set password to never expire for a user


Stuart Cracraft

Nov 25, 2013, 12:25:47 PM
to puppet...@googlegroups.com
Hi,

What is the Puppet directive to ensure a password never expires?

Stuart

Eugene Vilensky

Nov 25, 2013, 3:09:52 PM
to puppet...@googlegroups.com
On Mon, Nov 25, 2013 at 11:25 AM, Stuart Cracraft <smcra...@gmail.com> wrote:
> What is the Puppet directive to ensure a password never expires?


Hi Stuart,

A password property like that is usually operating system specific,
and as such, you're looking for documentation about whether your
operating system's password provider supports it:

http://docs.puppetlabs.com/references/latest/type.html#user

Cheers

Stuart Cracraft

Nov 25, 2013, 4:58:06 PM
to puppet...@googlegroups.com
I used:

  user { "someuser":
      # ...
      password_max_age => '200000',
      # ...
  }

puppet describe user

shows password_max_age can be set to a big number which represents days to expiration
for the given user.

Unfortunately, it doesn't also say something like "infinite" for forever...

Stuart

Matthew Burgess

Nov 25, 2013, 5:58:41 PM
to puppet...@googlegroups.com
On 25 November 2013 21:58, Stuart Cracraft <smcra...@gmail.com> wrote:

> puppet describe user
>
> shows password_max_age can be set to a big number which represents days to expiration
> for the given user.
>
> Unfortunately, it doesn't also say something like "infinite" for forever...

chage(1) says:

  "Passing the number -1 as the EXPIRE_DATE will remove an account expiration"

So, you could try passing '-1' to password_max_age and see if that works.

Kind Regards,

Matt.

Stuart Cracraft

Nov 25, 2013, 6:00:25 PM
to puppet...@googlegroups.com
Notes with ++ inlined.
++ I doubt that either of us has the time to test infinity.
 
> Kind Regards,
>
> Matt.

Matthew Burgess

Nov 25, 2013, 6:03:03 PM
to puppet...@googlegroups.com

LOL - yeah, 'chage -l' might be a bit quicker :)

Stuart Cracraft

Nov 25, 2013, 6:11:13 PM
to puppet...@googlegroups.com
I have direction to use puppet 
rather than the OS and exec...

Matthew Burgess

Nov 25, 2013, 6:17:40 PM
to puppet...@googlegroups.com
On 25 November 2013 23:11, Stuart Cracraft <smcra...@me.com> wrote:
> I have direction to use puppet
> rather than the OS and exec...

Not quite sure I understand. Are you saying that you can write puppet manifests to make all kinds of changes but you're not allowed to run 'chage -l <user>' to *report* what the state of a user is?  If so, that sounds very odd indeed. Even if that were the case, surely you have a dev system somewhere you could apply your manifest on, then run said command to check it did what you expected?

Regards,

Matt.

Stuart Cracraft

Nov 25, 2013, 6:32:38 PM
to puppet...@googlegroups.com
Notes with ++ inlined.
++ It is a simple puppet purist preference. I seek fewer reports and more automation. :-)

> Regards,
>
> Matt.

jcbollinger

Nov 26, 2013, 9:23:19 AM
to puppet...@googlegroups.com


On Monday, November 25, 2013 5:11:13 PM UTC-6, Stuart Cracraft wrote:
> I have direction to use puppet
> rather than the OS and exec...



Possibly you are looking for the 'expiry' User property: http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-expiry

user { 'alice':
  # ...
  expiry => 'absent'
}

It's a bit unclear to me, though, whether there is a distinction between the user's password expiring and the user itself expiring.  Probably what you get with that is 'chage -E' or an appropriate local analog.

Alternatively, you may be looking for the 'password_max_age' User property: http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-password_max_age.  Inasmuch as that looks to be designed to be backed by 'chage -M' or a local equivalent, this may do what you want:

user { 'bob':
  # ...
  password_max_age => -1
}


John
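
An added example, not part of the original thread: a read-only check of the two shadow(5) fields that `chage -M` (password aging) and `chage -E` (account expiry) write, which is the distinction raised in the post above. It assumes a Linux host using the shadow(5) file format; the function names, the sample lines and the 365-day limit are constructed for illustration.

```shell
#!/bin/sh
# shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   field 5 (max)    is what chage -M sets (password aging)
#   field 8 (expire) is what chage -E sets (account expiry, days since epoch)

# Constructed sample data; not real accounts or hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$constructed$hash:16034:0:90:7:::
bob:$6$constructed$hash:16034:0::7:::
carol:$6$constructed$hash:16034:0:200000:7::16100:
svc:!:16034:0:-1:7:::
EOF
}

# Reads shadow lines on stdin; prints one summary line per account.
# Exits non-zero if any line does not have the nine shadow(5) fields.
shadow_aging() {
    awk -F: '
    NF != 9 { print "malformed line " NR > "/dev/stderr"; bad = 1; next }
    {
        pw   = ($5 == "" || $5 + 0 < 0) ? "never" : $5 "d"
        acct = ($8 == "" || $8 + 0 < 0) ? "never" : "day " $8
        printf "%s password_max_age=%s account_expiry=%s\n", $1, pw, acct
    }
    END { exit bad + 0 }'
}

# Prints accounts with a usable password whose max age is unset, negative,
# or above LIMIT days (default 365, an assumed policy value).
long_lived_passwords() {
    awk -F: -v limit="${1:-365}" '
    NF != 9 { next }
    $2 == "" || $2 ~ /^[!*]/ { next }     # locked or no password hash
    $5 == "" || $5 + 0 < 0 || $5 + 0 > limit { print $1 }'
}

sample_shadow | shadow_aging
sample_shadow | long_lived_passwords
```

On a real host, pipe `getent shadow` (run as root) into either function instead of `sample_shadow`.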

Stuart Cracraft

Nov 26, 2013, 1:44:53 PM
to puppet...@googlegroups.com
password_max_age is less destructive. I chose it.