Just the other day in the #salt IRC channel we helped a user recover a system account by resetting the password using Salts remote execution system. He had accidentally locked himself out of the system and was looking for a way to regain access. Luckily, resetting a system account password with Salt is simple. This short article will demonstrate resetting a password using Salts remote execution system.
Salts remote execution system includes a shadow module for managing the /etc/shadow file (the file where password hashes are stored). Being able to remotely manipulate this file means you can centrally manage account access and passwords. First, an overview of the capabilities of the shadow module:
sudo salt '*' sys.doc shadow shadow.info: Return information for the specified user CLI Example:: salt '*' shadow.info root shadow.set_date: sets the value for the date the password was last changed to the epoch (January 1, 1970). See man chage. CLI Example:: salt '*' shadow.set_date username 0 shadow.set_inactdays: Set the number of days of inactivity after a password has expired before the account is locked. See man chage. CLI Example:: salt '*' shadow.set_inactdays username 7 shadow.set_maxdays: Set the maximum number of days during which a password is valid. See man chage. CLI Example:: salt '*' shadow.set_maxdays username 90 shadow.set_mindays: Set the minimum number of days between password changes. See man chage. CLI Example:: salt '*' shadow.set_mindays username 7 shadow.set_password: Set the password for a named user. The password must be a properly defined hash, the password hash can be generated with this command: ``python -c "import crypt, getpass, pwd; print crypt.crypt('password', '\$6\$SALTsalt\$')"`` Keep in mind that the $6 represents a sha512 hash, if your OS is using a different hashing algorithm this needs to be changed accordingly CLI Example:: salt '*' shadow.set_password root $1$UYCIxa628.9qXjpQCjM4a.. shadow.set_warndays: Set the number of days of warning before a password change is required. See man chage. CLI Example:: salt '*' shadow.set_warndays username 7
If you read through the above examples, you may have noticed the shadow.set_password option. This allows you to apply a password hash to a specified account, resetting the account password.
As you can see in the example above, to reset an account password simply target the minion(s) and use the shadow.set_password command:
sudo salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..'
The shadow module is a very powerful interface to managing system account access. You can manage passwords as well managing account expiration settings. If you ever find a system account locked out of a minion, the shadow module is a great way to reset account access.