Synchronizing the passwd file between Splunk servers with a shared splunk.secret

dflodstrom
Builder

My goal is to update the Splunk admin password across newly configured instances using the same password. These servers all have the same splunk.secret, so I figured I could share the $SPLUNK_HOME/etc/passwd file after updating it on one instance.

Before sharing the passwd file, I changed the admin password on a couple of instances and noticed that the hashed value in passwd isn't consistent. Is this the expected behavior?

0 Karma
1 Solution

dflodstrom
Builder

I've copied the contents of passwd to another instance and successfully logged in with the new password. It seems that Splunk generates different hashes but is somehow able to decipher them.

I'd like someone else to confirm this behavior before I select my own answer.

0 Karma

xpac
SplunkTrust

I know this is an old question, but it was the first Google result, so I thought I'd give it an update.

Sharing the passwd file works without a shared splunk.secret.

Let's take an example line from a passwd file:
:admin:$6$sG0AOkrCThdXQjTF$5Aiq4/slyL4ve0eKrP/iIUP3kE15S2aJOBWrn1YXZzp3o8eqs1luBK8XBBX93ZHg1y6X.Bs5NqTDB98OqSX6Z1::Administrator:admin:changeme@example.com:::32683

  • The $6$ at the beginning indicates a SHA512 hash.
  • A so-called salt is saved between the $6$ and the next $ - in this case sG0AOkrCThdXQjTF. It is selected randomly and different each time the password is set/changed. Read more about why salts are used here: Salt@Wikipedia
  • The final string after the $ is the actual password hash. Even if you set the same password every time, it will be different each time, because a new salt will be randomly chosen and added to the password before it's hashed. In this case, the hash is 5Aiq4/slyL4ve0eKrP/iIUP3kE15S2aJOBWrn1YXZzp3o8eqs1luBK8XBBX93ZHg1y6X.Bs5NqTDB98OqSX6Z1.

However, when a user tries to log in, Splunk takes the salt stored in the passwd file instead of selecting a random one, adds the salt to the password the user entered, and runs that string through the SHA512 function. If the result of that operation matches the string after the $, it's considered the right password.

That is the reason that the same password results in different strings on different instances, but you can just copy them over.
Again - no shared splunk.secret required.

Hope that helps @dflodstrom!
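
An added example (not part of the original posts, and not Splunk's code): a pure-Python check of the behaviour described in the answer above, assuming the `$6$` field is standard crypt(3) SHA-512 crypt with the default 5000 rounds. `PASSWORD`, `LINE_A`, `LINE_B` and the function names are constructed for illustration; only the second salt is taken from the example line above.

```python
import hashlib
import hmac

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _sha(data: bytes) -> bytes:
    return hashlib.sha512(data).digest()

def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) '$6$' string for password and salt (default 5000 rounds)."""
    pw, sl = password.encode(), salt.encode()[:16]
    n = len(pw)
    b = _sha(pw + sl + pw)
    ctx = pw + sl + b * (n // 64) + b[: n % 64]
    i = n
    while i:  # mix in one block per bit of the password length
        ctx += b if i & 1 else pw
        i >>= 1
    a = _sha(ctx)
    dp = _sha(pw * n)
    p = dp * (n // 64) + dp[: n % 64]
    s = _sha(sl * (16 + a[0]))[: len(sl)]
    c = a
    for r in range(rounds):  # key stretching
        c = _sha((p if r & 1 else c) + (s if r % 3 else b"")
                 + (p if r % 7 else b"") + (c if r & 1 else p))
    out = []
    for k in range(21):  # crypt's byte permutation and base64 variant
        t = (c[k], c[k + 21], c[k + 42])
        t = t[k % 3:] + t[:k % 3]
        w = (t[0] << 16) | (t[1] << 8) | t[2]
        out += [B64[(w >> (6 * m)) & 63] for m in range(4)]
    out += [B64[c[63] & 63], B64[c[63] >> 6]]
    return f"$6${sl.decode()}${''.join(out)}"

def verify(passwd_line: str, candidate: str) -> bool:
    """Re-hash candidate with the salt stored in the line, then compare."""
    stored = passwd_line.split(":")[2]
    _, scheme, salt, _digest = stored.split("$")
    if scheme != "6":
        raise ValueError("only $6$ entries are handled here")
    return hmac.compare_digest(sha512_crypt(candidate, salt), stored)

# Constructed sample: the same password set on two instances, each with its own salt.
PASSWORD = "Hello world!"
LINE_A = ":admin:" + sha512_crypt(PASSWORD, "saltstring") + "::Administrator:admin:changeme@example.com:::1"
LINE_B = ":admin:" + sha512_crypt(PASSWORD, "sG0AOkrCThdXQjTF") + "::Administrator:admin:changeme@example.com:::1"

if __name__ == "__main__":
    print(LINE_A != LINE_B, verify(LINE_A, PASSWORD), verify(LINE_B, PASSWORD))
```

Verification uses nothing but the line itself, which is why a copied passwd entry is accepted on another instance and why the file should be handled like any other credential store.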

ridwanahmed
Path Finder

Yes, it is the expected behavior for the hashed values of the same password to be different. This is because there is a "salt" added when the password is passed through the hashing algorithm. (This makes it more difficult to reverse-engineer passwords from hashed results.)

0 Karma

dflodstrom
Builder

I've tested this on several different instances. I can copy the contents of $SPLUNK_HOME/etc/passwd to any other instance that shares a splunk.secret. If the instances are left to create the passwd file by themselves, they will create a different hash value representing the same password that can be used on other hosts with a shared splunk.secret. Hopefully someone else finds this useful. Please comment if you've seen other behavior.
