Creating user with random password (only once)


wernerbahlke

Feb 8, 2012, 2:30:09 PM
to Puppet Users
Hi,

I want to create a user with a random password. Is there a way to only
execute the manifest once when the user does not exist but not once
the user is created?

I know how to create a random password and can use generate to execute
this function (or make it a custom fact provided I get this fact
executed).

So far I call an add_user method defined in a users module out of my
base class. Here is the code:

include users

users::add_user { 'testuser':
  name     => 'testuser',
  uid      => '777',
  password => generate('/usr/local/bin/new_hash'),
  shell    => '/bin/csh',
  groups   => 'testuser',
}

But alas this will get executed every time the client runs since the
password will have changed due to the new generate call.

One work-around I could think of is to create the user on the client
(FreeBSD) using an exec calling the makepassword and pw command.

Then I could check for existence of the user in the masterpasswd file
with an unless check.

But I much prefer to do this with Puppet natively.

Any suggestions will be greatly appreciated.

Werner

Jeff McCune

Feb 8, 2012, 2:58:33 PM
to puppet...@googlegroups.com
On Wed, Feb 8, 2012 at 11:30 AM, wernerbahlke <werner...@gmail.com> wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?

For situations like this I use the puppet generate() function to create the random password and store it in a persistent data store on the master, e.g. an SQLite database or something. This way, the password is generated randomly if it does not exist and the same password is used if it does already exist.

It's important to have the resource always be managed, that way if the password is changed on the managed node Puppet will realize this, change it to the value you're managing, and report that it did so.

-Jeff
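
One way to implement the get-or-create store described in the reply above, as an added example that is not code from the thread or from Puppet. The script name `/usr/local/bin/pw_for`, the store path, and the flat `user:hash` file (used here instead of SQLite) are assumptions; only the SHA-512 crypt hash is kept, never the cleartext.

```ruby
#!/usr/bin/env ruby
# Added example: return the same password hash for a user on every catalog run.
# Assumptions: hypothetical store path, "user:hash" lines, libc supports $6$ crypt.
require 'securerandom'

STORE = ENV.fetch('PW_STORE', '/var/lib/puppet/pw_store') # hypothetical path
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Hash a fresh random password from the OS CSPRNG; the cleartext is discarded.
def new_hash
  salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  SecureRandom.base64(24).crypt("$6$#{salt}")
end

# Return the stored hash for +user+, generating and persisting one on first use.
def hash_for(user, store = STORE)
  raise ArgumentError, "bad user name: #{user.inspect}" unless user.to_s.match?(/\A[a-z_][a-z0-9_-]{0,31}\z/)
  File.open(store, File::RDWR | File::CREAT, 0o600) do |f|
    f.flock(File::LOCK_EX)                 # serialise concurrent catalog compiles
    f.each_line do |line|
      name, stored = line.chomp.split(':', 2)
      return stored if name == user        # known user: identical hash every run
    end
    fresh = new_hash
    f.seek(0, IO::SEEK_END)
    f.puts("#{user}:#{fresh}")
    f.flush
    fresh
  end
end

# From a manifest: password => generate('/usr/local/bin/pw_for', 'testuser')
print hash_for(ARGV[0]) if __FILE__ == $PROGRAM_NAME && ARGV[0]
```

Because the hash is stable across runs, the user resource stays managed and Puppet reports a change only when the password is altered on the node.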

Dan White

Feb 8, 2012, 3:00:59 PM
to puppet...@googlegroups.com
In one user management setup, I use htpasswd to create a random password just to secure the account.
Like this:

htpasswd -nmb whoever `mkpasswd` | cut -d: -f2 | passwd --stdin <username>

Then, with over-the-shoulder admin access, the user can set their own password.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)


Nan Liu

Feb 8, 2012, 3:00:53 PM
to puppet...@googlegroups.com
On Wed, Feb 8, 2012 at 11:30 AM, wernerbahlke <werner...@gmail.com> wrote:

I was testing Steve Shipway's secret server module, there's a fact
that returns all the user password ages to determine whether or not to
update the user password in secret server. You can see if something
similar would be useful:

https://github.com/nanliu/puppet-ss/blob/tb/hiera/lib/facter/ss_passwd_age.rb

Thanks,

Nan

mukulm

Feb 9, 2012, 8:43:50 AM
to Puppet Users


Also, how can the owner be set to something other than root, as in:

owner => ? ( want to set user as $USER )
group => ? ( want to set group as GROUP )
ensure => present,

Thanks
Mukulm

siva kumar

Oct 30, 2012, 8:28:53 AM
to puppet...@googlegroups.com
Dear Werner,
 
Good Morning !
 
I am also working with the User module in Puppet (new to Puppet) ... But I am not getting how/where to implement random password generation.
Below is my module:
 
/etc/puppetlabs/puppet/modules/user/manifests/user.pp  :
 
#cat user.pp
define add_user ( $name, $uid, $groups, $shell, $password, $sshkeytype, $sshkey, $password_max_age, $password_min_age ) {
            $username = $title
            user { $username:
                    ensure  => present,
                    comment => "$name",
                    home    => "/home/$username",
                    shell   => $shell,
                    uid     => $uid,
                    # apply the hash passed in by the caller (was declared but unused)
                    password => $password,
                    password_max_age => "$password_max_age",
                    password_min_age => "$password_min_age"
            }
            group { $username:
                    gid     => $uid,
                    require => User[$username]
            }
            file { "/home/$username/":
                    ensure  => directory,
                    owner   => $username,
                    group   => $username,
                    mode    => '0750',
                    require => [ User[$username], Group[$username] ]
            }
            file { "/home/$username/.ssh":
                    ensure  => directory,
                    owner   => $username,
                    group   => $username,
                    mode    => '0700',
                    require => File["/home/$username/"]
            }

            file { "/home/$username/.ssh/authorized_keys":
                    ensure  => present,
                    owner   => $username,
                    group   => $username,
                    mode    => '0600',
                    require => File["/home/$username/.ssh"]
            }
            ssh_authorized_key { $username:
                    user   => "$username",
                    ensure => present,
                    type   => "$sshkeytype",
                    key    => "$sshkey",
                    name   => "$username"
            }
}
++++++++++++++++++++++++++++++++++++++++++++++++++++
/etc/puppetlabs/puppet/manifests/nodes.pp
 
user { 'installer':
  ensure => "absent"
}
add_user { 'apple1':
        name    => "WM_admin_user",
        uid      => "3334",
        password_min_age => '2',
        password_max_age => '80000',
        password =>'$1$7NwLmsAf$25L8RI8v5gbirkPKLSulE/',
        shell => "/bin/bash",
        groups => ['apple1'],
        # the define's parameter is named sshkeytype, not type
        sshkeytype => "ssh-dss",
sshkey => "AAAAB3NzaC1kc3MAAACBAJzMVL4afDQBJ3rcM9LlHqxg0rmkWDwoWehS4nIpBLJL9qGoyR1YBzPvpD1VufsUqgUXH9dYdfaiVum4IaTgyu2Tb0ezR4Nx2Jkcnp+8jFh/Cys3zgMvzJaIw/Au45E
9h4vBdwvouj1Sg0YaY5mGuKZ2w121uPLawjc3DJsNSc+jAAAAFQCb7+Vtir8w+o/CIDiSPXr6MVj16QAAAIBFHMnBixvQaxekLK70eR9TgYUAXsh0MHT8VT+XMUWlOC8u8yVEOTDzrU1ZL2vNWo4NZL6ex9ffx
0JRS5hSCU/o8aVcoC4viCC7SGmntNb0nQo+iKUyTQbGcmMoPG9lO498prML66GbOYWzTedc4XT683kyWV4k0iVixyvLsfLnAAAAIB4PmZfjdTtYwC7cE/upvfC/HWpKHHAn66YW6PRTCwZPqCd2AvHAMX/l7nb
k1u+BL0YtymawzNT97FcYuvM1UWrJ+fT8isTyHsoUkf76irVxcTBH0SReChHbYeWa2bATEvaj0u2597H4O7qYHJ6IZpTTAeWP0EeKDABfonAr+ZJw==",
}
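exec { "first_login_password_ch":
    # without refreshonly or an unless/onlyif guard this runs on every agent run
    command => "/usr/bin/chage -d 0 apple1",
    # path must be a directory list, not the binary itself
    path    => "/usr/bin"
}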
}
+++++++++++++++++++++++++++++
 
random password script:
 
#!/bin/bash
# random password generator by typedeaF
# NOTE: $RANDOM is a 15-bit pseudo-random generator, not a cryptographic source
# Sets the maximum size of the password the script will generate
MAXSIZE=15
# I put escape chars on all the non alpha-numeric characters just for precaution
# (an unescaped # starts a comment and silently drops the rest of the line)
array1=(
q w e r t y u i o p a s d f g h j k l z x c v b n m Q W E R T Y U I O P A S D
F G H J K L Z X C V B N M 1 2 3 4 5 6 7 8 9 0 \! \@ \# \$ \% \^ \& \* \( \)
)
# Used in conjunction with modulus to keep random numbers in range of the array size
MODNUM=${#array1[*]}
# Keeps track of the number characters in the password we have generated
pwd_len=0
while [ $pwd_len -lt $MAXSIZE ]
do
  x=$(($RANDOM%500))
  y=0
  # pick an index up front so one is always set, even when x is 0
  index=$(($RANDOM%$MODNUM))
  while [ $y -lt $x ]
  do
    ((y++))
    index=$(($RANDOM%$MODNUM))
  done
  # emit exactly one character per outer iteration, MAXSIZE in total
  echo -n "${array1[$index]}"
  ((pwd_len++))
done
exit 0
 
I don't know how to integrate with puppet module ....... Your help is much appreciated....
 
 
Thanks & Regards,
 
Siva Kumar S.

Dan White

Oct 30, 2012, 9:39:12 AM
to puppet...@googlegroups.com
The package "expect" contains a script/binary called "mkpasswd" that I find very appropriate for making passwords.

Here's its man-page: http://linux.die.net/man/1/mkpasswd

Krzysztof Wilczynski

Oct 30, 2012, 4:40:07 PM
to puppet...@googlegroups.com