Originally published June 19, 2020 @ 1:23 pm

Recently I ran into a situation where hundreds of VMs built via OpenShift/Ansible automation were missing an important local user account used for security audits. While our automation guys were working on tracking down and fixing the build configuration, I needed to add the account manually.

Luckily for me, we also use SaltStack for ad-hoc tasks: a sort of SSH on steroids, if you will. Automation is great when it works right. When it doesn’t, things get screwed up on a massive scale and may require manual intervention.

So, step one was to generate the hash for the default password used by the missing account:

read -s p
# type your password here and hit enter
# The password reaches perl through the environment, not argv, so it never
# shows up in ps. The salt has to be "$6$" (SHA-512 crypt) followed by 16
# characters from [a-zA-Z0-9./] for the result to be a valid /etc/shadow
# entry; a bare "$" prefix is not a salt crypt(3) accepts.
h="$(p="$p" perl -le '@i = ("a".."z", "A".."Z", 0..9, ".", "/"); $s .= $i[rand @i] for 1..16; print crypt($ENV{p}, "\$6\$$s");')"
unset p

Now we can use Salt to create the user. user.add returns True or False per minion, so scan the output for any host reporting False (typically because gid 103 or the sysadmins group does not exist there) before going on to set the password:

# What the account should look like in /etc/passwd
svcaudit:x:33333:103:System Audit:/home/svcaudit:/bin/bash

# How to add it with Salt (one command; -L takes a comma- or whitespace-separated list)
salt --output=txt -L "$(cat server_list.txt)" user.add svcaudit \
    uid=33333 gid=103 groups=sysadmins home=/home/svcaudit shell=/bin/bash \
    fullname="System Audit"

And set the user's password. shadow.set_password takes the already-hashed value, so this is where $h goes; never pass the plaintext here:

# Use Salt to propagate the hash to the servers on your list. It returns True
# per minion once the hash is in /etc/shadow; anything else means that host
# still has the locked "!" entry useradd created.
salt --output=txt -L "$(cat server_list.txt)" shadow.set_password svcaudit "$h"
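The whole procedure as one script, with the two checks a practitioner wants before a hash goes out to hundreds of hosts: that the value is a well-formed $6$ hash, and that crypt(3) reproduces it from the password the same way PAM will at login. This is an added example, not code from the original post; it assumes perl and the salt CLI are on PATH, keeps the post's account fields and server_list.txt, and the `run` argument and the RUN=echo dry-run switch are conventions of this script only.

```sh
#!/bin/sh
# Added example, not the original post's code: the same three steps as one
# script, with checks before the hash is pushed to hundreds of hosts.
# Assumes perl (for crypt(3)) and the salt CLI are on PATH. Account fields
# and server_list.txt are the post's; "run" and RUN=echo are this script's.
set -eu

SALT_CHARS='A-Za-z0-9./'   # the characters crypt(3) accepts in a salt

# 16-character salt from the kernel CSPRNG. The salt is not secret, but it
# must be unique per hash, so do not derive it from a weak PRNG.
gen_salt() {
    LC_ALL=C tr -dc "$SALT_CHARS" < /dev/urandom | head -c 16
}

# SHA-512 crypt ($6$) of the password in $PASSWORD. The password reaches
# perl through the environment, never through argv, so it is not visible
# in the process list.
hash_password() {
    salt=$(gen_salt)
    PASSWORD="$PASSWORD" SALT="$salt" \
        perl -le 'print crypt($ENV{PASSWORD}, "\$6\$$ENV{SALT}")'
}

# Structural check: "$6$", 16-char salt, 86-char digest. An invalid salt
# makes crypt(3) fail (libxcrypt hands back the "*0" failure token, older
# glibc NULL), and that is what would land in /etc/shadow if nobody looked.
check_hash() {
    printf '%s\n' "$1" |
        grep -Eq '^\$6\$['"$SALT_CHARS"']{16}\$['"$SALT_CHARS"']{86}$'
}

# Round trip: crypt(password, hash) must reproduce the hash, which is
# exactly the comparison PAM makes at login. Returns 0 on match.
verify_hash() {
    PASSWORD="$PASSWORD" HASH="$1" \
        perl -e 'exit(crypt($ENV{PASSWORD}, $ENV{HASH}) eq $ENV{HASH} ? 0 : 1)'
}

# Create the account and set its hash on every host in server_list.txt,
# then read /etc/shadow back so the result is checked, not assumed.
# RUN=echo ./script.sh run prints the salt commands instead of running them.
push_account() {
    targets=$(cat server_list.txt)
    ${RUN:-} salt --output=txt -L "$targets" user.add svcaudit \
        uid=33333 gid=103 groups=sysadmins home=/home/svcaudit shell=/bin/bash \
        fullname="System Audit"
    ${RUN:-} salt --output=txt -L "$targets" shadow.set_password svcaudit "$1"
    ${RUN:-} salt --output=txt -L "$targets" shadow.info svcaudit
}

main() {
    printf 'Password for svcaudit: ' >&2
    stty -echo; read -r PASSWORD; stty echo; printf '\n' >&2
    h=$(hash_password)
    check_hash "$h"  || { echo "malformed hash: $h" >&2; exit 1; }
    verify_hash "$h" || { echo "hash does not verify against the password" >&2; exit 1; }
    unset PASSWORD
    push_account "$h"
}

# Only act when invoked as "./script.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in run) main ;; esac
```

Run it once with RUN=echo to see the three salt commands it would issue, then without; the final shadow.info output is the thing to read, since it shows what every host actually has in /etc/shadow rather than what was sent.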