Keep your minions happy with tips from Into The Salt Mine

Reset a system password with SaltStack

Just the other day in the #salt IRC channel we helped a user recover a system account by resetting the password using Salts remote execution system. He had accidentally locked himself out of the system and was looking for a way to regain access. Luckily, resetting a system account password with Salt is simple. This short article will demonstrate resetting a password using Salts remote execution system.

shadow module

Salts remote execution system includes a shadow module for managing the /etc/shadow file (the file where password hashes are stored). Being able to remotely manipulate this file means you can centrally manage account access and passwords. First, an overview of the capabilities of the shadow module:

sudo salt '*' sys.doc shadow

    Return information for the specified user

    CLI Example::

        salt '*' root


    sets the value for the date the password was last changed to the epoch
    (January 1, 1970). See man chage.

    CLI Example::

        salt '*' shadow.set_date username 0


    Set the number of days of inactivity after a password has expired before
    the account is locked. See man chage.

    CLI Example::

        salt '*' shadow.set_inactdays username 7


    Set the maximum number of days during which a password is valid.
    See man chage.

    CLI Example::

        salt '*' shadow.set_maxdays username 90


    Set the minimum number of days between password changes. See man chage.

    CLI Example::

        salt '*' shadow.set_mindays username 7


    Set the password for a named user. The password must be a properly defined
    hash, the password hash can be generated with this command:
    ``python -c "import crypt, getpass, pwd; print crypt.crypt('password', '\$6\$SALTsalt\$')"``
    Keep in mind that the $6 represents a sha512 hash, if your OS is using a
    different hashing algorithm this needs to be changed accordingly

    CLI Example::

        salt '*' shadow.set_password root $1$UYCIxa628.9qXjpQCjM4a..


    Set the number of days of warning before a password change is required.
    See man chage.

    CLI Example::

        salt '*' shadow.set_warndays username 7

If you read through the above examples, you may have noticed the shadow.set_password option. This allows you to apply a password hash to a specified account, resetting the account password.

As you can see in the example above, to reset an account password simply target the minion(s) and use the shadow.set_password command:

sudo salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..'


The shadow module is a very powerful interface to managing system account access. You can manage passwords as well managing account expiration settings. If you ever find a system account locked out of a minion, the shadow module is a great way to reset account access.

comments powered by Disqus