Hi,

I have a small problem. I am creating users with ssh keys and this is working fine; the only problem I have is that because I don't set a password and only use ssh keys to log in, the account created is locked. Is there any way around this?

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Thu, Mar 03, 2011 at 09:09:59AM -0800, toneee wrote:
> I have a small problem, I am creating users with ssh keys and this is
> working fine, the only problem I have is because i dont set a password
> and only use sshkeys to login the account created is locked. Is there
> any way around this?

What OS/distribution is this on? That combination should work fine.

--
Ben Hughes || http://www.puppetlabs.com/
toneeedavis@googlemail.com
2011-Mar-04 09:35 UTC
Re: [Puppet Users] Creating user accounts
On Fri, Mar 4, 2011 at 12:11 AM, Ben Hughes <ben@puppetlabs.com> wrote:
> On Thu, Mar 03, 2011 at 09:09:59AM -0800, toneee wrote:
>
> > I have a small problem, I am creating users with ssh keys and this is
> > working fine, the only problem I have is because i dont set a password
> > and only use sshkeys to login the account created is locked. Is there
> > any way around this?
>
> What OS/distribution is this on. That combination should work fine.

Hi,

I'm running on CentOS 5.5, with the latest puppet from the EPEL repos. If I manually unlock the account I can log in fine with ssh keys, so I was wondering if it's to do with creating a user without a password?
On Mar 4, 3:35 am, toneeeda...@googlemail.com wrote:
> Hi Im running on centos 5.5, with the latest puppet from the epel repos. if
> i manually unlock the account i can login fine with ssh keys, so i was
> wondering if its to do with creating a user without a password?

No doubt it is. I wouldn't fault any distribution for locking accounts w/o passwords by default. I'm curious: how do you prevent users from logging in using the standard mechanism? Or once they are logged in, how do you prevent them from using su to assume other password-less users' identities?

I don't currently use the mechanism, but I didn't think sshkey logins required the target user to be password-less. Am I mistaken? Otherwise, wouldn't it be better to generate random passwords for your users? If they are intended to log in only via the ssh key mechanism, then you would not need to communicate those passwords. Alternatively, creating all accounts with some standard password or password pattern is no less secure than creating them without any password at all.

John
On Fri, Mar 04, 2011 at 09:35:36AM +0000, toneeedavis@googlemail.com wrote:
> Hi Im running on centos 5.5, with the latest puppet from the epel repos. if
> i manually unlock the account i can login fine with ssh keys, so i was
> wondering if its to do with creating a user without a password?

Odd. I'm trying it here with the following:

    [root@centos:~]# cat /etc/redhat-release
    CentOS release 5.5 (Final)

    [root@centos:~]# cat user.pp
    user{ "daisy":
      ensure     => present,
      shell      => "/bin/bash",
      home       => "/home/daisy",
      managehome => true,
    }

    ssh_authorized_key{ "daisyskey":
      ensure => present,
      type   => "ssh-dss",
      key    => "AAAbiglongkey",
      user   => "daisy",
    }

    [root@centos:~]# puppet apply user.pp
    notice: /Stage[main]//User[daisy]/ensure: created
    notice: /Stage[main]//Ssh_authorized_key[daisyskey]/ensure: created
    notice: Finished catalog run in 0.38 seconds

    [root@centos:~]# grep daisy /etc/shadow
    daisy:!!:15023:0:99999:7:::

So that user is locked, and they now have a key. Then, from my laptop:

    [ben@Paresthesia:~]% ssh -i /Users/ben/.ssh/biglongkey daisy@centos.local hostname \; id
    centos.localdomain
    uid=502(daisy) gid=502(daisy) groups=502(daisy) context=user_u:system_r:unconfined_t

I've not [knowingly anyway] changed the PAM config on my centos machine and it seems to work just dandily.

--
Ben Hughes || http://www.puppetlabs.com/
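Added example, not part of any poster's message: a small shell audit that classifies the password field of shadow(5) lines, separating the `!!` state seen in the `grep daisy /etc/shadow` output above (no usable password) from an empty field (no password required) and from a stored hash. The function names and every sample line except daisy's are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of shadow(5) lines.

# classify_field FIELD -> empty | locked | locked-hash | hash | other
classify_field() {
    case "$1" in
        '')             echo "empty" ;;        # empty field: no password is required
        '!$'*|'!!$'*)   echo "locked-hash" ;;  # hash present but disabled (usermod -L / passwd -l)
        '!'*|'*'*)      echo "locked" ;;       # no usable password, e.g. "!!" after useradd
        '$'*)           echo "hash" ;;         # crypt(3) hash in $id$salt$hash form
        *)              echo "other" ;;        # anything else, e.g. a legacy DES hash
    esac
}

# audit_shadow: read shadow-format lines on stdin, print "user state" per line
audit_shadow() {
    while IFS=: read -r user field rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_field "$field")"
    done
}

# Constructed sample: the daisy line is the one from the thread; the other
# accounts and their placeholder hashes are made up for illustration.
sample_shadow() {
    cat <<'EOF'
daisy:!!:15023:0:99999:7:::
alice:$6$constructedsalt$constructedhash:15023:0:99999:7:::
bob:!$6$constructedsalt$constructedhash:15023:0:99999:7:::
carol::15023:0:99999:7:::
EOF
}

# On a real host, run as root: audit_shadow < /etc/shadow
sample_shadow | audit_shadow
```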