salt.modules.linux_shadow

Manage the shadow file on Linux systems

Important

If you feel that Salt should be using this module to manage passwords on a minion, and it is using a different module (or gives an error similar to 'shadow.info' is not available), see here.

salt.modules.linux_shadow.default_hash()

Returns the default hash used for unset passwords

CLI Example:

salt '*' shadow.default_hash

salt.modules.linux_shadow.del_password(name, root=None)

New in version 2014.7.0.

Delete the password of the user given by name

name

User whose password is to be deleted

root

Directory to chroot into

CLI Example:

salt '*' shadow.del_password username

salt.modules.linux_shadow.gen_password(password, crypt_salt=None, algorithm='sha512')

New in version 2014.7.0.

Generate hashed password

Note

When this function is called directly via remote-execution, the password argument may be displayed in the system's process list. This may be a security risk on certain systems.

password

Plaintext password to be hashed.

crypt_salt

Cryptographic salt. If not given, a random 8-character salt will be generated.

algorithm

The following hash algorithms are supported:

  • md5

  • blowfish (not in mainline glibc, only available in distros that add it)

  • sha256

  • sha512 (default)

CLI Example:

salt '*' shadow.gen_password 'I_am_password'
salt '*' shadow.gen_password 'I_am_password' crypt_salt='I_am_salt' algorithm=sha256

salt.modules.linux_shadow.info(name, root=None)

Return information for the specified user

name

User to get the information for

root

Directory to chroot into

CLI Example:

salt '*' shadow.info root

salt.modules.linux_shadow.list_users(root=None)

New in version 2018.3.0.

Return a list of all shadow users

root

Directory to chroot into

CLI Example:

salt '*' shadow.list_users

salt.modules.linux_shadow.lock_password(name, root=None)

New in version 2016.11.0.

Lock the password of the specified user

name

User to lock

root

Directory to chroot into

CLI Example:

salt '*' shadow.lock_password username

salt.modules.linux_shadow.set_date(name, date, root=None)

Sets the value for the date the password was last changed to days since the epoch (January 1, 1970). See man chage.

name

User to modify

date

Date the password was last changed

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_date username 0

salt.modules.linux_shadow.set_expire(name, expire, root=None)

Changed in version 2014.7.0.

Sets the value for the date the account expires as days since the epoch (January 1, 1970). Using a value of -1 will clear expiration. See man chage.

name

User to modify

expire

Date the account expires

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_expire username -1

salt.modules.linux_shadow.set_inactdays(name, inactdays, root=None)

Set the number of days of inactivity after a password has expired before the account is locked. See man chage.

name

User to modify

inactdays

Set password inactive after this number of days

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_inactdays username 7

salt.modules.linux_shadow.set_maxdays(name, maxdays, root=None)

Set the maximum number of days during which a password is valid. See man chage.

name

User to modify

maxdays

Maximum number of days during which a password is valid

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_maxdays username 90

salt.modules.linux_shadow.set_mindays(name, mindays, root=None)

Set the minimum number of days between password changes. See man chage.

name

User to modify

mindays

Minimum number of days between password changes

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_mindays username 7

salt.modules.linux_shadow.set_password(name, password, use_usermod=False, root=None)

Set the password for a named user. The password must be a properly defined hash. The password hash can be generated with this command:

python -c "import crypt; print(crypt.crypt('password', '\$6\$SALTsalt'))"

SALTsalt is the 8-character cryptographic salt. Valid characters in the salt are ., /, and any alphanumeric character.

Keep in mind that the $6 represents a sha512 hash. If your OS is using a different hashing algorithm, this needs to be changed accordingly.

name

User whose password is to be set

password

Password already hashed

use_usermod

Use the usermod command for better compatibility

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..'
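
Because set_password writes whatever string it is given and gen_password accepts several algorithms, a pre-flight check of the hash string is useful. The following is an added example, not part of the Salt documentation or Salt's code: the function name check_shadow_hash and the sample values are hypothetical, and the field lengths assume the standard crypt(3) formats.

```python
import re

# crypt(3) hash ids mapped to the algorithm names listed for gen_password.
PREFIXES = {"1": "md5", "2a": "blowfish", "2b": "blowfish", "2y": "blowfish",
            "5": "sha256", "6": "sha512"}
# Length of the encoded digest field in each crypt(3) format.
DIGEST_LEN = {"md5": 22, "sha256": 43, "sha512": 86}
SALT_RE = re.compile(r"[./0-9A-Za-z]{1,16}")   # valid salt characters
DIGEST_RE = re.compile(r"[./0-9A-Za-z]+")


def check_shadow_hash(value):
    """Return (algorithm, problems) for a crypt(3)-style hash string."""
    parts = value.split("$")
    # Expected shape: $id$[rounds=N$]salt$digest
    if len(parts) < 4 or parts[0] != "":
        return None, ["not in $id$salt$digest form"]
    algorithm = PREFIXES.get(parts[1])
    if algorithm is None:
        return None, ["hash id %r is not one of the listed algorithms" % parts[1]]
    problems = []
    if algorithm == "blowfish":
        # bcrypt: $2b$cost$ followed by 22-char salt + 31-char digest
        ok = len(parts) == 4 and parts[2].isdigit() and len(parts[3]) == 53
        if not (ok and DIGEST_RE.fullmatch(parts[3])):
            problems.append("malformed blowfish hash")
        return algorithm, problems
    fields = parts[2:]
    if fields[0].startswith("rounds="):
        fields = fields[1:]
    if len(fields) != 2:
        return algorithm, ["expected exactly a salt and a digest field"]
    salt, digest = fields
    if not SALT_RE.fullmatch(salt):
        problems.append("salt must be 1-16 characters from [./0-9A-Za-z]")
    if len(digest) != DIGEST_LEN[algorithm] or not DIGEST_RE.fullmatch(digest):
        problems.append("digest has wrong length or characters for " + algorithm)
    if algorithm == "md5":
        problems.append("md5 is weak; the module default is sha512")
    return algorithm, problems


# Constructed samples (digests are filler, not real hashes).
SAMPLES = ["$6$SALTsalt$" + "a" * 86, "$1$SALTsalt$" + "b" * 22, "I_am_password"]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:20], check_shadow_hash(sample))
```

A plaintext value such as the third sample is reported as not being a hash at all, which is the case to catch before it reaches the shadow file.
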
salt.modules.linux_shadow.set_warndays(name, warndays, root=None)

Set the number of days of warning before a password change is required. See man chage.

name

User to modify

warndays

Number of days of warning before a password change is required

root

Directory to chroot into

CLI Example:

salt '*' shadow.set_warndays username 7

salt.modules.linux_shadow.unlock_password(name, root=None)

New in version 2016.11.0.

Unlock the password of the user given by name

name

User to unlock

root

Directory to chroot into

CLI Example:

salt '*' shadow.unlock_password username