Manage the shadow file on Linux systems
Important
If you feel that Salt should be using this module to manage passwords on a minion, and it is using a different module (or gives an error similar to 'shadow.info' is not available), see here.
salt.modules.linux_shadow.default_hash()
Returns the default hash used for unset passwords
CLI Example:
salt '*' shadow.default_hash
salt.modules.linux_shadow.del_password(name, root=None)
New in version 2014.7.0.
Delete the password of the named user
name: User to delete
root: Directory to chroot into
CLI Example:
salt '*' shadow.del_password username
salt.modules.linux_shadow.gen_password(password, crypt_salt=None, algorithm='sha512')
New in version 2014.7.0.
Generate hashed password
Note
When this function is called directly via remote-execution, the password argument may be displayed in the system's process list. This may be a security risk on certain systems.
password: Plaintext password to be hashed.
crypt_salt: Cryptographic salt. If not given, a random 8-character salt will be generated.
The following hash algorithms are supported:
md5
blowfish (not in mainline glibc, only available in distros that add it)
sha256
sha512 (default)
CLI Example:
salt '*' shadow.gen_password 'I_am_password'
salt '*' shadow.gen_password 'I_am_password' crypt_salt='I_am_salt' algorithm=sha256
salt.modules.linux_shadow.info(name, root=None)
Return information for the specified user
name: User to get the information for
root: Directory to chroot into
CLI Example:
salt '*' shadow.info root
salt.modules.linux_shadow.list_users(root=None)
New in version 2018.3.0.
Return a list of all shadow users
root: Directory to chroot into
CLI Example:
salt '*' shadow.list_users
salt.modules.linux_shadow.lock_password(name, root=None)
New in version 2016.11.0.
Lock the password of the specified user
name: User to lock
root: Directory to chroot into
CLI Example:
salt '*' shadow.lock_password username
salt.modules.linux_shadow.set_date(name, date, root=None)
Sets the value for the date the password was last changed to days since the epoch (January 1, 1970). See man chage.
name: User to modify
date: Date the password was last changed
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_date username 0
salt.modules.linux_shadow.set_expire(name, expire, root=None)
Changed in version 2014.7.0.
Sets the value for the date the account expires as days since the epoch (January 1, 1970). Using a value of -1 will clear expiration. See man chage.
name: User to modify
expire: Date the account expires
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_expire username -1
salt.modules.linux_shadow.set_inactdays(name, inactdays, root=None)
Set the number of days of inactivity after a password has expired before the account is locked. See man chage.
name: User to modify
inactdays: Set password inactive after this number of days
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_inactdays username 7
salt.modules.linux_shadow.set_maxdays(name, maxdays, root=None)
Set the maximum number of days during which a password is valid. See man chage.
name: User to modify
maxdays: Maximum number of days during which a password is valid
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_maxdays username 90
salt.modules.linux_shadow.set_mindays(name, mindays, root=None)
Set the minimum number of days between password changes. See man chage.
name: User to modify
mindays: Minimum number of days between password changes
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_mindays username 7
salt.modules.linux_shadow.set_password(name, password, use_usermod=False, root=None)
Set the password for a named user. The password must be a properly defined hash. The password hash can be generated with this command:
python -c "import crypt; print(crypt.crypt('password', '\$6\$SALTsalt'))"
SALTsalt is the 8-character cryptographic salt. Valid characters in the salt are ., /, and any alphanumeric character.
Keep in mind that the $6 represents a sha512 hash; if your OS is using a different hashing algorithm, this needs to be changed accordingly.
name: User to set the password
password: Password already hashed
use_usermod: Use the usermod command for better compatibility
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_password root '$1$UYCIxa628.9qXjpQCjM4a..'
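As an added example (not part of the Salt documentation or Salt's code), the following check classifies a string before it is handed to shadow.set_password, confirming that it is a well-formed crypt(3) hash rather than plaintext and flagging md5. The name inspect_hash and the sample fields are hypothetical; the digest lengths and the leading ! on locked entries are assumptions about standard crypt(3) and passwd behaviour, not stated on this page.

```python
import re

# crypt(3) prefixes for the algorithms gen_password lists.
ALGORITHMS = {"1": "md5", "2a": "blowfish", "2b": "blowfish",
              "2y": "blowfish", "5": "sha256", "6": "sha512"}
DIGEST_LEN = {"md5": 22, "sha256": 43, "sha512": 86}   # encoded digest length
MAX_SALT = {"md5": 8, "sha256": 16, "sha512": 16}
B64 = re.compile(r"[./0-9A-Za-z]*")                     # salt/digest alphabet


def inspect_hash(field):
    """Classify a shadow password field: status, algorithm, locked, weak."""
    result = {"status": "malformed", "algorithm": None,
              "locked": field.startswith("!"), "weak": False}
    body = field.lstrip("!")
    if body == "":
        result["status"] = "empty"          # no hash stored in the field
        return result
    parts = body.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in ALGORITHMS:
        return result                       # plaintext or unknown scheme
    algo = result["algorithm"] = ALGORITHMS[parts[1]]
    result["weak"] = algo == "md5"
    if algo == "blowfish":
        # bcrypt layout: $2b$<cost>$<22-char salt + 31-char digest>
        ok = (len(parts) == 4 and parts[2].isdigit()
              and len(parts[3]) == 53 and B64.fullmatch(parts[3]))
    else:
        fields = parts[2:]
        if algo != "md5" and re.fullmatch(r"rounds=\d+", fields[0]):
            fields = fields[1:]             # optional SHA-crypt rounds parameter
        ok = (len(fields) == 2
              and len(fields[0]) <= MAX_SALT[algo] and B64.fullmatch(fields[0])
              and len(fields[1]) == DIGEST_LEN[algo] and B64.fullmatch(fields[1]))
    if ok:
        result["status"] = "ok"
    return result


if __name__ == "__main__":
    # Constructed sample fields; the digests are filler, not real hashes.
    samples = ["$6$SALTsalt$" + "a" * 86, "$1$SALTsalt$" + "b" * 22,
               "!$6$SALTsalt$" + "a" * 86, "I_am_password", ""]
    for s in samples:
        print(repr(s[:24]), inspect_hash(s))
```

Only a field that comes back with status ok and weak False is a reasonable candidate for shadow.set_password; a malformed result usually means a plaintext password or a truncated hash was about to be written.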
salt.modules.linux_shadow.set_warndays(name, warndays, root=None)
Set the number of days of warning before a password change is required. See man chage.
name: User to modify
warndays: Number of days of warning before a password change is required
root: Directory to chroot into
CLI Example:
salt '*' shadow.set_warndays username 7
salt.modules.linux_shadow.unlock_password(name, root=None)
New in version 2016.11.0.
Unlock the password of the named user
name: User to unlock
root: Directory to chroot into
CLI Example:
salt '*' shadow.unlock_password username