Cookbook version: 4.2.1
Chef-client version: 12.18.31
Platform Details: CentOS Linux release 7.3.1611 (core) (AWS EC2 instance)
Scenario:
When `jenkins_user` is used to create a user account, by default it creates one with a password set to "", which means anybody can use it to log in to Jenkins without supplying a password. It appears there is a `password` resource attribute which can be used to set the password, but it is completely undocumented, so nobody would know to use it, and if not supplied, it defaults to being wide open.
This is actually made even worse because, under "Caveats" in the README, it actually recommends using the following to set up an authenticated user for Chef to use, which, if used as directed, makes the 'chef' user able to be logged into by anybody without a password, completely undermining the security of the system:
```ruby
# Create the Jenkins user with the public key
jenkins_user 'chef' do
  public_keys [public_key]
end
```
If the `password` attribute is not specified in a `jenkins_user` resource, ideally the user account should be set up such that the ability to log in via password is completely disabled.
(As a side note, it would also be nice if there were some way to specify the password as an already-hashed value, so that it could be supplied to the resource without having to be stored in cleartext in Chef. If this were implemented, it might also be possible to implement the no-password state by simply defaulting to an invalid hash for the pre-hashed value.)
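The following is an added example, not code from this issue or from the jenkins cookbook: a Groovy script for the Jenkins script console that audits the built-in user database for accounts that accept an empty password (the state a `jenkins_user` resource without a `password` attribute leaves behind, as described above) and, when `DRY_RUN` is switched off, rotates each such account to a random value that is never recorded, so that only SSH-key and API-token access remains. It assumes Jenkins is using its own user database (`HudsonPrivateSecurityRealm`); the `DRY_RUN` flag and the 32-byte random password are this example's own choices.

```groovy
// Added example (not part of the jenkins cookbook): find local Jenkins accounts
// that accept an empty password and optionally rotate them to a random,
// unrecorded password. Run from Manage Jenkins -> Script Console.
import hudson.model.User
import hudson.security.HudsonPrivateSecurityRealm
import jenkins.model.Jenkins
import java.security.SecureRandom

def DRY_RUN = true   // example's own flag: set to false to actually rotate affected accounts

def realm = Jenkins.instance.securityRealm
if (!(realm instanceof HudsonPrivateSecurityRealm)) {
    println "Security realm is ${realm.class.simpleName}; this check only covers the built-in user database."
    return
}

def rng = new SecureRandom()
def exposed = []

User.getAll().each { user ->
    // Details holds the stored password hash of a local-database account.
    def details = user.getProperty(HudsonPrivateSecurityRealm.Details.class)
    if (details == null) {
        return   // no local credentials for this user (e.g. an externally authenticated account)
    }
    if (!details.isPasswordCorrect("")) {
        return   // a real password is set; nothing to do
    }
    exposed << user.id
    if (DRY_RUN) {
        return
    }
    // Replace the empty password with 32 random bytes (Base64-encoded) that are
    // never stored anywhere, which effectively disables password login while
    // public keys and API tokens keep working.
    byte[] buf = new byte[32]
    rng.nextBytes(buf)
    def replacement = buf.encodeBase64().toString()
    user.addProperty(HudsonPrivateSecurityRealm.Details.fromPlainPassword(replacement))
}

if (exposed.isEmpty()) {
    println "No accounts accept an empty password."
} else {
    def suffix = DRY_RUN ? " (dry run, nothing changed)" : " (rotated)"
    println "Accounts accepting an empty password: ${exposed.join(', ')}" + suffix
}
```

Run it first with `DRY_RUN = true` to see which accounts are affected; the `chef` user created from the README snippet would appear in that list. Once the cookbook's `password` attribute is set on every `jenkins_user` resource (or the cookbook is changed to default to a disabled password, as requested above), re-running the audit should report no accounts.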