def check_password(username, password, encrypted=False):
'''
Check if passed password is the one assigned to user
.. code-block: bash
salt '*' nxos.cmd check_password username=admin password=admin
salt '*' nxos.cmd check_password username=admin \
password='******' \
encrypted=True
'''
hash_algorithms = {
'1': 'md5',
'2a': 'blowfish',
'5': 'sha256',
'6': 'sha512',
}
password_line = get_user(username)
if not password_line:
return None
if '!!' in password_line:
return False
cur_hash = re.search(r'(\$[0-6](?:\$[^$ ]+)+)', password_line).group(0)
if encrypted is False:
hash_type, cur_salt, hashed_pass = re.search(
r'^\$([0-6])\$([^$]+)\$(.*)$', cur_hash).groups()
new_hash = gen_hash(crypt_salt=cur_salt,
password=password,
algorithm=hash_algorithms[hash_type])
else:
new_hash = password
if new_hash == cur_hash:
return True
return False
def set_password(
username,
password,
encrypted=False,
role=None,
crypt_salt=None,
algorithm="sha256",
**kwargs
):
"""
Set users password on switch.
username
Username to configure
password
Password to configure for username
encrypted
Whether or not to encrypt the password
Default: False
role
Configure role for the username
Default: None
crypt_salt
Configure crypt_salt setting
Default: None
algorithm
Encryption algorithm
Default: sha256
save_config
If False, don't save configuration commands to startup configuration.
If True, save configuration to startup configuration.
Default: True
.. code-block:: bash
salt '*' nxos.set_password admin TestPass
salt '*' nxos.set_password admin \\
password='******' \\
encrypted=True
"""
if algorithm == "blowfish":
raise SaltInvocationError("Hash algorithm requested isn't available on nxos")
get_user(username, **kwargs) # verify user exists
if encrypted is False:
hashed_pass = gen_hash(
crypt_salt=crypt_salt, password=password, algorithm=algorithm
)
else:
hashed_pass = password
password_line = "username {} password 5 {}".format(username, hashed_pass)
if role is not None:
password_line += " role {}".format(role)
kwargs = clean_kwargs(**kwargs)
return config(password_line, **kwargs)
def set_password(username, password, encrypted=False, role=None, crypt_salt=None, algorithm='sha256'):
'''
Set users password on switch
.. code-block:: bash
salt '*' nxos.cmd set_password admin TestPass
salt '*' nxos.cmd set_password admin \\
password='******' \\
encrypted=True
'''
password_line = get_user(username)
if encrypted is False:
if crypt_salt is None:
# NXOS does not like non alphanumeric characters. Using the random module from pycrypto
# can lead to having non alphanumeric characters in the salt for the hashed password.
crypt_salt = secure_password(8, use_random=False)
hashed_pass = gen_hash(crypt_salt=crypt_salt, password=password, algorithm=algorithm)
else:
hashed_pass = password
password_line = 'username {0} password 5 {1}'.format(username, hashed_pass)
if role is not None:
password_line += ' role {0}'.format(role)
try:
sendline('config terminal')
ret = sendline(password_line)
sendline('end')
sendline('copy running-config startup-config')
return '\n'.join([password_line, ret])
except TerminalException as e:
log.error(e)
return 'Failed to set password'
def set_password(username, password, encrypted=False, role=None, crypt_salt=None, algorithm='sha256'):
'''
Set users password on switch
.. code-block:: bash
salt '*' nxos.cmd set_password admin TestPass
salt '*' nxos.cmd set_password admin \\
password='******' \\
encrypted=True
'''
password_line = get_user(username)
if encrypted is False:
if crypt_salt is None:
# NXOS does not like non alphanumeric characters. Using the random module from pycrypto
# can lead to having non alphanumeric characters in the salt for the hashed password.
crypt_salt = secure_password(8, use_random=False)
hashed_pass = gen_hash(crypt_salt=crypt_salt, password=password, algorithm=algorithm)
else:
hashed_pass = password
password_line = 'username {0} password 5 {1}'.format(username, hashed_pass)
if role is not None:
password_line += ' role {0}'.format(role)
try:
sendline('config terminal')
ret = sendline(password_line)
sendline('end')
sendline('copy running-config startup-config')
return '\n'.join([password_line, ret])
except TerminalException as e:
log.error(e)
return 'Failed to set password'
def check_password(username, password, encrypted=False):
'''
Check if passed password is the one assigned to user
.. code-block: bash
salt '*' nxos.cmd check_password username=admin password=admin
salt '*' nxos.cmd check_password username=admin \\
password='******' \\
encrypted=True
'''
hash_algorithms = {'1': 'md5',
'2a': 'blowfish',
'5': 'sha256',
'6': 'sha512', }
password_line = get_user(username)
if not password_line:
return None
if '!!' in password_line:
return False
cur_hash = re.search(r'(\$[0-6](?:\$[^$ ]+)+)', password_line).group(0)
if encrypted is False:
hash_type, cur_salt, hashed_pass = re.search(r'^\$([0-6])\$([^$]+)\$(.*)$', cur_hash).groups()
new_hash = gen_hash(crypt_salt=cur_salt, password=password, algorithm=hash_algorithms[hash_type])
else:
new_hash = password
if new_hash == cur_hash:
return True
return False
def check_password(username, password, encrypted=False):
"""
Check if passed password is the one assigned to user
.. code-block:: bash
salt '*' nxos.cmd check_password username=admin password=admin
salt '*' nxos.cmd check_password username=admin \\
password='******' \\
encrypted=True
"""
hash_algorithms = {
"1": "md5",
"2a": "blowfish",
"5": "sha256",
"6": "sha512",
}
password_line = get_user(username)
if not password_line:
return None
if "!!" in password_line:
return False
cur_hash = re.search(r"(\$[0-6](?:\$[^$ ]+)+)", password_line).group(0)
if encrypted is False:
hash_type, cur_salt, hashed_pass = re.search(
r"^\$([0-6])\$([^$]+)\$(.*)$", cur_hash).groups()
new_hash = gen_hash(crypt_salt=cur_salt,
password=password,
algorithm=hash_algorithms[hash_type])
else:
new_hash = password
if new_hash == cur_hash:
return True
return False
def set_password(username,
password,
encrypted=False,
role=None,
crypt_salt=None,
algorithm='sha256',
**kwargs):
'''
Set users password on switch.
username
Username to configure
password
Password to configure for username
encrypted
Whether or not to encrypt the password
Default: False
role
Configure role for the username
Default: None
crypt_salt
Configure crypt_salt setting
Default: None
alogrithm
Encryption algorithm
Default: sha256
no_save_config
If True, don't save configuration commands to startup configuration.
If False, save configuration to startup configuration.
Default: False
.. code-block:: bash
salt '*' nxos.cmd set_password admin TestPass
salt '*' nxos.cmd set_password admin \\
password='******' \\
encrypted=True
'''
password_line = get_user(username, **kwargs)
if encrypted is False:
if crypt_salt is None:
# NXOS does not like non alphanumeric characters. Using the random module from pycrypto
# can lead to having non alphanumeric characters in the salt for the hashed password.
crypt_salt = secure_password(8, use_random=False)
hashed_pass = gen_hash(crypt_salt=crypt_salt,
password=password,
algorithm=algorithm)
else:
hashed_pass = password
password_line = 'username {0} password 5 {1}'.format(username, hashed_pass)
if role is not None:
password_line += ' role {0}'.format(role)
return config(password_line, **kwargs)
def gen_password():
"""
generate a password and hash it
"""
password = "".join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
hashed_pwd = gen_hash("salt", password, "sha512")
return password, hashed_pwd
def gen_password():
'''
generate a password and hash it
'''
password = ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
hashed_pwd = gen_hash('salt', password, 'sha512')
return password, hashed_pwd
def gen_password():
"""
generate a password and hash it
"""
password = "".join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
hashed_pwd = (password if salt.utils.platform.is_darwin() else gen_hash(
"salt", password, "sha512"))
return password, hashed_pwd
def check_password(username, password, encrypted=False, **kwargs):
"""
Verify user password.
username
Username on which to perform password check
password
Password to check
encrypted
Whether or not the password is encrypted
Default: False
.. code-block: bash
salt '*' nxos.check_password username=admin password=admin
salt '*' nxos.check_password username=admin \\
password='******' \\
encrypted=True
"""
hash_algorithms = {
"1": "md5",
"2a": "blowfish",
"5": "sha256",
"6": "sha512",
}
password_line = get_user(username, **kwargs)
if not password_line:
return None
if "!" in password_line:
return False
cur_hash = re.search(r"(\$[0-6](?:\$[^$ ]+)+)", password_line).group(0)
if encrypted is False:
hash_type, cur_salt, hashed_pass = re.search(
r"^\$([0-6])\$([^$]+)\$(.*)$", cur_hash
).groups()
new_hash = gen_hash(
crypt_salt=cur_salt,
password=password,
algorithm=hash_algorithms[hash_type],
force=True,
)
else:
new_hash = password
if new_hash == cur_hash:
return True
return False
def gen_password():
'''
generate a password and hash it
'''
alphabet = ('abcdefghijklmnopqrstuvwxyz'
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ')
password = ''
# generate password
for _ in range(20):
next_index = random.randrange(len(alphabet))
password += alphabet[next_index]
# hash the password
hashed_pwd = gen_hash('salt', password, 'sha512')
return (password, hashed_pwd)
def gen_password():
'''
generate a password and hash it
'''
alphabet = ('abcdefghijklmnopqrstuvwxyz'
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ')
password = ''
# generate password
for _ in range(20):
next_index = random.randrange(len(alphabet))
password += alphabet[next_index]
# hash the password
hashed_pwd = gen_hash('salt', password, 'sha512')
return (password, hashed_pwd)
def check_password(username, password, encrypted=False, **kwargs):
'''
Verify user password.
username
Username on which to perform password check
password
Password to check
encrypted
Whether or not the password is encrypted
Default: False
.. code-block: bash
salt '*' nxos.cmd check_password username=admin password=admin
salt '*' nxos.cmd check_password username=admin \\
password='******' \\
encrypted=True
'''
hash_algorithms = {
'1': 'md5',
'2a': 'blowfish',
'5': 'sha256',
'6': 'sha512',
}
password_line = get_user(username, **kwargs)
if not password_line:
return None
if '!' in password_line:
return False
cur_hash = re.search(r'(\$[0-6](?:\$[^$ ]+)+)', password_line).group(0)
if encrypted is False:
hash_type, cur_salt, hashed_pass = re.search(
r'^\$([0-6])\$([^$]+)\$(.*)$', cur_hash).groups()
new_hash = gen_hash(crypt_salt=cur_salt,
password=password,
algorithm=hash_algorithms[hash_type])
else:
new_hash = password
if new_hash == cur_hash:
return True
return False
def test_pam_auth_valid_user(self):
'''
test pam auth mechanism is working with a valid user
'''
alphabet = ('abcdefghijklmnopqrstuvwxyz'
'0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ')
self.password = ''
# generate password
for _ in range(20):
next_index = random.randrange(len(alphabet))
self.password = self.password + alphabet[next_index]
# hash the password
from salt.utils.pycrypto import gen_hash
pwd = gen_hash('salt', self.password, 'sha512')
self.run_call("shadow.set_password saltdev '{0}'".format(pwd))
cmd = ('-a pam "*"'
' test.ping --username {0}'
' --password {1}'.format('saltdev', self.password))
resp = self.run_salt(cmd)
self.assertTrue('minion:' in resp)
