Re: [Puppet Users] Using puppet to change passwords on nix systems


Peter Brown

Nov 30, 2012, 1:19:08 AM11/30/12
to puppet-users
Hi.

I have stopped using puppet to manage users. (I now use FreeIPA for authentication and authorization)
I used to use the password field in the user resource to do this. It needs an encrypted password, though.
It worked fine for what I needed at the time.
So if you can get the password from the shadow file on one server you can use that to set the passwords on all your other servers.
It should be pretty easy to use Hiera to store them.




On 30 November 2012 15:14, illectronic <theo...@gmail.com> wrote:
Hi, I am new to this and I discovered a manifest in an old post that should change passwords. It runs fine, but the password does not change. I am wondering how this would work since it would need to change the shadow.

Thanks


define change_passwd($user,$passwd) {
    exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
            onlyif     => "/bin/grep -c ^${user}: /etc/shadow"
    }
}


jcbollinger

Nov 30, 2012, 9:32:06 AM11/30/12
to puppet...@googlegroups.com


On Thursday, November 29, 2012 11:14:57 PM UTC-6, O wrote:
Hi, I am new to this and I discovered a manifest in an old post that should change passwords. It runs fine, but the password does not change. I am wondering how this would work since it would need to change the shadow.



The Puppet agent needs to run as a privileged user (typically root) in order to do a lot of the things it does, including managing system users.  Yes, on systems that use shadow passwords, Puppet needs to modify /etc/shadow to manage passwords.  So?

As to the details, the Puppet agent adapts to the system on which it is running, and uses the appropriate system tools for most of the tasks it wants to perform.  For example, to manage users on RedHat-family systems it uses useradd, userdel, usermod, and/or chage, as appropriate.

For users in particular there is a wide variety of management toolsets in use on different OS flavors.  Not all of them provide the same features, and in particular, not all of them support managing user passwords.  Therefore, whether Puppet can manage passwords on a particular client depends on the client.

Most of this is documented in the Puppet type reference: http://docs.puppetlabs.com/references/3.0.latest/type.html#user.

 
Thanks


define change_passwd($user,$passwd) {
    exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
            onlyif     => "/bin/grep -c ^${user}: /etc/shadow"
    }
}


That's awfully convoluted.  Why are you using an Exec to run "puppet apply" from within a Puppet run, instead of just declaring the wanted resource directly?  That's not to say that the code is wrong or inappropriate.  I think I can infer the purpose, but if you don't understand what it declares and why, then you cannot be sure whether it is appropriate or not.  And that's before we even get to the structure of the wrapper definition.

Pete is right that the User type's 'password' parameter requires a hash instead of a plaintext password.  Except for Windows clients.  And be aware that it requires the hash to be the correct type for the target system, which may be SHA1, SHA512, MD5, or possibly even something else.  If your machines are homogeneous then that's not too big a problem, but if not then you may have a trickier problem.


John

O

Nov 30, 2012, 11:40:34 AM11/30/12
to puppet...@googlegroups.com
You are right. I found a simpler way of doing it using puppet's built-in "user" reference with shadow-lib installed. The only thing is, puppet doesn't seem to be able to create an md5 hash for you, so you need to create a test user with the same password and use that value for password => 'hashgoeshere'.

Brian Jolly

Nov 30, 2012, 1:55:27 PM11/30/12
to puppet...@googlegroups.com
I've been using the openssl command line tool to generate the hash for my puppet users:
openssl passwd -1

It's still a manual process to get the hash, but it works pretty well for a small number of users.

Phips

Dec 4, 2012, 5:52:45 AM12/4/12
to puppet...@googlegroups.com
On Friday, November 30, 2012 4:40:34 PM UTC, O wrote:
You are right. I found a simpler way of doing it using puppet's built-in "user" reference with shadow-lib installed. The only thing is, puppet doesn't seem to be able to create an md5 hash for you, so you need to create a test user with the same password and use that value for password => 'hashgoeshere'.

Use 'grub-md5-crypt' from a Linux box. Simples. 

jcbollinger

Dec 4, 2012, 9:41:59 AM12/4/12
to puppet...@googlegroups.com


As long as you need MD5 hashes, and your system has that program, then that's great.  I repeat, however, that it is essential to create the correct type of hash for your target systems.  MD5 used to be near-universal for Linux, but newer releases tend to prefer other hashes, and other types of machines may have even more differing requirements.


John
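As an added example (not posted in this thread), the Python below implements the md5crypt ($1$) format that `openssl passwd -1` and grub-md5-crypt emit, and, following John's caveat, first reads the scheme from an existing /etc/shadow entry so the hash handed to Puppet's password parameter matches the target. The shadow lines and user names it uses are constructed; the `puppet_user` helper is hypothetical and not part of Puppet.

```python
import hashlib
import secrets
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512"}  # crypt(3) ids in /etc/shadow
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def shadow_scheme(shadow_line: str) -> str:
    """Name the hash scheme an /etc/shadow line uses ('md5' for $1$, 'sha512' for $6$)."""
    field = shadow_line.split(":")[1]
    if field in ("!", "!!", "*"):
        return "locked"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown")
    return "des"  # 13-character traditional crypt

def md5_crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt ($1$) in pure Python; same format as `openssl passwd -1 -salt SALT`."""
    pw, s, magic = password.encode(), salt[:8].encode(), b"$1$"
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + magic + s)
    for n in range(len(pw), 0, -16):  # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[: min(n, 16)])
    i = len(pw)
    while i:  # the algorithm's bit-walk over the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):  # fixed 1000 stretching rounds
        h = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):  # 24 bits -> 4 crypt-base64 characters
            out += ITOA64[v & 0x3F]
            v >>= 6
    out += ITOA64[final[11] & 0x3F] + ITOA64[final[11] >> 6]
    return f"$1${s.decode()}${out}"

def puppet_user(name: str, password: str, reference_shadow_line: str) -> str:
    """Hypothetical helper: emit a user resource only if the target's scheme is $1$.
    Single quotes keep Puppet from interpolating the $1$ and $salt$ inside the hash."""
    if shadow_scheme(reference_shadow_line) != "md5":
        raise ValueError("target is not MD5-crypt; generate a hash of its scheme instead")
    salt = "".join(secrets.choice(ITOA64[2:]) for _ in range(8))
    return f"user {{ '{name}': ensure => present, password => '{md5_crypt(password, salt)}', }}"
```

Before relying on it, compare one output against `openssl passwd -1 -salt SALT PASSWORD` run on the target itself; a $6$ (SHA-512) target needs a different generator, and this helper refuses rather than shipping a mismatched hash.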
