Puppet users - Nov 2013 - set password to never expire for a user

Hi,

What is the Puppet directive to ensure a password never expires?

Stuart

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/2b72a6fe-fe9b-44fc-9067-f5daef80546e%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Mon, Nov 25, 2013 at 11:25 AM, Stuart Cracraft <smcracraft@gmail.com>
wrote:
> What is the Puppet directive to ensure a password never expires?

Hi Stuart,

A password property like that is usually operating system specific,
and as such, you''re looking for documentation about whether your
operating system''s password provider supports it:

http://docs.puppetlabs.com/references/latest/type.html#user

Cheers

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAEUKkZ9JyF59ngmRSdBm1g5zzP5q8nTtE%2B94QzzozyrA0y7faw%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

I used:

  user { "someuser":
      :
      password_max_age => ''200000'',
      :
  }

puppet describe user 

shows password_max_age can be set to a big number which represents days to 
expiration
for the given user.

Unfortunately, it doesn''t also say something like "infinite"
for forever...

Stuart

On Monday, November 25, 2013 9:25:47 AM UTC-8, Stuart Cracraft wrote:
> Hi,
>
> What is the Puppet directive to ensure a password never expires?
>
> Stuart
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/6e9dc609-5891-4aa2-8d22-57ec70f68485%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On 25 November 2013 21:58, Stuart Cracraft <smcracraft@gmail.com> wrote:
>
> puppet describe user
>
> shows password_max_age can be set to a big number which represents days to
> expiration
> for the given user.
>
> Unfortunately, it doesn''t also say something like
"infinite" for forever...
>
chage(1) says:

  "Passing the number -1 as the EXPIRE_DATE will remove an account
expiration"

So, you could try passing ''-1'' to password_max_age and see if
that works.

Kind Regards,

Matt.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAKUTv3%2BEjQ9PMt2Fk-R88rn-e9zbA0RMq%3DC3Xue5hUSOPv8thA%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Notes with ++ inlined.

On Monday, November 25, 2013 2:58:41 PM UTC-8, Matthew Burgess
wrote:
>
> On 25 November 2013 21:58, Stuart Cracraft
<smcra...@gmail.com<javascript:>
> > wrote:
>
>>
>> puppet describe user 
>>
>> shows password_max_age can be set to a big number which represents days
>> to expiration
>> for the given user.
>>
>> Unfortunately, it doesn''t also say something like
"infinite" for
>> forever...
>>
>
> chage(1) says:
>
>   "Passing the number -1 as the EXPIRE_DATE will remove an account 
> expiration"
>
> So, you could try passing ''-1'' to password_max_age and
see if that works.
>
>
++ I doubt that either of us has the time to test infinity.
 
> Kind Regards,
>
> Matt.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/558d522a-f815-4345-9c84-3a43a7471a6c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On 25 November 2013 23:00, Stuart Cracraft <smcracraft@gmail.com> wrote:
> Notes with ++ inlined.
>
> On Monday, November 25, 2013 2:58:41 PM UTC-8, Matthew Burgess wrote:
>
>> On 25 November 2013 21:58, Stuart Cracraft <smcra...@gmail.com>
wrote:
>>
>>>
>>> puppet describe user
>>>
>>> shows password_max_age can be set to a big number which represents
days
>>> to expiration
>>> for the given user.
>>>
>>> Unfortunately, it doesn''t also say something like
"infinite" for
>>> forever...
>>>
>>
>> chage(1) says:
>>
>>   "Passing the number -1 as the EXPIRE_DATE will remove an account
>> expiration"
>>
>> So, you could try passing ''-1'' to password_max_age
and see if that works.
>>
>>
> ++ I doubt that either of us has the time to test infinity.
>
LOL - yeah, ''chage -l'' might be a bit quicker :)

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAKUTv3Kb%3DJuNt8D%3DBaxM7XP_oy%3DWwnb%2BRxma7i35mWzTt9x8KQ%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

I have direction to use puppet 
rather than the OS and exec...
> On Nov 25, 2013, at 3:03 PM, Matthew Burgess
<matthew.2.burgess@gmail.com> wrote:
> 
>> On 25 November 2013 23:00, Stuart Cracraft <smcracraft@gmail.com>
wrote:
>> Notes with ++ inlined.
>> 
>>> On Monday, November 25, 2013 2:58:41 PM UTC-8, Matthew Burgess
wrote:
>>>> On 25 November 2013 21:58, Stuart Cracraft
<smcra...@gmail.com> wrote:
>>>> 
>>>> puppet describe user
>>>> 
>>>> shows password_max_age can be set to a big number which
represents days to expiration
>>>> for the given user.
>>>> 
>>>> Unfortunately, it doesn''t also say something like
"infinite" for forever...
>>> 
>>> chage(1) says:
>>> 
>>>   "Passing the number -1 as the EXPIRE_DATE will remove an
account expiration"
>>> 
>>> So, you could try passing ''-1'' to
password_max_age and see if that works.
>> 
>> ++ I doubt that either of us has the time to test infinity.
> 
> LOL - yeah, ''chage -l'' might be a bit quicker :)
> -- 
> You received this message because you are subscribed to a topic in the
Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit
https://groups.google.com/d/topic/puppet-users/RlAPEiRypME/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
puppet-users+unsubscribe@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAKUTv3Kb%3DJuNt8D%3DBaxM7XP_oy%3DWwnb%2BRxma7i35mWzTt9x8KQ%40mail.gmail.com.
> For more options, visit https://groups.google.com/groups/opt_out.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/197692D7-8C89-4C70-8300-7D6FD51ACDAC%40me.com.
For more options, visit https://groups.google.com/groups/opt_out.

On 25 November 2013 23:11, Stuart Cracraft <smcracraft@me.com> wrote:
> I have direction to use puppet
> rather than the OS and exec...
>
Not quite sure I understand. Are you saying that you can write puppet
manifests to make all kinds of changes but you''re not allowed to run
''chage
-l <user>'' to *report* what the state of a user is?  If so, that
sounds
very odd indeed. Even if that were the case, surely you have a dev system
somewhere you could apply your manifest on, then run said command to check
it did what you expected?

Regards,

Matt.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/CAKUTv3LoTahN-OzXXbHDWGo1oBSfXN1KZ4Te5eASW%2BWmWuT_Qw%40mail.gmail.com.
For more options, visit https://groups.google.com/groups/opt_out.

Notes with ++ inlined.

On Monday, November 25, 2013 3:17:40 PM UTC-8, Matthew Burgess
wrote:
>
> On 25 November 2013 23:11, Stuart Cracraft <smcra...@me.com
<javascript:>>wrote:
>
>> I have direction to use puppet 
>> rather than the OS and exec...
>>
>
> Not quite sure I understand. Are you saying that you can write puppet 
> manifests to make all kinds of changes but you''re not allowed to
run ''chage
> -l <user>'' to *report* what the state of a user is?  If so,
that sounds
> very odd indeed. Even if that were the case, surely you have a dev system 
> somewhere you could apply your manifest on, then run said command to check 
> it did what you expected?
>
>
++ It is a simple puppet purist preference. I seek less reports and more 
automation. :-)
 
> Regards,
>
> Matt.
>  
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/cd711a99-8698-45ab-ab3c-61e9a9e7b9e4%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

On Monday, November 25, 2013 5:11:13 PM UTC-6, Stuart Cracraft
wrote:
>
> I have direction to use puppet 
> rather than the OS and exec...
>
>
Possibly you are looking for the ''expiry'' User property: 
http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-expiry

user { ''alice'':
  # ...
  expiry => ''absent''
} 

It''s a bit unclear to me, though, whether there is a distinction
between
the user''s password expiring and the user itself expiring.  Probably
what
you get with that is ''chage -E'' or an appropriate local
analog.

Alternatively, you may be looking for the ''max_password_age''
User property:
http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-password_max_age.
Inasmuch as that looks to be designed to be backed by ''chage
-M'' or a local
equivalent, this may do what you want:

user { ''bob'':
  # ...
  max_password_age => -1
}


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/e84577ab-5191-46a3-b4a3-badc68006bdc%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

password_max_age is less destructive. I chose it.

On Tuesday, November 26, 2013 6:23:19 AM UTC-8, jcbollinger wrote:
>
>
> On Monday, November 25, 2013 5:11:13 PM UTC-6, Stuart Cracraft wrote:
>>
>> I have direction to use puppet 
>> rather than the OS and exec...
>>
>>
>
> Possibly you are looking for the ''expiry'' User property: 
>
http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-expiry<http://www.google.com/url?q=http%3A%2F%2Fdocs.puppetlabs.com%2Freferences%2F3.stable%2Ftype.html%23user-attribute-expiry&sa=D&sntz=1&usg=AFQjCNF_uxc-j6fF7qGzS0S5eJnAEt3rUw>
>
> user { ''alice'':
>   # ...
>   expiry => ''absent''
> } 
>
> It''s a bit unclear to me, though, whether there is a distinction
between
> the user''s password expiring and the user itself expiring. 
Probably what
> you get with that is ''chage -E'' or an appropriate local
analog.
>
> Alternatively, you may be looking for the
''max_password_age'' User
> property: 
>
http://docs.puppetlabs.com/references/3.stable/type.html#user-attribute-password_max_age<http://www.google.com/url?q=http%3A%2F%2Fdocs.puppetlabs.com%2Freferences%2F3.stable%2Ftype.html%23user-attribute-password_max_age&sa=D&sntz=1&usg=AFQjCNEuysglo362cbk328OiqoUVUpMsJw>.
> Inasmuch as that looks to be designed to be backed by ''chage
-M'' or a local
> equivalent, this may do what you want:
>
> user { ''bob'':
>   # ...
>   max_password_age => -1
> }
>
>
> John
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/d5623077-ae18-43dd-a536-7cd0d3053436%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.