ReleaseEngineering/PuppetAgain/Modules/users

From MozillaWiki

This module handles login accounts on the system. It provides several classes that can be included; these are generally included high in the top-level hierarchy.

Classes

All of these classes can be required. However, user creation occurs in the users stage, and that is generally the part that is needed.

users::global

This sets up some global (/etc) defaults for user configuration, e.g. PATH.

users::root

This sets up the root user (or, on Windows, Administrator). This provides the following easy-to-use variables, per bug 776641:

  • $users::root::username
  • $users::root::group
  • $users::root::home

users::builder

Installs the builder user (cltbld for releng, although this can be adjusted in manifests/settings.pp). This provides the following easy-to-use variables, per bug 776641:

  • $users::builder::username
  • $users::builder::group
  • $users::builder::home

This class also sets up the builder user's dotfiles appropriately, including SSH configuration, and performs some basic cleanup.

users::builder::autologin

If included, this class will arrange for the builder user to automatically log in to a GUI session at boot.

Secrets

Each role user has a set of representations of its password, for different uses. The users are "root", "signer", and "builder", and the uses are below. The name of the secret joins the two with an underscore, e.g., "builder_pw_paddedsha1". See ReleaseEngineering/PuppetAgain/Secrets for info on how secrets are managed in PuppetAgain.

*_pw_hash
Linux crypt-style MD5 password hash for the user's password (No Default) (where to find)
*_pw_pbkdf2
Mac OS X 10.8 entropy (PBKDF2 output) for the user's password (No Default) (where to find)
*_pw_pbkdf2_salt
Mac OS X 10.8 salt for the user's password (No Default) (where to find)
*_pw_pbkdf2_iterations
Mac OS X 10.8 iteration count for the user's password (No Default) (where to find)
*_pw_paddedsha1
Mac OS X 10.6 password hash (No Default) (where to find)
*_pw_saltedsha512
Mac OS X 10.7 password hash (No Default) (where to find)

Additionally, the builder user has two versions of its VNC password:

builder_pw_kcpassword_base64
kcpassword-obfuscated cleartext of the builder user's password, for autologin on Darwin (No Default) (where to find)
builder_pw_vnc_base64
base64-encoded version of the password that should appear in ~/.vnc/passwd on Linux

Implementation

Windows

Windows passwords are set in cleartext: *_pw_cleartext.

The VNC password is hashed for UltraVNC, and named builder_pw_vnc_ultravnc.

Linux

Puppet supports user management on Linux with no difficulty, via the user provider. Password hashes are most easily created by running 'passwd' on a temporary host and then copying the hash field of that user's line from /etc/shadow.

The Linux VNC password is set with vncpasswd.

Darwin

On Mac OS X, user management is much more complex, and works differently on different versions.

10.6 (Snow Leopard)

In Snow Leopard, a "paddedsha1" is stored in /var/db/shadow/hash/$GUID, where $GUID is the user's GeneratedUID (not the numeric uid). You can find it with

 sudo defaults read /var/db/dslocal/nodes/Default/users/$username

and looking for the generateduid key. Copy the entire contents of that hash file, including all of the trailing 0's, into the *_pw_paddedsha1 secret.

10.7 (Lion)

Authentication on Lion requires a single salted SHA-512 password hash. You can generate such hashes with setup/lion-password-hash.rb, which prompts for a password and outputs the hash. Stick that into the *_pw_saltedsha512 secret, and you're good to go.
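For reference, here is the layout of that salted SHA-512 value in Python. This is an added example, not the page's or PuppetAgain's own code, and it assumes the documented 10.7 SALTED-SHA512 format (a 4-byte random salt followed by SHA-512(salt || password), hex-encoded); the function names and the verifier are the example's own, and whether setup/lion-password-hash.rb emits byte-for-byte the same string is an assumption.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4     # assumed: Lion's SALTED-SHA512 uses a 4-byte salt
DIGEST_LEN = 64  # SHA-512 output length


def lion_salted_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Return the hex string that would be stored as *_pw_saltedsha512.

    Layout (assumed): salt || SHA-512(salt || password), 68 bytes, hex-encoded.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("Lion salt must be exactly 4 bytes")
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return (salt + digest).hex()


def verify_lion_hash(password: str, stored_hex: str) -> bool:
    """Check a candidate password against a stored *_pw_saltedsha512 value.

    Rejects malformed values instead of raising, and compares in constant time.
    """
    try:
        stored = bytes.fromhex(stored_hex)
    except ValueError:
        return False
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed example password; never paste a real one into a script.
    h = lion_salted_sha512("example-password")
    print(h)
    print(verify_lion_hash("example-password", h))
```

Note that this is a single unsalted-iteration hash: a 4-byte salt only stops precomputed tables, and one SHA-512 per guess is cheap, which is why the 10.8 scheme below moved to PBKDF2.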

10.8 (Mountain Lion)

NOTE: no released version of Puppet supported setting passwords on Mountain Lion when we deployed it. PuppetAgain therefore includes a darwinuser type and a CustomDirectoryService provider for that type, both based on the work of Gary Larizza in #12833. Whatever eventually becomes available in Puppet proper should closely resemble this implementation.

Authentication on Mountain Lion takes place based on three pieces of information: iterations, salt, and password (called 'entropy' by OS X). You can get this information for an existing user with setup/mtnlion-user-info.rb:

 sudo ruby mtnlion-user-info.rb %user%

and then add it to the secrets for your installation.

If you want to retrieve the information for the root account, you may have to enable the root user first.
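To make the relationship between the three 10.8 secrets concrete, here is an added Python example (not PuppetAgain's code, and not what setup/mtnlion-user-info.rb does; that script only reads the values off an existing user). It assumes the SALTED-SHA512-PBKDF2 scheme: entropy = PBKDF2-HMAC-SHA512(password, salt, iterations) with a 128-byte output and a 32-byte salt. The default iteration count and the function names are the example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ENTROPY_LEN = 128  # assumed: 10.8 stores a 128-byte PBKDF2 output ("entropy")
SALT_LEN = 32      # assumed: 10.8 uses a 32-byte random salt


def mtnlion_entropy(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA512 as assumed for the SALTED-SHA512-PBKDF2 ShadowHashData entry."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, ENTROPY_LEN)


def make_mtnlion_secrets(password: str, iterations: int = 30000,
                         salt: Optional[bytes] = None) -> dict:
    """Produce the three *_pw_pbkdf2* values (hex / int) for a fresh password.

    The iteration default is an assumption for illustration; OS X picks its own.
    """
    salt = os.urandom(SALT_LEN) if salt is None else salt
    entropy = mtnlion_entropy(password, salt, iterations)
    return {
        "pbkdf2": entropy.hex(),
        "pbkdf2_salt": salt.hex(),
        "pbkdf2_iterations": iterations,
    }


def verify_mtnlion(password: str, secrets: dict) -> bool:
    """Check a candidate password against stored (entropy, salt, iterations).

    Malformed or missing secrets fail closed rather than raising.
    """
    try:
        salt = bytes.fromhex(secrets["pbkdf2_salt"])
        stored = bytes.fromhex(secrets["pbkdf2"])
        iterations = int(secrets["pbkdf2_iterations"])
    except (KeyError, ValueError, TypeError):
        return False
    if len(stored) != ENTROPY_LEN or iterations < 1:
        return False
    return hmac.compare_digest(mtnlion_entropy(password, salt, iterations), stored)


if __name__ == "__main__":
    # Constructed example; a real deployment copies these values from the host.
    s = make_mtnlion_secrets("example-password")
    print(s["pbkdf2_iterations"], s["pbkdf2_salt"], s["pbkdf2"][:32] + "...")
    print(verify_mtnlion("example-password", s))
```

The point of keeping all three values together in secrets is that none is useful alone: the entropy only verifies with the exact salt and iteration count it was derived under, and changing any one of them on the host silently locks the account.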

10.9 (Mavericks)

Seems to be the same as Mountain Lion, but see http://projects.puppetlabs.com/issues/22107

Automatic Login

Automatic login on OS X is controlled in two places:

  • /Library/Preferences/com.apple.loginwindow key autoLoginUser sets the username to be used to log in
  • /etc/kcpassword contains a lightly obfuscated cleartext password for that user.

There's a handy implementation of the obfuscation algorithm at http://www.brock-family.org/gavin/perl/kcpassword.html, but the easier solution is just to set up automatic login through the GUI and then copy the file. Because the obfuscation is reversible, anyone who can read /etc/kcpassword (or the builder_pw_kcpassword_base64 secret) has the builder password in cleartext; treat both exactly as you would the cleartext password.

Note that kcpassword is binary data. It is given base64-encoded in secrets.csv (hence the secret name builder_pw_kcpassword_base64). The easiest way to get its contents is:

talos-mtnlion-r5-082:~ root# base64 < /etc/kcpassword
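To show how little the kcpassword "obfuscation" protects, here is an added Python implementation of the algorithm, including the base64 wrapping used for the secret. It is not the page's or PuppetAgain's code. It assumes the published scheme from the Perl script linked above: the password bytes are XORed with a fixed, repeating 11-byte key, after NUL-padding to a multiple of 12 bytes (the padding rule as written here is an assumption; the decoder simply stops at the first NUL). The function names are the example's own.

```python
import base64

# Fixed 11-byte XOR key used by loginwindow for /etc/kcpassword (as published in
# the brock-family.org Perl script); assumed correct here.
KCPASSWORD_KEY = bytes([0x7D, 0x89, 0x52, 0x23, 0xD2, 0xBC, 0xDD, 0xEA, 0xA3, 0xB9, 0x1F])
BLOCK = 12  # assumed: file is NUL-padded to a multiple of 12 bytes


def kcpassword_encode(password: str) -> bytes:
    """Produce the bytes of /etc/kcpassword for the given cleartext password."""
    raw = password.encode("utf-8")
    # Always append at least one NUL so the decoder has a terminator, even when
    # the password length is already a multiple of BLOCK.
    padded = raw + b"\x00" * (BLOCK - len(raw) % BLOCK)
    return bytes(b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)] for i, b in enumerate(padded))


def kcpassword_decode(blob: bytes) -> str:
    """Recover the cleartext from /etc/kcpassword contents: XOR until the first NUL."""
    out = bytearray()
    for i, b in enumerate(blob):
        p = b ^ KCPASSWORD_KEY[i % len(KCPASSWORD_KEY)]
        if p == 0:
            break
        out.append(p)
    return out.decode("utf-8")


def kcpassword_secret(password: str) -> str:
    """The value that would be stored as builder_pw_kcpassword_base64."""
    return base64.b64encode(kcpassword_encode(password)).decode("ascii")


def secret_to_cleartext(secret_b64: str) -> str:
    """Inverse of kcpassword_secret: anyone holding the secret holds the password."""
    return kcpassword_decode(base64.b64decode(secret_b64))


if __name__ == "__main__":
    # Constructed example password, not a real credential.
    secret = kcpassword_secret("example-password")
    print(secret)
    print(secret_to_cleartext(secret))
```

Running this against a copied /etc/kcpassword (for example, `kcpassword_decode(open("/etc/kcpassword", "rb").read())` as root) gives back the login password directly, which is the practical reason the secret is handled as a cleartext credential rather than as a hash.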