salt.auth.file

Provide authentication using local files

New in version Oxygen.

The file auth module allows simple authentication via local files. Different filetypes are supported, including:

  1. Text files, with passwords in plaintext or hashed
  2. Apache-style htpasswd files
  3. Apache-style htdigest files

Note

The python-passlib library is required when using a ^filetype of htpasswd or htdigest.

The simplest example is a plaintext file with usernames and passwords:

external_auth:
  file:
    ^filename: /etc/insecure-user-list.txt
    gene:
      - .*
    dean:
      - test.*

In this example the /etc/insecure-user-list.txt file would be formatted as follows (the file holds credentials in the clear, so it must be readable only by the user the salt-master runs as):

dean:goneFishing
gene:OceanMan

^filename is the only required parameter. Any parameter that begins with a ^ is passed directly to the underlying file authentication function via kwargs, with the leading ^ being stripped.

The text file option is configurable to work with legacy formats:

external_auth:
  file:
    ^filename: /etc/legacy_users.txt
    ^filetype: text
    ^hashtype: md5
    ^username_field: 2
    ^password_field: 3
    ^field_separator: '|'
    trey:
      - .*

This would authenticate users against a file of the following format:

46|trey|16a0034f90b06bf3c5982ed8ac41aab4
555|mike|b6e02a4d2cb2a6ef0669e79be6fd02e4
2001|page|14fce21db306a43d3b680da1a527847a
8888|jon|c4e94ba906578ccf494d71f45795c6cb

Note

The hashutil.digest execution function is used for comparing hashed passwords, so any algorithm supported by that function will work. These are plain, unsalted digests of the password, so a hashed text file gives little protection against offline cracking if it leaks; restrict its permissions like a plaintext file, or use an htpasswd file with a salted scheme instead.

There is also support for Apache-style htpasswd and htdigest files:

external_auth:
  file:
    ^filename: /var/www/html/.htusers
    ^filetype: htpasswd
    cory:
      - .*

When using htdigest the ^realm must be set:

external_auth:
  file:
    ^filename: /var/www/html/.htdigest
    ^filetype: htdigest
    ^realm: MySecureRealm
    cory:
      - .*

salt.auth.file.auth(username, password)

File based authentication

^filename
The path to the file to use for authentication.
^filetype

The type of file: text, htpasswd, htdigest.

Default: text

^realm
The realm required by htdigest authentication.

Note

The following parameters are only used with the text filetype.

^hashtype

The digest format of the password. Can be plaintext or any digest available via hashutil.digest.

Default: plaintext

^field_separator

The character to use as a delimiter between fields in a text file.

Default: :

^username_field

The numbered field in the text file that contains the username, with numbering beginning at 1 (one).

Default: 1

^password_field

The numbered field in the text file that contains the password, with numbering beginning at 1 (one).

Default: 2
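The following is an added example, not code from the Salt module itself: a stand-alone Python reimplementation of the text and htdigest lookups that the parameters above describe, so the field numbering, separator, hashtype and realm handling can be exercised outside a master. The auth() dispatcher is a stand-in that takes the ^-prefixed keys as keyword arguments and strips the caret (the real module reads them from the master config); the sample files, usernames and passwords are constructed for the demo, and htpasswd is left out because it depends on passlib. Comparisons use hmac.compare_digest so a wrong password does not leak timing information, and malformed lines are skipped rather than crashing the lookup.

```python
import hashlib
import hmac
import os
import tempfile


def _lines(filename):
    """Yield non-empty, non-comment lines with the line ending removed."""
    with open(filename, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\r\n")
            if line and not line.startswith("#"):
                yield line


def _text_auth(username, password, filename, hashtype="plaintext",
               field_separator=":", username_field=1, password_field=2):
    """Text filetype: split on the separator, pick the 1-based fields, compare.
    The digest is unsalted (as with hashutil.digest), so a leaked hashed file
    is still exposed to offline cracking; this mirrors the page, not best practice."""
    if hashtype == "plaintext":
        candidate = password
    else:
        candidate = hashlib.new(hashtype, password.encode("utf-8")).hexdigest()
    for line in _lines(filename):
        fields = line.split(field_separator)
        if max(username_field, password_field) > len(fields):
            continue  # malformed line: too few fields, skip it
        if fields[username_field - 1] != username:
            continue
        stored = fields[password_field - 1]
        return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))
    return False


def _htdigest_auth(username, password, filename, realm):
    """htdigest filetype: each line is user:realm:HA1 with HA1 = md5(user:realm:password)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()
    for line in _lines(filename):
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line
        user, file_realm, stored = parts
        if user == username and file_realm == realm:
            return hmac.compare_digest(ha1.encode("ascii"), stored.encode("utf-8"))
    return False


def auth(username, password, **config):
    """Stand-in for the module entry point (hypothetical, not Salt's own):
    keys beginning with '^' lose the caret and are dispatched on filetype."""
    opts = {k[1:]: v for k, v in config.items() if k.startswith("^")}
    if "filename" not in opts:
        raise ValueError("^filename is the only required parameter and is missing")
    filetype = opts.pop("filetype", "text")
    if filetype == "text":
        return _text_auth(username, password, **opts)
    if filetype == "htdigest":
        if "realm" not in opts:
            raise ValueError("^realm must be set when ^filetype is htdigest")
        return _htdigest_auth(username, password, opts["filename"], opts["realm"])
    raise ValueError(f"unsupported filetype {filetype!r} (htpasswd needs passlib)")


def run_demo():
    """Write constructed sample files to a temp dir and exercise each filetype."""
    tmp = tempfile.mkdtemp()
    plain = os.path.join(tmp, "insecure-user-list.txt")
    legacy = os.path.join(tmp, "legacy_users.txt")
    htdigest = os.path.join(tmp, ".htdigest")
    with open(plain, "w", encoding="utf-8") as fh:
        fh.write("dean:goneFishing\ngene:OceanMan\n")
    with open(legacy, "w", encoding="utf-8") as fh:
        fh.write("46|trey|%s\n" % hashlib.md5(b"correct horse").hexdigest())
        fh.write("broken line without enough fields\n")
    with open(htdigest, "w", encoding="utf-8") as fh:
        ha1 = hashlib.md5(b"cory:MySecureRealm:s3cret").hexdigest()
        fh.write(f"cory:MySecureRealm:{ha1}\n")
    for path in (plain, legacy, htdigest):
        os.chmod(path, 0o600)  # credential files: owner-only, as the master user
    legacy_cfg = {"^filename": legacy, "^filetype": "text", "^hashtype": "md5",
                  "^username_field": 2, "^password_field": 3, "^field_separator": "|"}
    digest_cfg = {"^filename": htdigest, "^filetype": "htdigest", "^realm": "MySecureRealm"}
    return {
        "plain_ok": auth("dean", "goneFishing", **{"^filename": plain}),
        "plain_wrong_case": auth("dean", "gonefishing", **{"^filename": plain}),
        "plain_unknown_user": auth("nobody", "goneFishing", **{"^filename": plain}),
        "legacy_ok": auth("trey", "correct horse", **legacy_cfg),
        "legacy_bad": auth("trey", "wrong", **legacy_cfg),
        "digest_ok": auth("cory", "s3cret", **digest_cfg),
        "digest_wrong_realm": auth("cory", "s3cret", **dict(digest_cfg, **{"^realm": "Other"})),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The legacy file deliberately contains a short malformed line to show that the field lookup skips it instead of raising; the htdigest case with a mismatched realm fails because the realm is part of the stored HA1, which is why the page requires ^realm for that filetype.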