Logical issue with creating users with passwords and updating passwords for users on Linux
moritzheiber opened this issue · comments
Currently, I believe there is a logical issue with the way passwords are treated for users that are created using the user
resource:
The :create
action needs the password
parameter to be in plain text, since it's passed verbatim to useradd
by the run_specinfra
call. However, on subsequent runs, the password
parameter is expected to be the encrypted password, since the code is using the :get_encrypted_password
call for run_specinfra
and the :update_encrypted_password
call to re-set it if they don't match.
Therefore you end up with an unusable states on subsequent runs when the user
resource is being used to set a password with the same data supplied to the run.
My proposition would be either of these two scenarios:
- Accept the
password
parameter for theuser
resource to be plain text only and use appropriate hashing mechanisms to encrypt it on the fly (with proper detection for the algorithm being used). I wouldn't prefer this since it's less secure, and it's also a lot of assumptions and potentially unportable code. - Accept the
password
parameter for theuser
resource to only be a validshadow
hashed entry. There are tons of hash validation libraries out there, with the most common even built-into Ruby itself. This would also be more secure than having to specify a plain text password for a run, and it's also comparable to what Chef does.
It cannot be both, it needs to be a single value, and it should be the secure alternative.