Skip to content

Use usermod(8) on OpenBSD to unbreak password management #294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
klemensn wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Use usermod(8) on OpenBSD to unbreak password management #294

klemensn wants to merge 1 commit into from

Conversation

@klemensn
Copy link

@klemensn klemensn commented Jan 2, 2026

f1e77c2 "(PUP-3634) Hide password hash from process list for useradd"
introduced chpasswd -e which does not exist on OpenBSD, thus user
resources managing password would always fail:

Notice: Compiled catalog for atar in environment production in 0.02 seconds
rror: Could not set password on user[test]: No command chpasswd defined for provider openbsd
Error: /Stage[main]/Main/User[test]/password: change from [redacted] to [redacted] failed: Could not set password on user[test]: No command chpasswd defined for provider openbsd
Notice: Applied catalog in 0.01 seconds

Use https://man.openbsd.org/usermod.8#p instead:

Notice: Compiled catalog for atar in environment production in 0.01 seconds
Notice: /Stage[main]/Main/User[test]/password: changed [redacted] to [redacted]
Notice: Applied catalog in 0.21 seconds

password values now do show up briefly in the process list, but given
they must be encrypted in order to work, this does not seem critical.

@klemensn
Copy link
Author

klemensn commented Jan 2, 2026

This is a cleaner version of what is already committed to OpenBSD's openvox package: https://github.com/openbsd/ports/blob/e3c8d71c07071f2171821b5b2bfb6f1702ce3466/sysutils/ruby-openvox/8/patches/patch-lib_puppet_provider_user_useradd_rb

@bastelfreak bastelfreak added the bug Something isn't working label Jan 2, 2026
@klemensn
Use usermod(8) on OpenBSD to unbreak password management
372aa8f 
f1e77c2 "(PUP-3634) Hide password hash from process list for useradd"
introduced `chpasswd -e` which does not exist on OpenBSD, thus `user`
resources managing `password` would always fail:

```
Notice: Compiled catalog for atar in environment production in 0.02 seconds
rror: Could not set password on user[test]: No command chpasswd defined for provider openbsd
Error: /Stage[main]/Main/User[test]/password: change from [redacted] to [redacted] failed: Could not set password on user[test]: No command chpasswd defined for provider openbsd
Notice: Applied catalog in 0.01 seconds
```

Use https://man.openbsd.org/usermod.8#p instead:

```
Notice: Compiled catalog for atar in environment production in 0.01 seconds
Notice: /Stage[main]/Main/User[test]/password: changed [redacted] to [redacted]
Notice: Applied catalog in 0.21 seconds
```

`password` values now do show up briefly in the process list, but given
they must be encrypted in order to work, this does not seem critical.
@klemensn klemensn force-pushed the user-password-openbsd branch from bf7bb72 to 372aa8f Compare January 2, 2026 16:06
@klemensn
Copy link
Author

klemensn commented Jan 5, 2026

Linters are happy, tests used in CI seem broken and report failures entirely unrelated to this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@klemensn @bastelfreak