Puppet for password management


Geoff Newell

Oct 2, 2008, 5:01:09 PM10/2/08
to puppet...@googlegroups.com
I'm working on a turnkey Linux system where the post build config is handled with puppet.
One of the unique constraints with a turnkey system is that passwords are essentially set at build time and then stay fixed for the life of the product.
I was wondering if anyone had used puppet to manage user passwords?
The 'user' type supports an encrypted hash, but ideally I need the facility of passing in a plaintext password, md5 hash it and then have puppet idempotently check it's been set.

Thoughts?

Geoff.

Marti

Oct 2, 2008, 9:26:42 PM10/2/08
to Puppet Users
I've done that on openbsd systems with something like this:

exec { "setpass $name":
  onlyif  => "grep '^$name:\*' /etc/master.passwd",
  command => "usermod -p '$pwstring' $name",
  require => User[$name],
}

Note that the onlyif on this command is intended to set the password
only on accounts that have none, so you'll have to modify it to fit
your needs. $pwstring is a pre-hashed password, for obvious reasons.

HTH,
Marti

Mike Pountney

Oct 3, 2008, 3:41:38 PM10/3/08
to puppet...@googlegroups.com

You can do this via shelling out via generate() on the puppetmaster:

$salt = 'dqwdqaom'
$password = 'mycleartextpassword'

# $password is interpolated into a shell command line, so it must not contain
# a single quote, and it is visible in the puppetmaster's process list while
# mkpasswd runs.
$md5_password = generate('/bin/sh', '-c', "/usr/bin/mkpasswd -H md5 -S $salt '$password' | tr -d '\n'")

Ugly, but it works.

The pretty way of doing this would be to create a custom function.
We're intending on doing this, but it's not there yet.

Cheers,

Mike

AJ Christensen (Fujin)

Oct 4, 2008, 12:51:25 AM10/4/08
to Puppet Users
I wrote a parser func that relies on mkpasswd on the master ages ago:
http://pastie.org/pastes/222996

## mkpasswd("password", "12345678")
# needs an 8-char salt *always*
require 'shellwords'

module Puppet::Parser::Functions
  newfunction(:mkpasswd, :type => :rvalue) do |args|
    # Escape both arguments so a password containing shell metacharacters
    # cannot alter the command; the plaintext still appears in the master's
    # process list while mkpasswd runs.
    %x{/usr/bin/mkpasswd -H MD5 #{Shellwords.escape(args[0])} #{Shellwords.escape(args[1])}}.chomp
  end
end

## usage
$pw = mkpasswd("test", "12345678")
notify { $pw: }

## output
notice: //Node[junglist]/Notify[$1$12345678$oEitTZYQtRHfNGmsFvTBA/]/message: is absent, should be $1$12345678$oEitTZYQtRHfNGmsFvTBA/
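Added example, not code from any post in this thread: a pure-Ruby implementation of the same md5crypt (`$1$`) algorithm that `mkpasswd -H md5` and crypt(3) produce, so a master-side function in the style of AJ's can hash without shelling out (and without the plaintext ever appearing in a process list), plus the idempotent "does the stored hash already match this plaintext?" check that Geoff's question asks for. The function names `md5crypt`, `password_matches?` and `random_salt` are my own; the constructed test value is the `$1$12345678$...` hash shown in AJ's output above.

```ruby
# Added example (not from the thread): md5crypt ("$1$") in pure Ruby, plus an
# idempotent verification check. Helper names are my own.
require 'digest/md5'
require 'securerandom'

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.freeze
MAGIC  = '$1$'.freeze
SALT_RE = /\A[.\/0-9A-Za-z]{1,8}\z/

# crypt(3)-style base64: n six-bit groups, least significant group first.
def to64(v, n)
  out = +''
  n.times { out << ITOA64[v & 0x3f]; v >>= 6 }
  out
end

# md5crypt as in the FreeBSD/glibc reference implementation. The salt is
# 1..8 characters from the crypt alphabet, which is why mkpasswd insists on
# an 8-char salt.
def md5crypt(password, salt)
  raise ArgumentError, 'salt must be 1-8 chars from [./0-9A-Za-z]' unless salt =~ SALT_RE
  pw   = password.b
  salt = salt.b
  final = Digest::MD5.digest(pw + salt + pw)

  ctx = pw + MAGIC.b + salt
  pl = pw.bytesize
  while pl > 0
    ctx << final[0, [pl, 16].min]
    pl -= 16
  end
  # For every 1 bit of the password length add a NUL byte, for every 0 bit
  # the first password byte (the reference code's documented quirk).
  i = pw.bytesize
  while i > 0
    ctx << ((i & 1) == 1 ? "\0".b : pw[0])
    i >>= 1
  end
  final = Digest::MD5.digest(ctx)

  # 1000 stretching rounds, alternating password and intermediate digest.
  1000.times do |r|
    c = (r & 1) == 1 ? pw.dup : final.dup
    c << salt if r % 3 != 0
    c << pw   if r % 7 != 0
    c << ((r & 1) == 1 ? final : pw)
    final = Digest::MD5.digest(c)
  end

  b = final.bytes
  enc = to64((b[0] << 16) | (b[6] << 8) | b[12], 4) +
        to64((b[1] << 16) | (b[7] << 8) | b[13], 4) +
        to64((b[2] << 16) | (b[8] << 8) | b[14], 4) +
        to64((b[3] << 16) | (b[9] << 8) | b[15], 4) +
        to64((b[4] << 16) | (b[10] << 8) | b[5], 4) +
        to64(b[11], 2)
  MAGIC + salt + '$' + enc
end

# Idempotency check: parse "$1$<salt>$<hash>", re-hash the candidate with the
# stored salt and compare in constant time, so the check itself leaks nothing
# about how many leading characters matched.
def password_matches?(password, stored)
  m = stored.match(/\A\$1\$([.\/0-9A-Za-z]{1,8})\$[.\/0-9A-Za-z]{22}\z/)
  return false unless m
  candidate = md5crypt(password, m[1])
  return false unless candidate.bytesize == stored.bytesize
  candidate.bytes.zip(stored.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# A fresh 8-character salt drawn from the crypt alphabet via SecureRandom.
def random_salt
  SecureRandom.random_bytes(8).bytes.map { |x| ITOA64[x & 0x3f] }.join
end

if __FILE__ == $PROGRAM_NAME
  h = md5crypt('test', '12345678')
  puts h
  puts password_matches?('test', h)   # the stored hash already matches: nothing to change
  puts password_matches?('Test', h)   # mismatch: puppet would need to reset the password
  puts md5crypt('test', random_salt)
end
```

In a manifest this pairs naturally with Marti's `exec`: compute the hash on the master with a fixed salt so the result is stable across runs, and let the `onlyif`/`unless` re-check decide whether `usermod -p` needs to run. md5crypt is retained here because it is what the thread's tools emit; the same crypt(3) interface on current Linux systems also accepts the stronger `$6$` (SHA-512) scheme, which is the one to prefer for new builds.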