user resource, get password from command on master


Andrei-Florian Staicu

Dec 10, 2012, 3:22:22 AM
to puppet...@googlegroups.com
Hi all,

I started managing users with puppet (3). Right now it works ok, but I have to change the hash manually in the manifest files. I would like users to login to the puppet master and change the password for themselves. Could I do something like this?
password => `grep $user /etc/shadow | awk -F ':' '{print $2}'`,

Thanks.

Martin Alfke

Dec 10, 2012, 3:28:08 AM
to puppet...@googlegroups.com
Hi Andrei,
You want to make use of a function:
http://docs.puppetlabs.com/references/latest/function.html

Functions get executed on the master.

hth,

Martin

Andrei-Florian Staicu

Dec 10, 2012, 3:49:10 AM
to puppet...@googlegroups.com
Hi Martin, and thanks for the quick answer.

Do you happen to know with what user the scripts get executed on the master? If it's not root, I might have to stick some sudos in there.

Thanks.
--
Beware of programmers who carry screwdrivers!

Martin Alfke

Dec 10, 2012, 5:47:41 AM
to puppet...@googlegroups.com
As far as I know, functions are run as user "puppet".
(Please verify your puppet.conf and look which user is used. Normally this is "puppet" or "pe-puppet" (on the enterprise version).)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

jcbollinger

Dec 10, 2012, 10:47:36 AM
to puppet...@googlegroups.com

On Monday, December 10, 2012 2:49:10 AM UTC-6, SAF wrote:

> Do you happen to know with what user the scripts get executed on the master? If it's not root, I might have to stick some sudos in there.


Functions are evaluated as a normal part of the puppet master's execution, thus they run as whatever user the master runs as.  In most setups that is a non-privileged user, without access to the contents of /etc/shadow.

You should think long and hard before granting the master elevated privileges.  I would not do it myself.  In fact, I would recommend against your whole concept for password management.  It requires you to weaken your security not only by granting extra privileges to the master, but also -- much worse -- by granting your users login privileges on the puppet master server.

Furthermore, password updates under your scheme would not be synchronous or even coordinated across hosts.  For each other system he wants to log in to, the user would have to wait some unknown time for that system to perform a successful Puppet run before his password changes there, and there will be a period during which his password is different on some nodes than on others.

There are good, industry-standard approaches to centralized password management.  You should really choose among those instead of rolling your own.  One of the best-regarded is LDAP, and you could also consider NIS (just to name two).  The former is more secure, but the latter is very easy to set up.


John

Jakov Sosic

Dec 11, 2012, 8:58:54 PM
to puppet...@googlegroups.com
On 12/10/2012 04:47 PM, jcbollinger wrote:

> There are good, industry-standard approaches to centralized password
> management. You should really choose among those instead of rolling
> your own. One of the best-regarded is LDAP, and you could also consider
> NIS (just to name two). The former is more secure, but the latter is
> very easy to set up.

Judging that the current solution stores passwords in /etc/shadow, I
assume that these passwords are for ssh only, and if that's the case the
easiest and most secure way would be to enforce ssh key logins, and
distribute keys instead of passwords. Public keys could be updated
without granting access to puppet master.

If that's not the case, then LDAP is a way to go.


--
Jakov Sosic
www.srce.unizg.hr
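The key-distribution approach Jakov describes, as an added example that is not code from this thread or from the Puppet project: the user accounts and their public keys are declared in Puppet data, so no password hash and no login on the master are needed. The `managed_user` define and the sample `$users` hash are constructed for this example; in a real setup the hash would come from `hiera_hash('users')`.

```puppet
# Added example: manage accounts and ssh public keys with Puppet 3 instead
# of password hashes. Nothing here runs a command on the master.
define managed_user ($uid, $sshkey, $keytype = 'ssh-rsa') {
  user { $name:
    ensure     => present,
    uid        => $uid,
    managehome => true,
    shell      => '/bin/bash',
  }
  # One authorized key per user; the key body comes from data, not from
  # /etc/shadow, so the master needs no elevated privileges.
  ssh_authorized_key { "${name}@managed":
    ensure  => present,
    user    => $name,
    type    => $keytype,
    key     => $sshkey,
    require => User[$name],
  }
}

# Constructed sample data (hypothetical users and a placeholder key body);
# in practice: $users = hiera_hash('users')
$users = {
  'alice' => { 'uid' => '1001', 'sshkey' => 'AAAAB3...PLACEHOLDER-KEY-ALICE' },
  'bob'   => { 'uid' => '1002', 'sshkey' => 'AAAAB3...PLACEHOLDER-KEY-BOB' },
}
create_resources('managed_user', $users)

# Once keys are in place, turn off password logins so the /etc/shadow
# entry is no longer the credential for ssh.
augeas { 'sshd_keys_only':
  context => '/files/etc/ssh/sshd_config',
  changes => [
    'set PubkeyAuthentication yes',
    'set PasswordAuthentication no',
  ],
  notify  => Service['sshd'],
}
service { 'sshd':
  ensure => running,
  enable => true,
}
```

A user who rotates a key only updates the data entry; every node converges on the next run, and the master never needs read access to any node's shadow file.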

Peter Brown

Dec 13, 2012, 1:47:24 AM
to puppet-users
I was managing my users with puppet but I decided it wasn't the best way to do it. I recently set up a FreeIPA server to use for authentication and authorization.
It can also be used to auth ssh logins with keys.
I need to write some modules to manage setting it up on a node with puppet, but it's looking like the best option for what I need.
It seems to have similar functionality to Active Directory and can even sync with it.

