Hi guys,

Just started to look at Puppet.

Is there a way I can have a user log into a Puppet Server box, and change their own password? Wondered if there was a script out there already that monitored for changes to the /etc/passwd and /etc/shadow entry for the user and extracted the string to populate it to all Puppet clients.

We plan to implement LDAP but that's a little way off, I just need an easy way in the meantime to keep my clients up to date with local accounts.

Thanks

Mark

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/XIGHmKIxXT4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Thu, Jun 21, 2012 at 02:29:50AM -0700, Marshie8 wrote:
> Hi guys,
>
> Just started to look at Puppet.
>
> Is there a way I can have a user log into a Puppet Server box, and change
> their own password? Wondered if there was a script out there already that
> monitored for changes to the /etc/passwd and /etc/shadow entry for the user
> and extract the string to populate it to all Puppet clients.
>
> We plan to implement LDAP but that's a little way off, I just need an easy
> way in the meantime to keep my clients up to date with local accounts.
>
> Thanks
>
> Mark

This could be done by having a custom fact that exports the value of the hash back to the master, but this would be best only running on one single box, which would be the 'password changing box'. IMO, passing hashes around like this would not be a great idea from a security perspective, nor particularly scalable.

Something along the lines of https://github.com/crayfishx/hiera-gpg and a script to make use of GPG's multi-key encryption may be better - where the YAML file for a user definition that contains the hash is encrypted with both hiera's key and the user's GPG key, thus allowing users to set their password, and hiera to decrypt the hash, but you may find that your time is better spent getting LDAP up and running.

Dependent on how your infrastructure is set up, and where/how you're actually using passwords, it may be better to make use of SSH keys (which Puppet can manage) and set local user accounts on servers to random, unknown passwords that are never actually used. See http://docs.puppetlabs.com/references/2.7.0/type.html#user for more info on the user type.

Cheers,

-- 
Richard Clark
richard@fohnet.co.uk
On Thursday, June 21, 2012 4:29:50 AM UTC-5, Marshie8 wrote:
> Hi guys,
>
> Just started to look at Puppet.
>
> Is there a way I can have a user log into a Puppet Server box, and change
> their own password? Wondered if there was a script out there already that
> monitored for changes to the /etc/passwd and /etc/shadow entry for the user
> and extract the string to populate it to all Puppet clients.

If the machines of interest are all similar, and if users are going to be able to log in to the machine running the puppetmaster process, then it shouldn't be too hard to persuade Puppet to synchronize the master's account database (e.g. files /etc/passwd and /etc/shadow) with clients. Note, however, that doing so may require giving the puppetmaster process read access to files that ordinarily would be inaccessible to it, such as /etc/shadow. Also, I wouldn't consider it a good idea to allow user logins on the puppetmaster machine, much less to build a solution based on *all* users being able to log in to it.

As an alternative, and supposing you don't have to worry about Windows clients, you could consider deploying NIS. It's pretty easy to set up, and I don't know any Unix without at least some support, including OS X. NIS has server-side support for processing password changes, too, and at least Solaris and some Linux distros (such as RedHat / Fedora) have the client-side pieces needed for that as well.

John

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/0qsh1-CJXpUJ.
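The original question and John's reply both describe the same extraction step: watch /etc/passwd and /etc/shadow on the one box where people change passwords, pick out the entry that changed, and hand it to Puppet as a `user` resource. Below is an added example of that step in Python; it is not code from any of the posts, nor from Puppet itself. The passwd/shadow snapshots are constructed and the hashes in them are made up, the function and constant names are mine, and the allowlist of hash formats it will propagate (no empty, DES or MD5-crypt fields) is my own policy choice, added because a sync script like this would otherwise copy a weak hash to every client without anyone noticing. The emitted syntax is the `user` type from the reference Richard linked.

```python
"""Extract local account entries from passwd/shadow content, refuse password
fields that should never be copied fleet-wide, and render the rest as Puppet
`user` resources.  Added example for this thread, not code from the posts or
from Puppet.  All data below is constructed; no hash verifies a real password.
"""

PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
mark:x:1001:1001:Mark:/home/mark:/bin/bash
legacy:x:1002:1002:Old account:/home/legacy:/bin/sh
svc:x:1003:1003:Service:/var/lib/svc:/usr/sbin/nologin
"""

# Two constructed shadow snapshots; between them only mark changed his password.
SHADOW_BEFORE = """root:!:15000:0:99999:7:::
mark:$6$ab12cd34$wgTo8zP2ob3vLq1y5tRhE0kSdJm7xZn9Qc4Wr6Af8Bu2Ye5Ti0Go3Hv1Kj7Np9Lx2Mz4Dq6Fs8Ct0Vb5Xa1Yb2:15000:0:99999:7:::
legacy:$1$Zn9Qc4Wr$Af8Bu2Ye5Ti0Go3Hv1Kj7Q:15000:0:99999:7:::
svc:*:15000:0:99999:7:::
"""

SHADOW_AFTER = """root:!:15000:0:99999:7:::
mark:$6$ef56gh78$Np9Lx2Mz4Dq6Fs8Ct0Vb5Xa1Yb2wgTo8zP2ob3vLq1y5tRhE0kSdJm7xZn9Qc4Wr6Af8Bu2Ye5Ti0Go3Hv1Kj7:15521:0:99999:7:::
legacy:$1$Zn9Qc4Wr$Af8Bu2Ye5Ti0Go3Hv1Kj7Q:15000:0:99999:7:::
svc:*:15000:0:99999:7:::
"""

# Allowlist (my choice, not Puppet's): anything else (empty field, DES, MD5-crypt,
# unrecognised format) is refused so a weak hash is never pushed to every client.
ACCEPTED = {"sha256", "sha512", "bcrypt", "yescrypt", "scrypt", "locked"}

CRYPT_PREFIXES = {
    "$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt",
}

def parse_passwd(text):
    """Map user name -> the passwd fields needed for a Puppet user resource."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": uid, "gid": gid, "comment": gecos,
                       "home": home, "shell": shell}
    return users

def parse_shadow(text):
    """Map user name -> raw password field (a crypt(3) string or a lock marker)."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line and not line.startswith("#")}

def hash_algorithm(field):
    """Classify a shadow password field by its crypt(3) prefix."""
    if field == "":
        return "empty"           # no password required at all: never propagate
    if field[0] in "!*":
        return "locked"          # '!', '*', '!!' or '!<hash>' all mean locked
    for prefix, algo in CRYPT_PREFIXES.items():
        if field.startswith(prefix):
            return algo
    if "$" not in field and len(field) == 13:
        return "des"             # traditional 13-character DES crypt
    return "unknown"

def changed_accounts(before, after):
    """Names whose password field differs between two shadow snapshots."""
    return sorted(name for name in after if before.get(name) != after[name])

def _quote(value):
    """Single-quote a value for Puppet; '$' is literal inside single quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_user_resource(name, passwd, shadow):
    """Render one Puppet `user` resource, or raise ValueError for a refused hash."""
    field = shadow[name]
    algo = hash_algorithm(field)
    if algo not in ACCEPTED:
        raise ValueError(f"{name}: refusing to propagate password field of type {algo}")
    p = passwd[name]
    attrs = [("ensure", "present"), ("uid", p["uid"]), ("gid", p["gid"]),
             ("comment", p["comment"]), ("home", p["home"]),
             ("shell", p["shell"]), ("password", field)]
    body = "".join(f"  {k:<8} => {_quote(v)},\n" for k, v in attrs)
    return f"user {{ {_quote(name)}:\n{body}}}\n"

def build_manifest(names, passwd, shadow):
    """Render resources for `names`; return (manifest text, {name: refusal reason})."""
    parts, refused = [], {}
    for name in names:
        try:
            parts.append(render_user_resource(name, passwd, shadow))
        except ValueError:
            refused[name] = hash_algorithm(shadow[name])
    return "".join(parts), refused
```

Typical use is `changed_accounts(parse_shadow(old), parse_shadow(new))` on two successive reads of /etc/shadow, then `build_manifest(changed, parse_passwd(passwd_text), parse_shadow(new))`; the refused dictionary is what you alert on rather than silently skip. Two practical points the thread already raised still apply: whatever runs this needs read access to /etc/shadow on the password-changing box, and the generated resources put the hashes into catalogs that reach every client, which is exactly the hash-passing Richard warns about.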