
Chef: How to set a user's password from an encrypted data bag


I am using Chef with kitchen (1.5.0) and vagrant (1.8.1) to manage a user consistently with a new server. My user recipe looks like this:

include_recipe "users"

group 'sudo'

password_secret = Chef::EncryptedDataBagItem.load_secret(node['enterprise_sp']['secret_file'])

jays_password = Chef::EncryptedDataBagItem.load('user_secrets','jgodse', password_secret)['password']
shadow_password = `openssl passwd -1 -salt xyz #{jays_password}`.strip

user 'jgodse' do
  action :create
  group 'sudo'
  system true
  shell '/bin/bash'
  home '/home/jgodse'
  manage_home true
  password shadow_password  #added to /etc/shadow when chef runs
end

The unencrypted data bag was where I configured my password in the clear. I then encrypted the data bag with a knife command.

This works, but this seems like a really dirty way around the problem of setting my password. I had to do that because the password directive of the user block only takes the shadow password, and that can only be generated by shelling out to an openssl command.

Is there a cleaner way of getting the shadow password without shelling out to an openssl command which generates the password?


Solution

  • You should not be storing the password at all, just hash it beforehand and put the hash in the data bag in the first place. Also, using encrypted data bags like this is scary-level unsafe, please take some time to familiarize yourself with the threat model of Chef's encryption tools, this ain't it.
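Doing what the answer recommends, as an added example that is not part of the question or answer: hash the password once, locally, with Ruby's String#crypt (which calls the system crypt(3), so no openssl shell-out and no clear-text password in the data bag), store only the resulting `$6$` hash, and verify it before uploading. The item id `jgodse`, the key name `password_hash` and the sample password are constructed values.

```ruby
require 'securerandom'
require 'json'

# Characters crypt(3) accepts in a salt.
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# 16 random salt characters, drawn from a CSPRNG (not a fixed "xyz").
def random_salt(length = 16)
  Array.new(length) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
end

# Produce a SHA-512 crypt hash ("$6$<salt>$<digest>") suitable for the
# `password` property of Chef's user resource. Relies on libc crypt(3)
# supporting the $6$ scheme, as glibc, libxcrypt and musl do on Linux.
def shadow_hash(password, salt = random_salt)
  unless salt.match?(%r{\A[a-zA-Z0-9./]{1,16}\z})
    raise ArgumentError, 'salt must be 1..16 chars from [a-zA-Z0-9./]'
  end
  password.crypt("$6$#{salt}$")
end

# Re-run crypt with the salt embedded in the stored hash and compare, so the
# data bag entry can be checked against the intended password before upload.
def shadow_match?(password, stored_hash)
  scheme, salt = stored_hash.split('$')[1, 2]
  return false unless scheme == '6' && salt
  candidate = password.crypt("$6$#{salt}$")
  candidate.bytesize == stored_hash.bytesize && candidate == stored_hash
end

# The data bag item to store: the hash, never the clear-text password.
# In the recipe this becomes `password item['password_hash']`.
def data_bag_item(id, password)
  { 'id' => id, 'password_hash' => shadow_hash(password) }
end

if $PROGRAM_NAME == __FILE__
  item = data_bag_item('jgodse', 'correct horse battery staple') # constructed sample
  puts JSON.pretty_generate(item)
end
```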