Theresa Arzadon-Labajo

Adding Puppet user with no password

Posted by Theresa Arzadon-Labajo (tarzadon) on Mar 23 2011

I am currently using Puppet 2.6.6.

I needed to create a machine that had only one user on it, which automatically logged in.

Obviously, this would've been much faster if I created the user manually and edited the config files, but this was more of a working example of how puppet could be useful.

  • First, I needed to create my init.pp in my manifests directory. It started off like this:

        user { "visitor":
          comment    => "Unauthenticated Visitor",
          ensure     => "present",
          gid        => "nobody",
          home       => "/var/home/visitor",
          managehome => true,
          shell      => "/bin/bash",
          uid        => 4294967293,
        }

    I created a custom.conf file and put it in my module's files directory:

        # GDM configuration storage
        [daemon]
        AutomaticLoginEnable=true
        AutomaticLogin=visitor
        [security]
        [xdmcp]
        [greeter]
        [chooser]
        [debug]

    I restarted puppet and verified that auto-login worked. After leaving the machine idle for 5+ minutes, I realized that gdm wanted a password to unlock the screen. For some reason, I thought puppet assigned a user a blank password if one wasn't specified.

  • Puppet uses the hash as the value of the password, so I generated the hash using openssl. There are other ways to generate the hash. I just happened to pick this way.

        openssl passwd -1
        Password: *
        Verifying - Password: *
        $1$lU8491Lf$07pmQGDJNZKuRMc/VuRGG/

    The hashed * will tell /etc/shadow that there is no password set. I probably could've also used puppet to edit /etc/shadow and change whatever was there to an *, but this works as well.

    I added this to my user statement:

        password => '$1$lU8491Lf$07pmQGDJNZKuRMc/VuRGG/'

    The single quotes are needed so that puppet doesn't expand the $ signs and treat them as variables.

  • After the screen locked, I thought the blank password would get me back in, but it didn't.
    I could've created a group called nopasswdlogin, edited /etc/pam.d/gnome-screensaver and added:

        auth sufficient pam_succeed_if.so user ingroup nopasswdlogin

    But, I thought it would be easier to just disable screensaver locking.

        # disable lock on screensaver
        exec {"gdm_disable_lockscreen":
          command => "/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -s /apps/gnome-screensaver/lock_enabled -t bool false'",
          path    => "/usr/bin:/bin",
          onlyif  => "/usr/bin/test `/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -g /apps/gnome-screensaver/lock_enabled'` != 'false'"
        }

    There is also this setting, which I'm not sure if it's needed or not.

        # disallows the user to lock the screen.
        exec {"gdm_lockdown_lockscreen":
          command => "/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -s /desktop/gnome/lockdown/disable_lock_screen -t bool true'",
          path    => "/usr/bin:/bin",
          onlyif  => "/usr/bin/test `/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -g /desktop/gnome/lockdown/disable_lock_screen'` != 'true'"
        }

    I restarted puppet and now the machine doesn't lock when the screensaver is activated.
  • But, now there is also the Lock Screen on the Menu and on the Panel. This also has to be disabled.

        # disable lock screen
        exec {"gdm_disable_lock":
          command => "/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -s /apps/panel/global/disable_lock_screen -t bool true'",
          path    => "/usr/bin:/bin",
          onlyif  => "/usr/bin/test `/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -g /apps/panel/global/disable_lock_screen'` != 'true'"
        }

    After restarting puppet, I verified that I can no longer Lock the Screen by clicking on the menu or on the Lock icon on the Panel.

    However, it would be better for the user not to be able to see the Lock Screen in the menu at all:

        # prevents the user from accessing the "Lock Screen" panel button and menu entries.
        exec {"gdm_disable_lockmenu":
          command => "/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -s /apps/panel/global/disable_lock_screen -t bool true'",
          path    => "/usr/bin:/bin",
          onlyif  => "/usr/bin/test `/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -g /apps/panel/global/disable_lock_screen'` != 'true'"
        }
  • Now, I need to make sure the user doesn't negate all my efforts by changing the settings, so I enabled lockdown.

        # lock down changes
        # if enabled, prevents the users from modifying the panel altogether (though this may not apply to the individual applets in the panel).
        # Enabling/disabling this key requires a restart of the panel.
        exec {"gdm_lock_down_visitor":
          command => "/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -s /apps/panel/global/locked_down -t bool true'",
          path    => "/usr/bin",
          onlyif  => "/usr/bin/test `/bin/su visitor -s /bin/bash -c '/usr/bin/gconftool-2 -g /apps/panel/global/locked_down'` != 'true'"
        }

        exec {"gdm_lock_down":
          command => "/bin/su gdm -s /bin/bash -c '/usr/bin/gconftool-2 -s /apps/panel/global/locked_down -t bool true'",
          path    => "/usr/bin",
          onlyif  => "/usr/bin/test `/bin/su gdm -s /bin/bash -c '/usr/bin/gconftool-2 -g /apps/panel/global/locked_down'` != 'true'"
        }

    I'm not sure if I need to set locked_down for both gdm and visitor.
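
The password step above stores an MD5-crypt hash in /etc/shadow, which is a different field value from a literal `*` or an empty field; that is consistent with the blank password being rejected at the lock screen. The following sketch is an added example, not part of the original post: it classifies shadow(5) password fields so the three cases can be told apart. The function names and every sample entry except the visitor hash are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow(5) entries.

# Print a label for one password field.
classify_shadow_field() {
    case "$1" in
        '')          echo "EMPTY" ;;        # no password needed, if PAM allows nulls
        '!'*|'*'*)   echo "LOCKED" ;;       # not a crypt(3) result: nothing matches
        '$1$'*)      echo "HASH_MD5" ;;     # MD5-crypt, what `openssl passwd -1` emits
        '$5$'*)      echo "HASH_SHA256" ;;
        '$6$'*)      echo "HASH_SHA512" ;;
        *)           echo "OTHER" ;;
    esac
}

# Read shadow-format lines on stdin, print "user:LABEL" per account.
audit_shadow() {
    while IFS=: read -r user field rest; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s:%s\n' "$user" "$(classify_shadow_field "$field")"
    done
}

# Constructed sample entries; only the visitor hash is taken from the post.
sample_shadow() {
    cat <<'EOF'
visitor:$1$lU8491Lf$07pmQGDJNZKuRMc/VuRGG/:15056:0:99999:7:::
daemon:*:15056:0:99999:7:::
locked:!$6$constructedsalt$constructedhash:15056:0:99999:7:::
guest::15056:0:99999:7:::
EOF
}

sample_shadow | audit_shadow
```

On a live system the same check is `audit_shadow < /etc/shadow` run as root; an EMPTY result only permits a password-less unlock where pam_unix is configured with `nullok`.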

Last changed: Feb 27 2020 at 4:11 PM
