I am trying to have Puppet automate the deployment of Splunk in my environment(s), however I do not know the password hashing algorithm Splunk uses (as of Splunk Enterprise v6.2.2) to dynamically add hashes directly to configuration files.
Does anyone know the algorithm?
I've tried using openssl and guessing the hash, e.g. SHA1/256/512, MD5, but the output is not the same since the strings are alphanumeric whereas the hashes in the Splunk configuration files are a mix of alpha and non-alphanumeric characters.
One of the method to resolve the issue is to get the password hashed the same way on each instance.
To achieve this, you need to unify your splunk.secret key (in $SPLUNK_HOME/etc/auth/splunk.secret. )
Then when you prepare your config on a separate server that has the same splunk.secret , you restart splunk to apply them, and get the password encrypted in the local folders. Then you can push this pre-hashed file that all the other servers will be able to read.
Preferably before you start splunk the first time.
Or if you do change it afterward, you will have to clear some files to have them being rehashed.
in $SPLUNK_HOME/etc/passwd $SPLUNK_HOME/etc/system/local/server.conf
and optionally authentication.conf, outputs.conf, inputs.conf, and other special apps passwords fields.