password = 'my-secret-password'

# The password is interpolated by Ruby into the single-quoted sh -c string, so it
# must not itself contain a single quote, a double quote or a $.
bash 'analytics_password' do
  code <<-EOH
    sudo sh -c 'echo "adminblah:#{password}" | chpasswd'
  EOH
  sensitive true   # keep the password out of Chef's log output
end

2. Use user resource

require 'shellwords'

# MD5-crypt ($1$) shadow hash produced by openssl with a fixed salt; the same
# password therefore always yields the same hash. Shellwords.escape stops shell
# metacharacters in the password from being interpreted, and .chomp drops the
# trailing newline. Note the cleartext still appears in openssl's argv while it runs.
hash = `openssl passwd -1 -salt NCC #{Shellwords.escape(password)}`.chomp

user 'a user' do
  username 'adminblah'
  password hash
end

I hope that at least one of these methods will work :)

Best regards, Jarek

Jarek
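Both answers end up pointing at the same place: generate the shadow hash once, locally, and give only the hash to Chef's `user` resource, so the cookbook never carries the cleartext. The following is an added example, not code from either answer or from Chef, that does the hashing in-process with Ruby's `String#crypt` (libc `crypt(3)`) using the SHA-512-crypt `$6$` scheme instead of the `openssl passwd -1` MD5-crypt above, with a random salt from `SecureRandom`. It assumes a libc with `$6$` support (glibc or musl); the function names, the fixed test salt and the demo password are this example's own. The resulting string is what goes into the `user` resource's `password` property, and it is also the `user:hash` line that `chpasswd -e` (encrypted mode) accepts on stdin:

```ruby
require 'securerandom'

# Random salt from the crypt(3) alphabet [A-Za-z0-9./]; alphanumeric is a subset
# of it, and 16 characters is the maximum SHA-512-crypt uses.
def crypt_salt
  SecureRandom.alphanumeric(16)
end

# SHA-512-crypt ($6$) shadow hash computed in-process via String#crypt, which
# calls libc crypt(3). A libc without $6$ support returns something else, which
# we refuse rather than silently store.
def shadow_hash(password, salt: crypt_salt)
  hash = password.crypt("$6$#{salt}$")
  raise "crypt(3) here lacks SHA-512-crypt support" unless hash.start_with?("$6$#{salt}$")
  hash
end

# Verification works the way login does: crypt(3) with the stored hash as the
# setting string reproduces that hash only for the right password.
def shadow_hash_matches?(password, stored_hash)
  password.crypt(stored_hash) == stored_hash
end

# Input line for `chpasswd -e`, which takes user:hash instead of user:cleartext.
def chpasswd_encrypted_line(user, stored_hash)
  "#{user}:#{stored_hash}"
end

# Run this once locally and paste the output into the cookbook; the recipe then
# never sees the cleartext (Chef DSL shown for context only, not executed here):
#
#   user 'adminblah' do
#     password '$6$...'   # output of shadow_hash
#   end
if __FILE__ == $PROGRAM_NAME
  h = shadow_hash('abc123')   # constructed demo password
  puts h
  puts shadow_hash_matches?('abc123', h)
  puts chpasswd_encrypted_line('adminblah', h)
end
```

Because the hash is salted and computed from the password alone, it can live in version control with far less exposure than the cleartext, which is the trade-off coderanger describes in the comments on the question.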