lib_local_user_management.cf

# Get the latest version of this library: https://raw.github.com/nickanderson/nickanderson-cfengine-library/master/lib_local_user_management.cf
# General Usage Guidelines
# all of the bundels in this library adhear to the same variable declaration
# format so as to be easily used together.
# 
# Note on password hashes:
# this perl oneliner should generate valid hashed passwords, replace MYPASSWORD
# with your password. Be sure your system supports whatever encryption method
# you choose.
# 
#  For sha512: perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..85)); print crypt("MYPASSWORD", q[$6$] . $salt) . "\n";'
#  For sha256: perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..42)); print crypt("MYPASSWORD", q[$5$] . $salt) . "\n";'
#  For md5:    perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..21)); print crypt("MYPASSWORD", q[$1$] . $salt) . "\n";'
# 
#   vars:
#       "users[testuser][gecos]"          string => "My Test User";
#       "users[testuser][uid]"            string => "1500";
#       "users[testuser][gid]"            string => "1500";
#       "users[testuser][home]"           string => "/home/cmdln/tmp/testuserhome";
#       "users[testuser][shell]"          string => "/sbin/nologin";
#       "users[testuser][passwdhash]"     string => "testhash";


bundle agent local_users_enforce_password (users) {
# This bundle enforces a specific hashed password to be set in /etc/shadow
# When the password is changed it also updates the 3rd filed (day last changed)
# Generate Hash: echo "mypassword" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'
# Usage:
# vars:
#     users[root][passwdhash] string => "$1$EJrfeceC$9y4pFgc6x8p1Fcnfy1rus.";
# methods:
#     "any" usebundle => local_users_enforce_password('currentbundlename.users');
#
    vars:
        linux::
            "pwfile"        string  => "/etc/shadow";
            "usersindex"    slist   => getindices("$(users)");
            "days_since_epoch"
                string => execresult("/usr/bin/perl -le 'print int time/(60*60*24)'", "noshell"),
                comment => "Used for password aging, only needed if the users password is updated, otherwise dont waste time forking a process",
                ifvarclass => "set_$(usersindex)_password";


    files:
        linux::
            "$(pwfile)"
                comment     => "Ensure password is set as expected",
                edit_line   => set_user_field("$(usersindex)","2","$($(this.users)[$(this.usersindex)][passwdhash])"),
                classes     => if_repaired("set_$(usersindex)_password");

            "$(pwfile)"
                comment     => "Update date of last password change with todays date expressed in days since epoch if the password is updated",
                edit_line   => set_user_field("$(usersindex)","3","$(days_since_epoch)"),
                ifvarclass  => "set_$(usersindex)_password";

    reports:
        linux.verbose_mode::
            "$(usersindex) passwordhash in $(this.pwfile) set",
                ifvarclass => "set_$(usersindex)_password";
}