salt.auth.file
Provide authentication using local files
New in version 2018.3.0.
The file auth module allows simple authentication via local files. Different file types are supported, including:

- Text files, with passwords in plaintext or hashed
- Apache-style htpasswd files
- Apache-style htdigest files
Note

The python-passlib library is required when using a ^filetype of htpasswd or htdigest.
The simplest example is a plaintext file with usernames and passwords:
    external_auth:
      file:
        ^filename: /etc/insecure-user-list.txt
        gene:
          - .*
        dean:
          - test.*
In this example the /etc/insecure-user-list.txt file would be formatted as follows:

    dean:goneFishing
    gene:OceanMan
^filename is the only required parameter. Any parameter that begins with a ^ is passed directly to the underlying file authentication function via kwargs, with the leading ^ being stripped.
The text file option is configurable to work with legacy formats:
    external_auth:
      file:
        ^filename: /etc/legacy_users.txt
        ^filetype: text
        ^hashtype: md5
        ^username_field: 2
        ^password_field: 3
        ^field_separator: '|'
        trey:
          - .*
This would authenticate users against a file of the following format:
    46|trey|16a0034f90b06bf3c5982ed8ac41aab4
    555|mike|b6e02a4d2cb2a6ef0669e79be6fd02e4
    2001|page|14fce21db306a43d3b680da1a527847a
    8888|jon|c4e94ba906578ccf494d71f45795c6cb
Note

The hashutil.digest execution function is used for comparing hashed passwords, so any algorithm supported by that function will work.
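The following is an added example, not Salt's own implementation, showing how the ^field_separator, ^username_field, ^password_field and ^hashtype parameters above map onto a lookup in a legacy-format text file. It reimplements the described behaviour with Python's hashlib instead of Salt's hashutil.digest, so "hashtype" here means any hashlib digest name. The user file is constructed inline with made-up passwords (the hashes are computed when the module loads, so they are not the values from the documentation), and it includes a blank line and a malformed record to show that both are skipped rather than matched.

```python
import hashlib
import hmac


def _md5_hex(text: str) -> str:
    """Helper used only to build the constructed sample file below."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


# Constructed sample in the legacy layout id|username|md5(password).
# Passwords are made up for this example; hashes are computed here so the
# block runs offline. The page's own sample hashes are not reused.
LEGACY_USERS_TXT = "\n".join([
    f"46|trey|{_md5_hex('trey-password')}",
    f"555|mike|{_md5_hex('mike-password')}",
    "",                              # blank lines are skipped
    "this line has no separator",    # too few fields: skipped, never matched
    f"2001|page|{_md5_hex('page-password')}",
]) + "\n"


def find_stored_password(content, username, *, field_separator=":",
                         username_field=1, password_field=2):
    """Return the stored password string for username, or None if absent.

    Field numbers are 1-based, matching ^username_field and ^password_field.
    """
    needed = max(username_field, password_field)
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(field_separator)
        if len(fields) < needed:
            continue  # malformed record: ignore rather than guess at fields
        if fields[username_field - 1] == username:
            return fields[password_field - 1]
    return None


def check_text_file(content, username, password, *, hashtype="plaintext",
                    field_separator=":", username_field=1, password_field=2):
    """Verify username/password against a text user file.

    hashtype is "plaintext" or a hashlib digest name (md5, sha256, ...),
    mirroring ^hashtype. The comparison is constant-time.
    """
    stored = find_stored_password(content, username,
                                  field_separator=field_separator,
                                  username_field=username_field,
                                  password_field=password_field)
    if stored is None:
        return False
    if hashtype == "plaintext":
        candidate = password
    else:
        try:
            candidate = hashlib.new(hashtype, password.encode("utf-8")).hexdigest()
        except ValueError:
            return False  # unsupported digest name: deny instead of falling back
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


if __name__ == "__main__":
    legacy = dict(hashtype="md5", field_separator="|",
                  username_field=2, password_field=3)
    print(check_text_file(LEGACY_USERS_TXT, "trey", "trey-password", **legacy))   # True
    print(check_text_file(LEGACY_USERS_TXT, "trey", "wrong", **legacy))           # False
    print(check_text_file("dean:goneFishing\ngene:OceanMan\n", "gene", "OceanMan"))  # True
```

Two points worth noting when using this file type in practice: a plaintext password that itself contains the separator character is split into extra fields, so only the part before the next separator is ever compared; and an unsalted digest such as md5 of the bare password, as in the example above, is easy to recover from the file if it leaks, so restrict read access to the user file on the master.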
There is also support for Apache-style htpasswd and htdigest files:

    external_auth:
      file:
        ^filename: /var/www/html/.htusers
        ^filetype: htpasswd
        cory:
          - .*
When using htdigest the ^realm must be set:

    external_auth:
      file:
        ^filename: /var/www/html/.htdigest
        ^filetype: htdigest
        ^realm: MySecureRealm
        cory:
          - .*
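Why ^realm is mandatory for htdigest becomes clear from the file format: each line is user:realm:HA1, where HA1 is md5 of "user:realm:password", so the stored value cannot be checked without knowing which realm it was computed for, and the same user may appear under several realms with different passwords. The block below is an added example, not Salt's code (Salt delegates this to python-passlib as noted above); it computes HA1 directly and verifies a constructed .htdigest file containing the user cory in two realms, with made-up passwords.

```python
import hashlib
import hmac


def htdigest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 as stored in an htdigest file: md5("user:realm:password")."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


# Constructed .htdigest content: the same user in two realms with different
# (made-up) passwords. Hashes are computed here so the example runs offline.
HTDIGEST_FILE = (
    f"cory:MySecureRealm:{htdigest_ha1('cory', 'MySecureRealm', 'cory-password')}\n"
    f"cory:OtherRealm:{htdigest_ha1('cory', 'OtherRealm', 'other-password')}\n"
)


def check_htdigest(content: str, username: str, password: str, realm: str) -> bool:
    """Verify a password against an htdigest file for one specific realm."""
    for raw in content.splitlines():
        parts = raw.strip().split(":")
        if len(parts) != 3:
            continue  # htdigest records are exactly user:realm:HA1
        user, line_realm, stored_ha1 = parts
        if user != username or line_realm != realm:
            continue  # a matching user in a different realm must not authenticate
        expected = htdigest_ha1(username, realm, password)
        return hmac.compare_digest(expected.encode("utf-8"), stored_ha1.encode("utf-8"))
    return False


if __name__ == "__main__":
    print(check_htdigest(HTDIGEST_FILE, "cory", "cory-password", "MySecureRealm"))  # True
    print(check_htdigest(HTDIGEST_FILE, "cory", "cory-password", "OtherRealm"))     # False
```

A realm string that does not match what was used when the file was created (for example a typo in ^realm) makes every login fail, which is the safe direction; the check never falls back to "any realm".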
File based authentication

^filename
    The path to the file to use for authentication.

^filetype
    The type of file: text, htpasswd, htdigest. Default: text

^realm
    The realm required by htdigest authentication.

Note

The following parameters are only used with the text filetype.

^hashtype
    The digest format of the password. Can be plaintext or any digest available via hashutil.digest. Default: plaintext

^field_separator
    The character to use as a delimiter between fields in a text file. Default: ':'

^username_field
    The numbered field in the text file that contains the username, with numbering beginning at 1 (one). Default: 1

^password_field
    The numbered field in the text file that contains the password, with numbering beginning at 1 (one). Default: 2
salt.auth.file.auth(username, password)
© 2021 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltproject.io/en/latest/ref/auth/all/salt.auth.file.html