How do I determine the password attribute value for the Chef "user" resource?

Question

I'm trying to create a user account using Chef 11, and am not sure how to calculate the password attribute's value. I've read the User Resource documentation http://docs.opscode.com/resource_user.html, specifically the section "Password Shadow Hash", and am still unsure what exactly to do.

This user is being created on an Ubuntu system, so do I use the openssl example they provided and pass the output of that command as the password attribute value?

openssl passwd -1 "theplaintextpassword"

Each time I run the command, however, the output is different. It also supports various options (-crypt, -1, -apr1), so which one do I use?

I've been looking at the unix passwd command help, which says it encrypts the value but doesn't indicate which method it uses. Help for shadow and crypt aren't shedding any light either.

For this example, data bags are overkill, I have a value I want to use for this account, and simply want to specify it using the password attribute.

Here is the user resource section:

user 'mytestuser' do
  comment "Test User"
  home "/home/mytestuser"
  shell "/bin/bash"
  supports :manage_home => true

  password "what goes here?"

  action :create
end

Update:

I've determined that the string you specify for the password attribute gets written directly into the user's /etc/shadow entry. I guess the remaining issue is determining what that file expects the value to be, and how it relates to configuring the user's password.

Recommended answer

The key was seeing that the password attribute value is written directly to the /etc/shadow file. It was then a matter of reading the man pages for shadow and crypt and finally understanding (hopefully) how things fit together. See The Gory Details below, if you're interested in some background.

If you're ok with an MD5 hash of the password, use the openssl command to generate the encrypted string. The version I'm using doesn't appear to support SHA algorithms. Use openssl passwd --help to see which options are available to you.

openssl passwd -1 -salt "yoursaltphrase"
Password: <enter the password>
$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/

Now use that string in the recipe's password attribute:

user 'mytestuser' do
  comment "Test User"
  home "/home/mytestuser"
  shell "/bin/bash"
  supports :manage_home => true

  password '$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/'

  action :create
end

As for me, I ended up creating the test user manually, and then copied its encryption string from /etc/shadow as the password attribute value for the recipe.

From /etc/shadow, the second field after mytestuser: is the encrypted password.

   mytestuser:THIS_IS_THE_FIELD_YOU_WANT:16063:0:99999:7:::

See man shadow and man crypt.

The Gory Details

Piecing things together from man pages and various user forums, here's what I've learned. Note that the term encrypted here actually means hashed, as I don't believe that passwords can actually be decrypted.

The passwd command encrypts the user's plain-text password and writes it to /etc/shadow.

/etc/shadow entries contain the user name and the encrypted password in one of various formats. The man page for "crypt" describes these formats, see its NOTES section.

The encrypted value is formatted as:

$id$salt$encrypted

Think of it as having two parts: a salt and the actual encrypted password.

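The salt portion consists of two parts:

  1. An optional id prefix that identifies the encryption algorithm used, prefixed and suffixed by "$", e.g. "$id$".
  2. The salt value, which can be up to 16 characters and is terminated by "$", e.g. "saltvalue$". This value is used to calculate the encrypted password. It is a random string and is different each time a password is generated.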

The id can be one of the following, indicating the encryption algorithm used:

blank = DES  (the default when no $id$ prefix is found)
1     = MD5
2a    = Blowfish
5     = SHA-256
6     = SHA-512

The encrypted password length is fixed based on the encryption algorithm:

DES      =  8 characters
MD5      = 22 characters
SHA-256  = 43 characters
SHA-512  = 86 characters
Blowfish = ???

You can use the openssl passwd command to generate various password hashes. It supports the options:

-crypt             DES-based standard Unix password algorithm (default)
-1                 MD5-based password algorithm
-apr1              MD5-based password algorithm, Apache variant
-salt string       use provided salt
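
The following Ruby code is an added example, not part of the original answer. It parses the password field of /etc/shadow lines using the `$id$salt$encrypted` layout, id table and hash lengths listed above. The function name, the status symbols, the handling of an optional `rounds=N` element, and the choice to flag DES and MD5 entries as weak are assumptions of this example.

```ruby
# Added example: classify the password field of /etc/shadow entries.
# The id -> algorithm map and hash lengths are the ones listed in the answer;
# marking MD5 (and DES) as weak is this example's own classification.
ALGORITHMS = {
  '1'  => { name: 'MD5',      hash_len: 22,  weak: true  },
  '2a' => { name: 'Blowfish', hash_len: nil, weak: false }, # length not checked
  '5'  => { name: 'SHA-256',  hash_len: 43,  weak: false },
  '6'  => { name: 'SHA-512',  hash_len: 86,  weak: false }
}.freeze

# Returns { user:, algorithm:, status: } for one line (name:password:lastchg:...).
def audit_shadow_line(line)
  user, field = line.strip.split(':', 3)
  result = { user: user, algorithm: nil, status: :ok }
  # Empty field = no password; a leading '!' or '*' = locked / no usable hash.
  return result.merge(status: :no_password) if field.nil? || field.empty?
  return result.merge(status: :locked) if field.start_with?('!', '*')
  # No $id$ prefix means the traditional DES format.
  return result.merge(algorithm: 'DES', status: :weak) unless field.start_with?('$')

  _, id, *rest = field.split('$', -1)
  algo = ALGORITHMS[id]
  return result.merge(status: :unknown_id) if algo.nil?
  # SHA-crypt entries may carry an optional "rounds=N" element before the salt.
  rest.shift if rest.first.to_s.start_with?('rounds=')
  salt, hashed = rest
  result[:algorithm] = algo[:name]
  if algo[:hash_len] &&
     (hashed.nil? || hashed.length != algo[:hash_len] || salt.to_s.length > 16)
    result[:status] = :malformed
  elsif algo[:weak]
    result[:status] = :weak
  end
  result
end

# Constructed sample lines; the MD5 entry reuses the hash shown in the answer.
SAMPLE = [
  'mytestuser:$1$yoursalt$fIque2U6AZ.YRAqOu5Eyo/:16063:0:99999:7:::',
  'svc:$6$rounds=5000$constructedsalt$' + ('A' * 86) + ':16063:0:99999:7:::',
  'olduser:abJnggxhB/yWI:16063:0:99999:7:::',
  'daemon:*:16063:0:99999:7:::'
].freeze

SAMPLE.each { |l| puts audit_shadow_line(l) } if __FILE__ == $PROGRAM_NAME
```

Run against a copy of /etc/shadow, entries reported as `:weak` are candidates for re-hashing with a `$6$` (SHA-512) value before the string is placed in a recipe's password attribute.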
