Browse Source

Use seed for password hashing

Thanks: Peter Palfrader <weasel@debian.org> for this bringing up while reviewing the script
merge-requests/109/head
Michael Prokop 10 years ago
parent
commit
e9015573d0
  1. 10
      puppet/apply.sh
  2. 4
      puppet/jenkins_debian_glue.pp

10
puppet/apply.sh

@ -14,7 +14,14 @@ if [ $# -lt 1 ] ; then
exit 1
fi
PASSWORD_HASH=$(echo -n "${1}{jenkins-debian-glue}" | sha256sum | awk '{print $1}')
SEED=$(head -c 12 /dev/urandom | base64)
if [ -z "$SEED" ] ; then
echo "Error calculating seed. :(" >&2
exit 1
fi
PASSWORD_HASH=$(echo -n "${1}"{"${SEED}"} | sha256sum | awk '{print $1}')
if [ -z "$PASSWORD_HASH" ] ; then
echo "Error calculating password hash. :(" >&2
@ -48,6 +55,7 @@ if ! grep -q PASSWORD_HASH_TO_BE_ADJUSTED jenkins_debian_glue.pp ; then
else
printf "Adjusting password in jenkins_debian_glue.pp: "
sed -i "s/PASSWORD_HASH_TO_BE_ADJUSTED/$PASSWORD_HASH/" jenkins_debian_glue.pp || exit 1
sed -i "s/SEED_TO_BE_ADJUSTED/$SEED/" jenkins_debian_glue.pp || exit 1
echo OK
fi

4
puppet/jenkins_debian_glue.pp

@ -409,7 +409,7 @@ class jenkins::config {
require => File['/var/lib/jenkins/users/'],
}
# PASSWORD_HASH will be adjusted by jenkins-debian-glue's apply.sh script
# SEED_TO_BE_ADJUSTED and PASSWORD_HASH will be adjusted by jenkins-debian-glue's apply.sh script
file { '/var/lib/jenkins/users/jenkins-debian-glue/config.xml':
ensure => present,
mode => '0644',
@ -438,7 +438,7 @@ class jenkins::config {
<insensitiveSearch>false</insensitiveSearch>
</hudson.search.UserSearchProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>jenkins-debian-glue:PASSWORD_HASH_TO_BE_ADJUSTED</passwordHash>
<passwordHash>SEED_TO_BE_ADJUSTED:PASSWORD_HASH_TO_BE_ADJUSTED</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<hudson.tasks.Mailer_-UserProperty>
<emailAddress>jenkins@example.org</emailAddress>

Loading…
Cancel
Save