I've searched around a good bit and haven't found any official documentation on the topic.
On Splunk forwarders and indexers, Splunk stores users and their info in $SPLUNK_HOME/etc/passwd
Cat-ing the file on one of my forwarders looks like this:
:admin:<hashed-password>::Administrator:admin:changeme@example.com:
My two questions are:
- What is the full syntax for the passwd file? Some fields are obvious, but I still haven't found any official docs on the syntax.
- How is the hashed password generated? Is it actually a hash, or a reversible encryption? In either case, what algorithm is used and how is it seeded?