(11293) Set/get passwords from OS X 10.7 #306

Merged
jeffmccune merged 1 commit into puppetlabs:2.7.x from glarizza:bug/2.7.x/11293_users_osx
Jan 6, 2012
glarizza commented Jan 5, 2012

OS X version 10.7 implemented a new methodology for storing passwords. Every user now has a plist file in /var/db/dslocal/nodes/Default/users/.plist. This binary plist has a key called 'ShadowHashData' whose value is a binary plist. This nested binary plist in turn has a key called 'SALTED-SHA512' that contains a salted-SHA512 password hash stored in a base64 encoded string. To get/set the password, we need to access this string.

This series of commits implements the methodology for accessing and setting this salted-SHA512 password hash, and also implements spec tests to ensure that functionality isn't broken with future commits.

Contributor

I think we need to take the situation where "10.10" is not less than "10.7" into account. I suspect there's already a version compare method somewhere in the code base, or if not it may be worth it to copy the logic of lib/puppet/parser/functions/versioncmp.rb into Puppet::Util.

% irb
1.8.7 :004 > "10.10" < "10.7"
=> true

@jeffmccune
Contributor

This looks great. I think it's ready to go once we handle the 10.10 case.

Gary, I'm happy to merge this without a proper versioncmp() since this is so far off in the future. Take it from me though, people will be bugging you about this code for years to come... =)

Author

glarizza commented Jan 5, 2012

I tested Puppet::Util::Package.versioncmp() out in IRB and it works as we need it. Updated the code and pushed a commit. Check it out and let me know!

@jeffmccune
Contributor

Could you squash them before we merge them in?

A first attempt at accessing the user's password hash in 10.7 by
inspecting the user's plist in
/var/db/dslocal/nodes/Default/users/test.plist. This method requires
saving a binary plist to /tmp/username.plist in order to use plutil
-convert xml1 to convert it to xml (as Plist::parse_xml can only read
XML plists).

Use Puppet::Util::Package.versioncmp()

Because we're comparing OS X versions that are ultimately strings,
we need a method to catch the scenario where '10.10' < '10.7'.
Puppet::Util::Package.versioncmp() does this well, so we will use
it in favor of simple string comparison.
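
The string-comparison pitfall raised in the review and addressed by the second commit, shown as an added example that is not code from this pull request or from Puppet. The helper names (`version_segments`, `version_cmp`, `shadow_hash_data_era?`, `compare_gates`) are hypothetical, and treating missing trailing segments as 0 is an assumption of this sketch, not a statement about how Puppet::Util::Package.versioncmp() behaves.

```ruby
# Added example: segment-wise version comparison (hypothetical helper names).

# Split "10.7.2" into [10, 7, 2]; reject anything that is not dotted digits,
# so a malformed version string fails loudly instead of picking a code path.
def version_segments(version)
  str = version.to_s.strip
  unless str.match?(/\A\d+(\.\d+)*\z/)
    raise ArgumentError, "unparseable version: #{version.inspect}"
  end
  str.split('.').map { |seg| Integer(seg, 10) }
end

# Returns -1, 0 or 1. Missing trailing segments count as 0 (assumption of
# this example), so "10.7" and "10.7.0" compare equal.
def version_cmp(a, b)
  left  = version_segments(a)
  right = version_segments(b)
  width = [left.length, right.length].max
  left  += [0] * (width - left.length)
  right += [0] * (width - right.length)
  left <=> right
end

# Hypothetical gate: 10.7 and later keep the hash in ShadowHashData.
def shadow_hash_data_era?(os_version)
  version_cmp(os_version, '10.7') >= 0
end

# For each version, put the naive string test next to the numeric gate so
# the disagreement on two-digit minor versions is visible.
def compare_gates(versions)
  versions.map do |v|
    { version: v,
      string_says_pre_10_7: v < '10.7',
      gate_says_10_7_plus: shadow_hash_data_era?(v) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  compare_gates(%w[10.6.8 10.7 10.7.2 10.10 10.10.5]).each { |row| puts row.inspect }
end
```

For `10.10` and `10.10.5` the string test and the numeric gate disagree, which is the case where a provider gated on string comparison would choose the pre-10.7 password handling on a newer system.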
jeffmccune pushed a commit that referenced this pull request Jan 6, 2012
(11293) Set/get passwords from OS X 10.7
jeffmccune merged commit f79bd37 into puppetlabs:2.7.x Jan 6, 2012
hlindberg pushed a commit to hlindberg/puppet that referenced this pull request Oct 16, 2014
Add 3.5 links on the front-page and old reference
melissa pushed a commit to melissa/puppet that referenced this pull request Mar 30, 2018
(PCP-235) Bring in the remainder of Ethan's acceptance improvements