Use usermod(8) on OpenBSD to unbreak password management#294
Merged
corporate-gadfly merged 1 commit intoOpenVoxProject:mainfrom Mar 21, 2026
Merged
Conversation
Contributor
Author
|
This is a cleaner version of what is already committed to OpenBSD's openvox package: https://github.com/openbsd/ports/blob/e3c8d71c07071f2171821b5b2bfb6f1702ce3466/sysutils/ruby-openvox/8/patches/patch-lib_puppet_provider_user_useradd_rb |
klemensn
force-pushed
the
user-password-openbsd
branch
from
bf7bb72 to
372aa8f
Compare
Contributor
Author
|
Linters are happy, tests used in CI seem broken and report failures entirely unrelated to this PR. |
klemensn
force-pushed
the
user-password-openbsd
branch
from
372aa8f to
1d8bd7a
Compare
Contributor
Author
|
@bastelfreak OK to merge? |
Contributor
Author
|
@buzzdeee Perhaps you want to take a look at this, too? We're already running with a slightly different patch in our port/package, behaviour is identical, though. |
Contributor
|
in the port/package, we have it addressed in lib/puppet/provider/user/useradd_rb which likely breaks other OS. This is much cleaner, tested creating users, and updating password: works for me. |
klemensn
force-pushed
the
user-password-openbsd
branch
2 times, most recently
from
0f3c99b to
c750d9b
Compare
f1e77c2 "(PUP-3634) Hide password hash from process list for useradd" introduced `chpasswd -e` which does not exist on OpenBSD, thus `user` resources managing `password` would always fail: ``` Notice: Compiled catalog for atar in environment production in 0.02 seconds rror: Could not set password on user[test]: No command chpasswd defined for provider openbsd Error: /Stage[main]/Main/User[test]/password: change from [redacted] to [redacted] failed: Could not set password on user[test]: No command chpasswd defined for provider openbsd Notice: Applied catalog in 0.01 seconds ``` Use https://man.openbsd.org/usermod.8#p instead: ``` Notice: Compiled catalog for atar in environment production in 0.01 seconds Notice: /Stage[main]/Main/User[test]/password: changed [redacted] to [redacted] Notice: Applied catalog in 0.21 seconds ``` `password` values now do show up briefly in the process list, but given they must be encrypted in order to work, this does not seem critical.
klemensn
force-pushed
the
user-password-openbsd
branch
from
c750d9b to
8a2d027
Compare
corporate-gadfly
approved these changes
Mar 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
f1e77c2 "(PUP-3634) Hide password hash from process list for useradd"
introduced
chpasswd -ewhich does not exist on OpenBSD, thususerresources managing
passwordwould always fail:Use https://man.openbsd.org/usermod.8#p instead:
passwordvalues now do show up briefly in the process list, but giventhey must be encrypted in order to work, this does not seem critical.