Salt: Documentation suggests use of md5 password

Created on 26 Jul 2018  ·  6 Comments  ·  Source: saltstack/salt

Description of Issue/Question

The latest salt documentation for user states [0] suggests indirectly to use md5 for password hashes. In the section "password" it states that openssl passwd -1 can be used to create a hash, however, checking the man pages for openssl password revealed that this uses md5 to hash the password.

This is confusing because the salt-minion/salt-master agents explicitly mention not to use md5 (with reason!):
Jul 26 08:21:03 server1117 salt-minion[6702]: [WARNING ] IMPORTANT: Do not use md5 hashing algorithm! Please set "hash_type" to SHA256 in Salt Minion config!

Fix

Suggest to use sha256 to hash password in the documentation. I can confirm that it is possible to use sha-256 hashes that can be generated using mkpasswd -m sha-256 <password>. Note that mkpasswd can be installed with the whois package.

Versions Report

Salt Version:
           Salt: 2015.8.8

Dependency Versions:
         Jinja2: 2.8
       M2Crypto: Not Installed
           Mako: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.2.0
         Python: 2.7.12 (default, Dec  4 2017, 14:50:18)
           RAET: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.1.4
           cffi: Not Installed
       cherrypy: 3.5.0
       dateutil: 2.4.2
          gitdb: 0.6.4
      gitpython: 1.0.1
          ioflo: Not Installed
        libgit2: Not Installed
        libnacl: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
         pygit2: Not Installed
   python-gnupg: Not Installed
          smmap: 0.9.0
        timelib: Not Installed

System Versions:
           dist: Ubuntu 16.04 xenial
        machine: x86_64
        release: 4.4.0-96-generic
         system: Ubuntu 16.04 xenial

[0] (https://docs.saltstack.com/en/latest/ref/states/all/salt.states.user.html)

Bug Documentation P3 fixed-pending-your-verification severity-medium

All 6 comments

seems you have a solid grasp of the changes that need to be made, want to submit a PR? also great find :)

@Ch3LL I'll be happy to make the changes and submit a PR in the next couple of days.

Thanks for the encouragement :)

@nodermatt This should be fixed with #49482. How does that look to you now?

@nodermatt ping? Can you confirm you're happy with the changes made by #49482?

@MTecknology @rallytime Pardon my absence!

Note that mkpasswd is not installed by default on some Linux distributions. Some users might see the message after the first command below. Alternatively one can use sha256sum as well to hash a string. But many admins have their preferred sha256 tool so which one you use is not important in my point of view. The important thing was to get rid of the openssl -l command and that's what is done, so => all clear from my end.

$ mkpasswd -m sha-256
The program 'mkpasswd' is currently not installed. You can install it by typing:
sudo apt install whois

echo test | sha256sum
f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 -

Thanks @nodermatt! I'll go ahead and close this then. :)
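
An added example (not part of the thread and not Salt's own code): a small audit that classifies the values of `password:` keys in a state file by their crypt(3) prefix, rejecting `$1$` (MD5-crypt, what `openssl passwd -1` emits) and bare hex digests, and accepting `$5$` and `$6$`. The function names are hypothetical, and the sample state text and its hashes are constructed placeholders.

```python
import re

# crypt(3) modular format: $<id>$[rounds=<n>$]<salt>$<digest>
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<digest>[./A-Za-z0-9]+)$")
# id -> (scheme, expected digest length, acceptable for new passwords)
SCHEMES = {
    "1": ("md5-crypt", 22, False),     # output of `openssl passwd -1`
    "5": ("sha256-crypt", 43, True),   # output of `mkpasswd -m sha-256`
    "6": ("sha512-crypt", 86, True),
}
HEX_DIGEST_RE = re.compile(r"^[0-9a-fA-F]{32,128}$")

# Constructed sample state file; the hashes are placeholders, not real digests.
SAMPLE_SLS = "\n".join([
    "alice:", "  user.present:",
    "    - password: $1$examples$" + "A" * 22,
    "bob:", "  user.present:",
    "    - password: $5$rounds=5000$examplesalt$" + "B" * 43,
    "carol:", "  user.present:",
    "    - password: " + "0" * 64,
])


def classify(value):
    """Return (verdict, detail) for one password field value."""
    value = value.strip().strip("'\"")
    if HEX_DIGEST_RE.match(value):
        # A plain digest (e.g. from sha256sum) has no scheme id and no salt.
        return ("reject", "bare hex digest, not a crypt(3) hash")
    m = CRYPT_RE.match(value)
    if not m or m.group("id") not in SCHEMES:
        return ("review", "unrecognised format")
    name, digest_len, acceptable = SCHEMES[m.group("id")]
    if len(m.group("digest")) != digest_len:
        return ("review", name + " with unexpected digest length")
    return ("ok" if acceptable else "reject", name)


def audit_sls(text):
    """Yield (line_number, verdict, detail) for every `password:` key."""
    for n, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*-?\s*password:\s*(\S+)", line)
        if m:
            yield (n, *classify(m.group(1)))


if __name__ == "__main__":
    for finding in audit_sls(SAMPLE_SLS):
        print(finding)
```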
