Provide authentication using local files
New in version 2018.3.0.
The file auth module allows simple authentication via local files. Different filetypes are supported, including:

- Text files, with passwords in plaintext or hashed
- Apache-style htpasswd files
- Apache-style htdigest files
Note

The python-passlib library is required when using a ^filetype of htpasswd or htdigest.
The simplest example is a plaintext file with usernames and passwords:

    external_auth:
      file:
        ^filename: /etc/insecure-user-list.txt
        gene:
          - .*
        dean:
          - test.*

In this example the /etc/insecure-user-list.txt file would be formatted as so:

    dean:goneFishing
    gene:OceanMan
^filename is the only required parameter. Any parameter that begins with a ^ is passed directly to the underlying file authentication function via kwargs, with the leading ^ being stripped. Keys without the ^ prefix are usernames, each mapped to the list of function patterns that user may run.
The text file option is configurable to work with legacy formats:

    external_auth:
      file:
        ^filename: /etc/legacy_users.txt
        ^filetype: text
        ^hashtype: md5
        ^username_field: 2
        ^password_field: 3
        ^field_separator: '|'
        trey:
          - .*

This would authenticate users against a file of the following format:

    46|trey|16a0034f90b06bf3c5982ed8ac41aab4
    555|mike|b6e02a4d2cb2a6ef0669e79be6fd02e4
    2001|page|14fce21db306a43d3b680da1a527847a
    8888|jon|c4e94ba906578ccf494d71f45795c6cb
Note

The hashutil.digest execution function is used for comparing hashed passwords, so any algorithm supported by that function will work. The stored value is the bare digest of the password with no salt, so a user file with ^hashtype of md5 or similar is only as safe as the file's permissions: anyone who can read it can brute-force the entries offline. Keep the file readable by the salt-master user only.
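The following is an added example, not code from the Salt project, showing the two steps the text filetype involves: stripping the ^ prefix from the backend options and then checking a username/password pair against a delimited user file with 1-based field numbers. hashlib stands in for hashutil.digest, the sample user file and passwords are constructed for this example (the digests are not the ones shown above), and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed legacy-format user file in the shape the page describes:
# field 2 is the username, field 3 is an unsalted md5 hex digest and '|'
# separates fields. Digests are computed from made-up passwords here so the
# example is self-checking; they are not the digests from the page.
SAMPLE_PASSWORDS = {"trey": "ph1sh-1983", "mike": "drums", "page": "keys"}
SAMPLE_LINES = [
    "46|trey|" + hashlib.md5(SAMPLE_PASSWORDS["trey"].encode()).hexdigest(),
    "555|mike|" + hashlib.md5(SAMPLE_PASSWORDS["mike"].encode()).hexdigest(),
    "2001|page|" + hashlib.md5(SAMPLE_PASSWORDS["page"].encode()).hexdigest(),
    "# a comment line: too few fields, so it is skipped rather than raising",
    "8888|jon",
]

# Constructed 'file' stanza matching the legacy example on the page.
SAMPLE_CONFIG = {
    "^filename": "/etc/legacy_users.txt",
    "^filetype": "text",
    "^hashtype": "md5",
    "^username_field": 2,
    "^password_field": 3,
    "^field_separator": "|",
    "trey": [".*"],
}


def split_file_auth_config(file_cfg):
    """Split the external_auth 'file' stanza into (kwargs, acl).

    Keys starting with '^' are options for the file backend and lose the
    prefix; every other key is a username mapped to its allowed patterns.
    """
    kwargs = {k[1:]: v for k, v in file_cfg.items() if k.startswith("^")}
    acl = {k: v for k, v in file_cfg.items() if not k.startswith("^")}
    return kwargs, acl


def _digest(password, hashtype):
    """Hex digest of the password (hashlib stands in for hashutil.digest)."""
    if hashtype == "plaintext":
        return password
    return hashlib.new(hashtype, password.encode("utf-8")).hexdigest()


def check_text_file(lines, username, password, hashtype="plaintext",
                    field_separator=":", username_field=1, password_field=2):
    """Return True if username/password match an entry in a text user file.

    Field numbers are 1-based as in the module options. Lines with too few
    fields are ignored. The comparison is constant-time so a rejected guess
    does not leak how many leading characters of the stored value matched.
    """
    uidx, pidx = username_field - 1, password_field - 1
    candidate = _digest(password, hashtype).encode("utf-8")
    for raw in lines:
        fields = raw.rstrip("\n").split(field_separator)
        if len(fields) <= max(uidx, pidx):
            continue
        if fields[uidx] != username:
            continue
        # First matching username wins, as a line-by-line scan would.
        return hmac.compare_digest(fields[pidx].encode("utf-8"), candidate)
    return False


def authenticate(file_cfg, lines, username, password):
    """Derive backend kwargs from the stanza, check the file, return (ok, acl)."""
    kwargs, acl = split_file_auth_config(file_cfg)
    if kwargs.get("filetype", "text") != "text":
        raise NotImplementedError("htpasswd/htdigest need passlib; only 'text' is shown")
    ok = check_text_file(
        lines, username, password,
        hashtype=kwargs.get("hashtype", "plaintext"),
        field_separator=kwargs.get("field_separator", ":"),
        username_field=int(kwargs.get("username_field", 1)),
        password_field=int(kwargs.get("password_field", 2)),
    )
    # A user can authenticate yet have no ACL entry; the caller must treat an
    # empty pattern list as "no functions allowed", not as "allow all".
    return ok, acl.get(username, [])


if __name__ == "__main__":
    print(authenticate(SAMPLE_CONFIG, SAMPLE_LINES, "trey", "ph1sh-1983"))
    print(authenticate(SAMPLE_CONFIG, SAMPLE_LINES, "mike", "drums"))
```

The plaintext defaults (separator ':', username in field 1, password in field 2) reproduce the /etc/insecure-user-list.txt layout from the first example, so the same function checks both file shapes.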
There is also support for Apache-style htpasswd and htdigest files:

    external_auth:
      file:
        ^filename: /var/www/html/.htusers
        ^filetype: htpasswd
        cory:
          - .*

When using htdigest the ^realm must be set:

    external_auth:
      file:
        ^filename: /var/www/html/.htdigest
        ^filetype: htdigest
        ^realm: MySecureRealm
        cory:
          - .*
salt.auth.file.auth(username, password)

File based authentication. The keyword arguments below are the ^-prefixed options from the external_auth configuration with the ^ stripped.

filename
    The path to the file to use for authentication.

filetype
    The type of file: text, htpasswd, htdigest.
    Default: text

realm
    The realm required by htdigest authentication.

Note

The following parameters are only used with the text filetype.

hashtype
    The digest format of the password. Can be plaintext or any digest available via hashutil.digest.
    Default: plaintext

field_separator
    The character to use as a delimiter between fields in a text file.
    Default: :

username_field
    The numbered field in the text file that contains the username, with numbering beginning at 1 (one).
    Default: 1

password_field
    The numbered field in the text file that contains the password, with numbering beginning at 1 (one).
    Default: 2