Merge pull request #47147 from eliasp/2018.3-issue-45939-shadow-hash-salt

states.user.present: Make usage of `hash_password` idempotent
Nicole Thomas 2018-06-30 09:29:27 -04:00 committed by GitHub
commit 9b364e25cf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -445,7 +445,26 @@ def present(name,
# hash_password is True, then hash it.
if password and hash_password:
log.debug('Hashing a clear text password')
password = __salt__['shadow.gen_password'](password)
# in case a password is already set, it will contain a Salt
# which should be re-used to generate the new hash, other-
# wise the Salt will be generated randomly, causing the
# hash to change each time and thereby making the
# user.present state non-idempotent.
algorithms = {
'1': 'md5',
'2a': 'blowfish',
'5': 'sha256',
'6': 'sha512',
}
try:
_, algo, shadow_salt, shadow_hash = __salt__['shadow.info'](name)['passwd'].split('$', 4)
if algo == '1':
log.warning('Using MD5 for hashing passwords is considered insecure!')
log.debug('Re-using existing shadow salt for hashing password using {}'.format(algorithms.get(algo)))
password = __salt__['shadow.gen_password'](password, crypt_salt=shadow_salt, algorithm=algorithms.get(algo))
except ValueError:
log.info('No existing shadow salt found, defaulting to a randomly generated new one')
password = __salt__['shadow.gen_password'](password)
if fullname is not None:
fullname = sdecode(fullname)
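Review bot: The `try` branch always takes both the salt and the scheme from the account's current shadow entry, so a changed password is hashed with the old salt and the old scheme, including `$1$` (MD5) after the warning is logged. `shadow_hash` is unpacked but unused in the visible lines; the existing salt and scheme could instead serve only to test whether the clear text still matches the stored field, with a fresh random salt whenever it does not, as sketched below. The sketch also uses `algorithms[algo]` rather than `algorithms.get(algo)`, so a scheme id missing from the table (for example `2y`) takes the fallback path instead of passing `algorithm=None`; what `shadow.gen_password` does with `None` is not visible here. `present` begins before this hunk and continues after it.

```python
    if password and hash_password:
        # … unchanged: debug log, explanatory comment, algorithms table …
        try:
            current = __salt__['shadow.info'](name)['passwd']
            _, algo, shadow_salt, shadow_hash = current.split('$', 4)
            # … unchanged: MD5 warning and salt re-use debug log …
            candidate = __salt__['shadow.gen_password'](
                password, crypt_salt=shadow_salt, algorithm=algorithms[algo])
        except (ValueError, KeyError):
            # unparsable shadow field, or a scheme id missing from the table
            candidate = None
        if candidate is not None and candidate == current:
            # clear text still matches the stored hash: keep it, no change reported
            password = candidate
        else:
            # password changed or could not be checked: hash with a new random salt
            log.debug('Stored hash does not match or cannot be checked, using a new salt')
            password = __salt__['shadow.gen_password'](password)
```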