Changing password hashes on FreeBSD with Puppet

February 17, 2011

I finally hacked together a Puppet recipe to update password hashes on FreeBSD!

Let me first say that I want to get native support for this to work like it should. According to this page: FreeBSD is missing something in the shadow libraries. I have added a note to that comment requesting someone add more info, so that we can tackle that problem.

On to the solution..

I have a custom function called 'setupuser' to manage users/groups/homedirs. I inherited this function from a coworker, so I am not sure if it is the best or right way. It did happen to make tackling the problem easy. Here is the custom function:

define setupuser($realname, $username, $password, $uid, $gid, $groups = false, $shell, $homedir) {

        # Per-user primary group, named after the user
        group { "$username":
                ensure => present,
                gid => $gid
        }

        user { "$username":
                require => Group[$username],
                ensure => present,
                password => $password,
                uid => $uid,
                gid => $gid,
                comment => "$realname",
                groups => $groups,
                home => "$homedir",
                shell => "$shell"
        }

        # Home directory, readable only by its owner
        file { "$homedir":
                require => User[$username],
                ensure => directory,
                owner => $username,
                group => $username,
                mode => 0700
        }

        # FreeBSD only: hand the hash to pw(8) on stdin (-H 0),
        # unless /etc/master.passwd already contains it
        case $operatingsystem {
                freebsd: {
                        exec { "$username hash":
                                command => "echo '$password' | pw user mod $username -H 0",
                                unless => "grep -q '$username:$password:' /etc/master.passwd",
                                path => "/bin:/usr/sbin:/usr/bin",
                                require => User[$username],
                        }
                }
        }
}


For reference here is what a call to that function looks like:
(the hash has been modified of course)..

setupuser { "brd":
        realname => "Brad Davis",
        username => brd,
        password => '$1$fffffffffffffffffffffffffffffffffffff',
        uid => 2012,
        gid => 2012,
        groups => $admingroup,
        shell => $defaultshell,
        homedir => "/home/brd"
}
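
The exec in the define above puts the hash on a shell command line (the `echo '$password' | ...` command and the `grep` in `unless`), where it is briefly visible in ps(1) output. The same update with the pipe opened in-process is sketched below as an added example, not code from the original post or from Puppet; the function names and the overridable file path and command are assumptions for illustration.

```ruby
# Added example (not from the original post). PW_CMD mirrors the post's
# `pw user mod <name> -H 0`; function names and the overridable path and
# command are assumptions so the logic can be exercised off a FreeBSD host.
require 'open3'

PW_CMD = ->(user) { ['pw', 'user', 'mod', user, '-H', '0'] }

# Idempotence check (stands in for `unless => "grep ..."`): read the file in
# this process and compare fields, so the hash never lands in grep's argv
# and '$' or '.' in the hash are not interpreted as regex syntax.
def hash_current?(user, hash, passwd_file = '/etc/master.passwd')
  File.foreach(passwd_file) do |line|
    name, current = line.chomp.split(':', 3)
    return current == hash if name == user
  end
  false
end

# Run pw with an argv array (no shell) and write the hash to its stdin.
# Only the user name shows up in ps(1); the hash travels over the pipe.
def set_hash(user, hash, cmd = PW_CMD.call(user))
  # Reject names that pw could parse as an option or that are malformed.
  unless user =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/
    raise ArgumentError, 'invalid user name'
  end
  out, status = Open3.capture2e(*cmd, stdin_data: "#{hash}\n")
  raise "#{cmd.first} failed: #{out.strip}" unless status.success?
  out
end

# Update only when the stored hash differs; returns :changed or :unchanged.
def ensure_hash(user, hash, passwd_file: '/etc/master.passwd',
                cmd: PW_CMD.call(user))
  return :unchanged if hash_current?(user, hash, passwd_file)
  set_hash(user, hash, cmd)
  :changed
end
```

On a FreeBSD host this would be called as `ensure_hash('brd', hash)` from a root-run script, with the hash itself read from a file or data source rather than passed as a command-line argument.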

About brd


5 Responses to “Changing password hashes on FreeBSD with Puppet”
  1. Tim says:

    This will result in the (encrypted, at least) password being visible in the process list briefly. Not ideal?

  2. Uli says:

    Seconded. Please don’t go that way. You need to open the pipe in the process itself and send down the hash to pw(8). Using ‘echo foo|pw …’ will make it show up in ps(1) output amongst others. This is bad …

  3. brd says:

    That is correct. I am not terribly worried about that though. For my environment it was more important to get them under control first. Like I explained I still want to get this done the right way.

  4. brd says:

    Do you have a better idea than the path I am going down? (Opening communication with the Puppet project to see what we are lacking?)

  5. jgh says:

    This is great. I was doing something similar, but found it fell short for updating. Does just changing the password result in an updated password? uid? gid? home directory?

    Great tip!
