Provide authentication using local files
New in version 2018.3.0.
The file auth module allows simple authentication via local files. Different filetypes are supported, including:
- Text files, with passwords in plaintext or hashed
- Apache-style htpasswd files
- Apache-style htdigest files
Note
The python-passlib library is required when using a ^filetype of htpasswd or htdigest.
The simplest example is a plaintext file with usernames and passwords:
    external_auth:
      file:
        ^filename: /etc/insecure-user-list.txt
        gene:
          - .*
        dean:
          - test.*
In this example the /etc/insecure-user-list.txt file would be formatted as follows:

    dean:goneFishing
    gene:OceanMan
^filename is the only required parameter. Any parameter that begins with a ^ is passed directly to the underlying file authentication function via kwargs, with the leading ^ being stripped.
The text file option is configurable to work with legacy formats:
    external_auth:
      file:
        ^filename: /etc/legacy_users.txt
        ^filetype: text
        ^hashtype: md5
        ^username_field: 2
        ^password_field: 3
        ^field_separator: '|'
        trey:
          - .*
This would authenticate users against a file of the following format:
    46|trey|16a0034f90b06bf3c5982ed8ac41aab4
    555|mike|b6e02a4d2cb2a6ef0669e79be6fd02e4
    2001|page|14fce21db306a43d3b680da1a527847a
    8888|jon|c4e94ba906578ccf494d71f45795c6cb
Note
The hashutil.digest execution function is used for comparing hashed passwords, so any algorithm supported by that function will work.
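To make the text filetype options concrete, here is an added example (not Salt's own salt.auth.file code) that parses a delimited user file with the same ^field_separator / ^username_field / ^password_field semantics and checks a password against it; it uses hashlib in place of hashutil.digest, and the sample rows are constructed for this example.

```python
import hashlib
import hmac

# Constructed sample rows in the legacy layout from the configuration above:
# id|username|md5(password).  The hashes are md5("password") and md5("abc").
LEGACY_USERS = (
    "46|trey|5f4dcc3b5aa765d61d8327deb882cf99\n"
    "555|mike|900150983cd24fb0d6963f7d28e17f72\n"
)


def load_users(content, field_separator="|", username_field=2, password_field=3):
    """Parse delimited text into {username: stored_password}.

    Field numbers count from 1, matching ^username_field / ^password_field.
    Blank or short rows are skipped so a malformed line cannot stand in for
    a real account entry.
    """
    users = {}
    needed = max(username_field, password_field)
    for line in content.splitlines():
        fields = line.split(field_separator)
        if not line.strip() or len(fields) < needed:
            continue
        users[fields[username_field - 1]] = fields[password_field - 1]
    return users


def check_password(users, username, password, hashtype="md5"):
    """Return True if password matches the stored entry for username.

    hashtype is "plaintext" or any algorithm name hashlib accepts (this
    example substitutes hashlib for Salt's hashutil.digest).  The comparison
    is constant-time so a wrong guess does not reveal how many leading
    characters of the hash matched.
    """
    stored = users.get(username)
    if stored is None:
        return False
    if hashtype == "plaintext":
        candidate = password
    else:
        candidate = hashlib.new(hashtype, password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    users = load_users(LEGACY_USERS)
    print(check_password(users, "trey", "password"))  # True
    print(check_password(users, "trey", "Password"))  # False
```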
There is also support for Apache-style htpasswd and htdigest files:

    external_auth:
      file:
        ^filename: /var/www/html/.htusers
        ^filetype: htpasswd
        cory:
          - .*
When using htdigest the ^realm must be set:

    external_auth:
      file:
        ^filename: /var/www/html/.htdigest
        ^filetype: htdigest
        ^realm: MySecureRealm
        cory:
          - .*
salt.auth.file.auth(username, password)
File based authentication
filetype
    The type of file: text, htpasswd, htdigest.
    Default: text

Note
The following parameters are only used with the text filetype.

hashtype
    The digest format of the password. Can be plaintext or any digest available via hashutil.digest.
    Default: plaintext

field_separator
    The character to use as a delimiter between fields in a text file.
    Default: :

username_field
    The numbered field in the text file that contains the username, with numbering beginning at 1 (one).
    Default: 1

password_field
    The numbered field in the text file that contains the password, with numbering beginning at 1 (one).
    Default: 2