/dev/blog

Puppet needs user passwords in configuration files to be encrypted in the format the local system expects. For Linux and most unix-like system, that means, you have to put the sha1 sum of the password into the configuration file.

There are quite a few ways to generate those password hashes, e.g.

$ openssl passwd -1
  Password: 
  Verifying - Password: 
  $1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/

You can then take the hash string and use it as password in a puppet configuration (e.g. http://docs.puppetlabs.com/references/stable/type.html#user)

user { 'root':
  ensure           => 'present',
  password         => '$1$HTQx9U32$T6.lLkYxCp3F/nGc4DCYM/',
}

Be sure to put the password in single quotes if it contains a dollar sign ($) to ensure that puppet does interpret those as variables.