I'm reading "Reliably Deploying Rails Applications"

Regarding defining users to be set up by Chef, it says:

“Next we need to define users, inside data_bags/users copy the file deploy.json.example to deploy.json.

Generate a password for your deploy user with the command:

openssl passwd -1 "plaintextpassword"

And update deploy.json accordingly.”

My question is, what is the purpose of openssl passwd? Is it just to generate a strong password? Would it be just as good if I typed in random characters?

And then, what is my 'actual' password? The plain text version, or the encrypted version? Do I need to save a copy of both to my password manager?

UPDATE:

Yes, I have read the manual. And yes, I understand that it generates an md5 encrypted version of my password. My question is more about why you'd use it, as opposed to using a very secure random string of characters that you make up yourself (or generate with a password generator).

One benefit I could think of is that you could type a rememberable password, and run it through openssl passwd -1 "plaintextpassword" every time you need to enter it. So you'd kind of have the best of both worlds in terms of an easy to remember password, and a secure, random password. And running the rememberable/plain text version through `openssl passwd -1` every time you need it would save you having to store the encrypted version of the password and type / paste that in every time you need to enter your password.

Is that the only benefit? If not, what are the others?


The purpose of that command is to feed your password through a one-way hashing algorithm (-1 outputs MD5). What that gets you is a string that's derived from your password cryptographically, but cannot be used to find your password on its own if an attacker gets their hands on the hashed version (theoretically - there's a salt included which helps against rainbow tables, but an attacker can still brute force effectively against it).

Your password being run through the hashing function will always result in the same hash, which can then be compared by the server to the stored hash to verify that you have the same password as was run through the openssl command.


After some chat on the #chef IRC channel, here's what I ultimately needed to know. Most of it is actually peripheral info, rather than openssl passwd specific, but anyway...

Chef uses the standard adduser command (http://linux.die.net/man/8/adduser) for adding users. That command accepts the password already encrypted - hence why you need to store an encrypted version (generated by openssl passwd -1 "plaintextpassword") in your data_bags/users/deploy.json.

So, your plain-text password is the 'real' password. But because the adduser command expects the password you pass it to be already encrypted, it's the encrypted version that you need to store in data_bags/users/deploy.json.

That works well, because you definitely wouldn't want to store a plain-text password in data_bags/users/deploy.json!

Coming back to my original questions:

What is my 'actual' password? The plain text version, or the encrypted version?
The plain text version is your real one.

Do I need to save a copy of both to my password manager? No. You only store your plain-text version. You use that whenever you want to log in. The system then encrypts that, and compares it to the encrypted version that it has stored for your account.

What is the benefit / purpose of openssl passwd?

There is no 'benefit' as such. It's simply required because the adduser command will expect the password it's given to be already encrypted.


Having said all that, apparently it's much better to not store a password at all in data_bags/users/deploy.json, and only allow access via SSH Keys.

It's not considered a good practice to store even an encrypted version of your password in data_bags/users/deploy.json because Linux password encryption has such a bad track record. (edit: read comments below for a better explanation)
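To make concrete what the book's `openssl passwd -1` step produces, and what the login check described in the answers above actually does, here is an added example (it is not code from the book, from Chef, or from any of the answers) that implements the md5crypt (`$1$`) scheme on top of Python's `hashlib` and then verifies a typed password against the stored string the way the system does: pull the salt out of the stored value, re-hash the typed password with that salt, compare. The password and salt values are constructed for illustration; the only assumption is the standard md5crypt algorithm as shipped in glibc's crypt(3) and OpenSSL.

```python
from __future__ import annotations

import hashlib
import secrets

# crypt(3)-style base64 alphabet (not the RFC 4648 one)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """Emit `count` groups of 6 bits, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str | None = None) -> str:
    """Return the '$1$<salt>$<hash>' string that `openssl passwd -1` prints.

    The salt is up to 8 characters from ITOA64; a random one is drawn when
    none is given, which is what openssl does when you omit -salt.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8]
    pw = password.encode()
    sb = salt.encode()

    # Alternate sum: md5(password + salt + password), mixed in below.
    alt = hashlib.md5(pw + sb + pw).digest()

    ctx = hashlib.md5(pw + MAGIC + sb)
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For each bit of the password length: a NUL byte for a 1 bit,
    # the first password byte for a 0 bit (the scheme's "something weird").
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 fixed stretching rounds; this is the whole of md5crypt's
    # brute-force resistance, and it is cheap on modern hardware.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$1${salt}${encoded}"


def verify(password: str, stored: str) -> bool:
    """What login does with the value adduser stored: re-hash with the
    stored salt and compare in constant time. The plaintext is never stored."""
    if not stored.startswith("$1$"):
        raise ValueError("not an md5crypt ($1$) hash")
    _, _, salt, _ = stored.split("$", 3)
    return secrets.compare_digest(md5_crypt(password, salt), stored)


if __name__ == "__main__":
    # Constructed values, standing in for the book's deploy user.
    stored = md5_crypt("plaintextpassword")       # what goes into deploy.json
    print("store this in data_bags/users/deploy.json:", stored)
    print("login with plaintext: ", verify("plaintextpassword", stored))  # True
    print("login with wrong pw:  ", verify("wrong", stored))              # False
```

You can cross-check the implementation against the real tool with `openssl passwd -1 -salt <salt> <password>`: the same salt must give byte-for-byte the same `$1$...` string, which is also why `openssl passwd -1` prints a different result every time you run it without `-salt`. The 1000-round MD5 loop is the reason the self-answer calls Linux password hashing's track record bad: it was tuned for 1990s hardware, so a copied `deploy.json` hash is cheap to guess at, and where the target system supports it `openssl passwd -6` (SHA-512 crypt) is the stronger choice before reaching the real fix of SSH keys only.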