class HashCheck

Public Instance Methods

deploy()
# File lib/dust/recipes/hash_check.rb, line 4
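# Audits the node's shadow database against the bundled weak-password list.
#
# For every account that carries a usable hash, each candidate password is
# hashed on the node with the account's own method and salt, and the result
# is compared with the stored hash. A match is reported as a failed message.
#
# Returns the failed message if the remote hash helper exits non-zero, the
# "none found." message if no weak hash matched, and nil otherwise.
def deploy
  # Lazy-loaded on purpose: only needed to quote the remote command below.
  require 'shellwords'

  # those keys indicate that no password is set, or login is disabled
  keys = [ '*', '!', '!!', '', 'LK', 'NP' ]

  # Read the list once, up front. Iterating an open File handle inside the
  # per-user loop exhausts it on the first account, so later accounts were
  # never tested; it also leaked the handle on the early error return.
  weak_passwords = File.readlines("#{@template_path}/weak_passwords").map { |entry| entry.chomp }

  shadow = @node.exec('getent shadow')[:stdout]
  @node.messages.add("checking for weak password hashes\n")

  found_weak = false
  shadow.each_line do |line|
    user, hash = line.split(':')[0..1]
    # malformed line (no ':' separator), or an account without a password
    next if hash.nil? || keys.include?(hash)

    method, salt = hash.split('$')[1..2]
    # Not in "$method$salt$hash" form (e.g. traditional DES): it cannot be
    # reproduced with the "$method$salt$" setting built below, so skip it.
    next unless method && salt

    setting = "$#{method}$#{salt}$"

    weak_passwords.each do |password|
      # python was imho the best solution to generate /etc/shadow hashes.
      # mkpasswd doesn't work on centos-like machines :/
      # and python is more likely installed than ruby
      #
      # Candidate and salt are passed as quoted argv entries, never spliced
      # into the python source: list entries containing quotes, '$' or
      # backticks are then hashed literally instead of being expanded or
      # breaking the command. Assumes @node.exec hands the string to a
      # POSIX shell on the node -- TODO confirm.
      # NOTE: python's crypt module is deprecated since 3.11 and removed in
      # 3.13; on such nodes this helper fails and the error below is shown.
      ret = @node.exec("python -c 'import crypt, sys; print(crypt.crypt(sys.argv[1], sys.argv[2]))' " \
                       "#{Shellwords.escape(password)} #{Shellwords.escape(setting)}")

      unless ret[:exit_code] == 0
        return @node.messages.add('error during hash creation (is python installed?)').failed
      end
      if hash == ret[:stdout].chomp
        # NOTE(review): this writes the matching plaintext next to the user
        # name into the run output; if that output is logged or shared,
        # consider reporting only the user name.
        @node.messages.add("user #{user} has a weak password! (#{password})", :indent => 2).failed
        found_weak = true
      end
    end
  end

  @node.messages.add('none found.', :indent => 2).ok unless found_weak
end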