wernerbahlke
2012-Feb-08 19:30 UTC
[Puppet Users] Creating user with random password (only once)
Hi,

I want to create a user with a random password. Is there a way to only execute the manifest once when the user does not exist but not once the user is created?

I know how to create a random password and can use generate to execute this function (or make it a custom fact provided I get this fact executed).

So far I call an add_user method defined in a users module out of my base class. Here is the code:

    include users

    users::add_user { 'testuser':
      name     => 'testuser',
      uid      => '777',
      password => generate('/usr/local/bin/new_hash'),
      shell    => '/bin/csh',
      groups   => 'testuser',
    }

But alas this will get executed every time the client runs since the password will have changed due to the new generate call.

One work-around I could think of is to create the user on the client (FreeBSD) using an exec calling the makepassword and pw command.

Then I could check for existence of the user in the masterpasswd file with an unless check.

But I much prefer to do this with Puppet natively.

Any suggestions will be greatly appreciated.

Werner

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2012-Feb-08 19:58 UTC
Re: [Puppet Users] Creating user with random password (only once)
On Wed, Feb 8, 2012 at 11:30 AM, wernerbahlke <werner.bahlke@gmail.com> wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?

For situations like this I use the puppet generate() function to create the random password and store it in a persistent data store on the master, e.g. an SQLITE database or something. This way, the password is generated randomly if it does not exist and the same password is used if it does already exist.

It's important to have the resource always be managed; that way, if the password is changed on the managed node, Puppet will realize this, change it to the value you're managing, and report that it did so.

-Jeff
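Added example (not part of the thread, and not any poster's code): one way to build the "generate once, store on the master, reuse afterwards" helper described in the message above, using a directory of per-user files instead of SQLite. The script name, the store path, the `PW_STORE_DIR` variable and the choice to keep only the hash and discard the plaintext are assumptions of this example; a manifest would call it as `generate('/usr/local/bin/stable_hash', 'testuser')`.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the thread: helper for Puppet's generate().
require 'securerandom'
require 'fileutils'

# Assumed store location on the master (hypothetical path), one file per user.
STORE_DIR = ENV.fetch('PW_STORE_DIR', '/var/lib/puppet/pw_store')

# Return the password hash for +user+, generating it on first use only.
def stable_hash(user, store_dir = STORE_DIR)
  # The name becomes a file name: reject anything that could leave store_dir.
  unless user.is_a?(String) && user.match?(/\A[a-z_][a-z0-9_-]{0,31}\z/)
    raise ArgumentError, "bad user name: #{user.inspect}"
  end

  FileUtils.mkdir_p(store_dir, mode: 0o700)
  path = File.join(store_dir, user)
  return File.read(path) if File.exist?(path)   # later runs: reuse, no change

  # First run: random plaintext from the OS CSPRNG, kept only as a hash.
  plaintext = SecureRandom.base64(24)
  salt      = SecureRandom.alphanumeric(16)
  hash      = plaintext.crypt("$6$#{salt}")      # SHA-512 crypt, needs libc support

  # Write privately, then link into place. link() is atomic and fails if the
  # target exists, so two concurrent compiles cannot store different hashes.
  tmp = "#{path}.#{Process.pid}.tmp"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(hash) }
  begin
    File.link(tmp, path)
  rescue Errno::EEXIST
    # Another compile won the race; its value is the one we return.
  ensure
    File.delete(tmp)
  end
  File.read(path)
end

# CLI use: generate('/usr/local/bin/stable_hash', 'testuser')
print stable_hash(ARGV[0]) if __FILE__ == $PROGRAM_NAME && ARGV[0]
```

Because the value returned is identical on every compile, the user resource stays managed and only reports a change when the password on the node has drifted from the stored hash.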
Nan Liu
2012-Feb-08 20:00 UTC
Re: [Puppet Users] Creating user with random password (only once)
On Wed, Feb 8, 2012 at 11:30 AM, wernerbahlke <werner.bahlke@gmail.com> wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?
>
> I know how to create a random password and can use generate to execute
> this function (or make it a custom fact provided I get this fact
> executed).
>
> So far I call an add_user method define in a users module out of my
> base class. Here is the code:
>
> include users
>
> users::add_user { 'testuser':
>   name     => 'testuser',
>   uid      => '777',
>   password => generate('/usr/local/bin/new_hash'),
>   shell    => '/bin/csh',
>   groups   => 'testuser',
> }
>
> But alas this will get executed every time the client runs since the
> password will have changed due to the new generate call.
>
> One work-around I could think of is to create the user on the client
> (FreeBSD) using an exec calling the makepassword and pw command.
>
> Then I could check for existence of the user in the masterpasswd file
> with an unless check.
>
> But I much prefer do this with Puppet natively.
>
> Any suggestions will be greatly appreciated.

I was testing Steve Shipway's secret server module, there's a fact that returns all the user password age to determine whether or not to update the user password in secret server. You can see if something similar would be useful:

https://github.com/nanliu/puppet-ss/blob/tb/hiera/lib/facter/ss_passwd_age.rb

Thanks,

Nan
Dan White
2012-Feb-08 20:00 UTC
Re: [Puppet Users] Creating user with random password (only once)
In one user management setup, I use htpasswd to create a random password just to secure the account.

Like this:

    htpasswd -nmb whoever `mkpasswd` | cut -d: -f2 | passwd --stdin <username>

Then, with over-the-shoulder admin access, the user can set their own password.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

----- wernerbahlke <werner.bahlke@gmail.com> wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?
>
> I know how to create a random password and can use generate to execute
> this function (or make it a custom fact provided I get this fact
> executed).
>
> So far I call an add_user method define in a users module out of my
> base class. Here is the code:
>
> include users
>
> users::add_user { 'testuser':
>   name     => 'testuser',
>   uid      => '777',
>   password => generate('/usr/local/bin/new_hash'),
>   shell    => '/bin/csh',
>   groups   => 'testuser',
> }
>
> But alas this will get executed every time the client runs since the
> password will have changed due to the new generate call.
>
> One work-around I could think of is to create the user on the client
> (FreeBSD) using an exec calling the makepassword and pw command.
>
> Then I could check for existence of the user in the masterpasswd file
> with an unless check.
>
> But I much prefer do this with Puppet natively.
>
> Any suggestions will be greatly appreciated.
>
> Werner
mukulm
2012-Feb-09 13:43 UTC
[Puppet Users] Re: Creating user with random password (only once)
Also how can I use owner be set other than root as,

    owner  => ?   ( want to set user as $USER )
    group  => ?   ( want to set group as GROUP )
    ensure => present,

Thanks
Mukulm

On Feb 9, 12:30 am, wernerbahlke <werner.bah...@gmail.com> wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?
>
> I know how to create a random password and can use generate to execute
> this function (or make it a custom fact provided I get this fact
> executed).
>
> So far I call an add_user method define in a users module out of my
> base class. Here is the code:
>
> include users
>
> users::add_user { 'testuser':
>   name     => 'testuser',
>   uid      => '777',
>   password => generate('/usr/local/bin/new_hash'),
>   shell    => '/bin/csh',
>   groups   => 'testuser',
> }
>
> But alas this will get executed every time the client runs since the
> password will have changed due to the new generate call.
>
> One work-around I could think of is to create the user on the client
> (FreeBSD) using an exec calling the makepassword and pw command.
>
> Then I could check for existence of the user in the masterpasswd file
> with an unless check.
>
> But I much prefer do this with Puppet natively.
>
> Any suggestions will be greatly appreciated.
>
> Werner
siva kumar
2012-Oct-30 12:28 UTC
[Puppet Users] Re: Creating user with random password (only once)
Dear Werner,

Good Morning!

I am also working with User Module in puppet (New to the puppet) ... But I am not getting how/where to implement random password generation.

Below is my Module:

/etc/puppetlabs/puppet/modules/user/manifests/user.pp :

    #cat user.pp
    define add_user ( $name, $uid, $groups, $shell, $password, $sshkeytype, $sshkey, $password_max_age, $password_min_age ) {

      $username = $title

      user { $username:
        comment          => "$name",
        home             => "/home/$username",
        shell            => "/bin/bash",
        uid              => $uid,
        password_max_age => "$password_max_age",
        password_min_age => "$password_min_age"
      }

      group { $username:
        gid     => $uid,
        require => User[$username]   # resource references are capitalized
      }

      file { "/home/$username/":
        ensure  => directory,
        owner   => $username,
        group   => $username,
        mode    => '0750',
        require => [ User[$username], Group[$username] ]
      }

      file { "/home/$username/.ssh":
        ensure  => directory,
        owner   => $username,
        group   => $username,
        mode    => '0700',
        require => File["/home/$username/"]
      }

      file { "/home/$username/.ssh/authorized_keys":
        ensure  => present,
        owner   => $username,
        group   => $username,
        mode    => '0600',
        require => File["/home/$username/"]
      }

      ssh_authorized_key { $username:
        user   => "$username",
        ensure => present,
        type   => "$sshkeytype",
        key    => "$sshkey",
        name   => "$username"
      }
    }

++++++++++++++++++++++++++++++++++++++++++++++++++++

/etc/puppetlabs/puppet/manifests/nodes.pp

    node 'alvtutl032.wm.com' {

      user { 'installer': ensure => "absent" }

      add_user { 'apple1':
        name             => "WM_admin_user",
        uid              => "3334",
        password_min_age => '2',
        password_max_age => '80000',
        password         => '$1$7NwLmsAf$25L8RI8v5gbirkPKLSulE/',
        shell            => "/bin/bash",
        groups           => ['apple1'],
        # parameter name must match the define's $sshkeytype
        sshkeytype       => "ssh-dss",
        sshkey           => "AAAAB3NzaC1kc3MAAACBAJzMVL4afDQBJ3rcM9LlHqxg0rmkWDwoWehS4nIpBLJL9qGoyR1YBzPvpD1VufsUqgUXH9dYdfaiVum4IaTgyu2Tb0ezR4Nx2Jkcnp+8jFh/Cys3zgMvzJaIw/Au45E9h4vBdwvouj1Sg0YaY5mGuKZ2w121uPLawjc3DJsNSc+jAAAAFQCb7+Vtir8w+o/CIDiSPXr6MVj16QAAAIBFHMnBixvQaxekLK70eR9TgYUAXsh0MHT8VT+XMUWlOC8u8yVEOTDzrU1ZL2vNWo4NZL6ex9ffx0JRS5hSCU/o8aVcoC4viCC7SGmntNb0nQo+iKUyTQbGcmMoPG9lO498prML66GbOYWzTedc4XT683kyWV4k0iVixyvLsfLnAAAAIB4PmZfjdTtYwC7cE/upvfC/HWpKHHAn66YW6PRTCwZPqCd2AvHAMX/l7nbk1u+BL0YtymawzNT97FcYuvM1UWrJ+fT8isTyHsoUkf76irVxcTBH0SReChHbYeWa2bATEvaj0u2597H4O7qYHJ6IZpTTAeWP0EeKDABfonAr+ZJw==",
      }

      exec { "first_login_password_ch":
        command => "/usr/bin/chage -d 0 apple1",
        path    => "/usr/bin"   # path is a directory list, not the binary
      }
    }

+++++++++++++++++++++++++++++

random password script:

    #!/bin/bash
    # random password generator by typedeaF

    # Sets the maximum size of the password the script will generate
    MAXSIZE=15

    # I put escape chars on all the non alpha-numeric characters just for precaution
    array1=(
    q w e r t y u i o p a s d f g h j k l z x c v b n m
    Q W E R T Y U I O P A S D F G H J K L Z X C V B N M
    1 2 3 4 5 6 7 8 9 0
    \! \@ \# \$ \% \^ \& \* \( \)
    )

    # Used in conjunction with modulus to keep random numbers in range of the array size
    MODNUM=${#array1[*]}

    # Keeps track of the number characters in the password we have generated
    pwd_len=0

    # Emit one character per pass so the output is exactly MAXSIZE long
    while [ $pwd_len -lt $MAXSIZE ]
    do
      index=$(($RANDOM%$MODNUM))
      echo -n "${array1[$index]}"
      ((pwd_len++))
    done
    exit 0

I don't know how to integrate with puppet module .......

Your help is much appreciated....

Thanks & Regards,
Siva Kumar S.

On Wednesday, February 8, 2012 1:30:09 PM UTC-6, wernerbahlke wrote:
> Hi,
>
> I want to create a user with a random password. Is there a way to only
> execute the manifest once when the user does not exist but not once
> the user is created?
>
> I know how to create a random password and can use generate to execute
> this function (or make it a custom fact provided I get this fact
> executed).
>
> So far I call an add_user method define in a users module out of my
> base class. Here is the code:
>
> include users
>
> users::add_user { 'testuser':
>   name     => 'testuser',
>   uid      => '777',
>   password => generate('/usr/local/bin/new_hash'),
>   shell    => '/bin/csh',
>   groups   => 'testuser',
> }
>
> But alas this will get executed every time the client runs since the
> password will have changed due to the new generate call.
>
> One work-around I could think of is to create the user on the client
> (FreeBSD) using an exec calling the makepassword and pw command.
>
> Then I could check for existence of the user in the masterpasswd file
> with an unless check.
>
> But I much prefer do this with Puppet natively.
>
> Any suggestions will be greatly appreciated.
>
> Werner
Dan White
2012-Oct-30 13:39 UTC
Re: [Puppet Users] Creating user with random password (only once)
The package "expect" contains a script/binary called "mkpasswd" that I find very appropriate for making passwords.

Here's its man-page: http://linux.die.net/man/1/mkpasswd
Krzysztof Wilczynski
2012-Oct-30 20:40 UTC
Re: [Puppet Users] Creating user with random password (only once)
Hey,

There is also this:

https://github.com/kwilczynski/puppet-functions/blob/master/lib/puppet/parser/functions/random_password.rb

KW

On Tuesday, October 30, 2012 1:39:35 PM UTC, Ygor wrote:
>
> The package "expect" contains a script/binary called "mkpasswd" that I
> find very appropriate for making passwords.
>
> Here's its man-page: http://linux.die.net/man/1/mkpasswd