Hi,

I would find it very useful if puppet were able to replicate passwords for specified users from a master PC (the puppetmaster would do me fine, though I suspect this may not suit everyone).

That would make changing passwords on my small Linux network a little easier.

cheers
John Dubery
On Jan 1, 2007, at 11:39 AM, John Dubery wrote:

> Hi,
>
> I would find it very useful if puppet were able to replicate passwords for specified users from a master PC (the puppetmaster would do me fine, though I suspect this may not suit everyone).
>
> That would make changing passwords on my small Linux network a little easier.

If that's not already an enhancement request, then please open it as one, but it's actually surprisingly complicated for many cases because many platforms do not provide the ability to set the password using any commands -- instead you have to edit /etc/passwd directly.

It's not something I'm likely to implement in the near future, although as always patches are always welcomed (and, of course, I'm always looking for custom development work).

--
Today I dialed a wrong number... The other person said, "Hello?" and I said, "Hello, could I speak to Joey?"... They said, "Uh... I don't think so... he's only 2 months old." I said, "I'll wait." -- Steven Wright
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On 2 Jan 2007, at 06:28, Luke Kanies wrote:

> If that's not already an enhancement request, then please open it as one, but it's actually surprisingly complicated for many cases because many platforms do not provide the ability to set the password using any commands -- instead you have to edit /etc/passwd directly.

It might be somewhat easier to implement, and more secure, if the puppetmaster held and distributed the password hashes, not the passwords. Not all platforms support all hashes, but most do MD5 these days AFAIK (and case $operatingsystem could be used to handle those that don't). This approach might mean puppet ends up editing the shadow file directly — which is potentially dangerous.

Gary

PS Puppet makes an LDAP roll out much easier, which is a much better solution for user passwords.

--
gary.law@gmail.com
_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users
On Jan 3, 2007, at 5:50 AM, Gary Law wrote:

> It might be somewhat easier to implement, and more secure, if the puppetmaster held and distributed the password hashes, not the passwords. Not all platforms support all hashes, but most do MD5 these days AFAIK (and case $operatingsystem could be used to handle those that don't). This approach might mean puppet ends up editing the shadow file directly — which is potentially dangerous.

Yeah, I don't think I would ever want to implement the ability to directly manage passwords; managing hashes is the only reasonable choice, I think.

My concern is more about how to get the hashes into the right place. Linux seems to support setting the hashes using usermod, but I don't think many of the commercial Unixes do, and I've no idea about the BSDs.

> Gary
>
> PS Puppet makes an LDAP roll out much easier, which is a much better solution for user passwords.

Exactly. LDAP is the solution, and hacking around it with Puppet isn't a very good idea. Puppet's great for system users, which need to be local, but for normal users... You should really be using central user management.

--
If computers get too powerful, we can organize them into a committee -- that will do them in. -- Bradley's Bromide
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
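An added example, not code from this thread or from Puppet, illustrating the mechanism Gary and Luke are discussing: a small hash-only "provider" that installs a pre-computed crypt(3) hash into a shadow-style file. It refuses anything that is not a hash (so a cleartext password can never be written by accident), is idempotent so a repeated run changes nothing, classifies each existing hash so MD5 and DES entries can be flagged before a central host distributes them, and replaces the file atomically. The 9-field shadow layout, the `$id$` crypt prefixes, the sample entries and the placeholder hash bodies are all assumed or constructed here. On a real Linux host, `usermod -p` or `chpasswd -e` is still preferable to writing /etc/shadow yourself; the direct write is shown to make the danger Gary mentions concrete.

```python
"""Hash-only shadow 'provider' (added example, not Puppet code).

Assumed: the 9-field /etc/shadow layout and glibc's $id$ crypt(3)
prefixes. Hashes are supplied by the caller (e.g. from `openssl
passwd -6`); nothing here ever sees a cleartext password."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Modular crypt format: $id$ followed by one or more $-separated segments
# (params such as rounds=N, the salt, the hash). Only ids we recognise.
CRYPT_RE = re.compile(r"^\$(1|5|6|y)(\$[./0-9A-Za-z=]+)+$")
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")      # legacy 13-char DES crypt
ID_NAMES = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
WEAK = {"md5", "des", "unknown"}

# Constructed sample; the hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = (
    "root:$6$rounds=5000$Kz1G9n.Q$FAKEhashFAKEhashFAKEhashFAKEhash:13500:0:99999:7:::\n"
    "john:$1$ab12cd34$FAKEmd5hashFAKEmd5hash:13400:0:99999:7:::\n"
    "sshd:*:13400:0:99999:7:::\n"
    "guest::13400:0:99999:7:::\n"
)
NEW_HASH = "$6$n3wS4lt..$FAKEnewhashFAKEnewhashFAKEnewhash"


def classify_hash(field: str) -> str:
    """Name the algorithm behind a shadow password field."""
    if field == "":
        return "empty"                      # no password at all
    if field.startswith(("!", "*")):
        return "locked"
    m = CRYPT_RE.match(field)
    if m:
        return ID_NAMES[m.group(1)]
    if DES_RE.match(field):
        return "des"
    return "unknown"


def parse_shadow(text: str) -> List[List[str]]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        entries.append(fields)
    return entries


def format_shadow(entries: List[List[str]]) -> str:
    return "".join(":".join(e) + "\n" for e in entries)


def audit(text: str) -> Dict[str, str]:
    """Per-user algorithm verdict, so weak hashes are caught before a
    central host distributes them (compare against WEAK)."""
    return {e[0]: classify_hash(e[1]) for e in parse_shadow(text)}


def set_password_hash(text: str, user: str, new_hash: str,
                      today_days: int) -> Tuple[str, bool]:
    """Return (new_text, changed). Only a recognised crypt(3) hash is
    accepted, so a cleartext value can never be written by mistake."""
    if not CRYPT_RE.match(new_hash):
        raise ValueError("refusing to install a value that is not a crypt(3) hash")
    entries = parse_shadow(text)
    for e in entries:
        if e[0] == user:
            if e[1] == new_hash:
                return text, False          # idempotent: already in place
            e[1] = new_hash
            e[2] = str(today_days)          # lastchg, as passwd(1) updates it
            return format_shadow(entries), True
    raise KeyError(f"user {user!r} not found")


def write_shadow(path: str, text: str) -> None:
    """Replace the file atomically (temp file + rename in the same directory),
    keeping its mode. Ownership is not restored here; run as root and chown."""
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, st.st_mode & 0o7777)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_SHADOW).items():
        print(f"{user:8} {verdict}{'  <- weak' if verdict in WEAK else ''}")
    updated, changed = set_password_hash(SAMPLE_SHADOW, "john", NEW_HASH, 13516)
    print("changed:", changed)
    print(updated, end="")
```

Run as a script it audits the constructed sample (john's MD5 entry is flagged), then shows john's line rewritten with the new SHA-512 hash and an updated last-change day; `write_shadow` is only exercised when you hand it a real path.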
Luke Kanies wrote:

>> Gary
>>
>> PS Puppet makes an LDAP roll out much easier, which is a much better solution for user passwords.
>
> Exactly. LDAP is the solution, and hacking around it with Puppet isn't a very good idea. Puppet's great for system users, which need to be local, but for normal users... You should really be using central user management.

I have the dream that I can manage our laptop systems with puppet; these would need local password entries for certain users (the "owner") ... even if we normally used LDAP while connected to the LAN.
On Jan 3, 2007, at 3:39 PM, Jim Rowan wrote:

> Luke Kanies wrote:
>
>>> Gary
>>>
>>> PS Puppet makes an LDAP roll out much easier, which is a much better solution for user passwords.
>>
>> Exactly. LDAP is the solution, and hacking around it with Puppet isn't a very good idea. Puppet's great for system users, which need to be local, but for normal users... You should really be using central user management.
>
> I have the dream that I can manage our laptop systems with puppet; these would need local password entries for certain users (the "owner") ... even if we normally used LDAP while connected to the LAN.

We've had to stop using LDAP on our systems because, in the cases when the load gets too high, or myriad other network issues, logging in via LDAP was impossible or extremely slow. We would definitely like a way to manage passwords on all our systems, and it doesn't seem unreasonable that it would work for some operating systems at first and not others; it's just another type, with providers that people can easily write and contribute, right?

-Blake
On Jan 3, 2007, at 8:21 PM, Blake Barnett wrote:

> We've had to stop using LDAP on our systems because of the cases when the load gets too high, or myriad other network issues, logging in via LDAP was impossible or extremely slow. We would definitely like a way to manage passwords on all our systems and it doesn't seem unreasonable that it would work for some operating systems at first and not others, it's just another type, with providers that people can easily write and contribute right?

Yeah. It's true that the relatively new provider mechanisms make this solution much easier.

Please let me know when you're done. :)

--
Life isn't fair. It's just fairer than death, that's all. -- William Goldman
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Jan 3, 2007, at 5:39 PM, Jim Rowan wrote:

> I have the dream that I can manage our laptop systems with puppet; these would need local password entries for certain users (the "owner") ... even if we normally used LDAP while connected to the LAN.

For the record, many operating systems can do credential caching, so you can still use LDAP auth while disconnected.

I do understand your plight, although I'm not sure Puppet will ever be a very good solution for user management, because users will expect to be able to change their passwords on their local machines but instead those changes will get overwritten right away.

--
What happens to the hole when the cheese is gone? -- Bertolt Brecht
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Luke is absolutely correct. In the case of Linux, check out the Name Service Cache Daemon (ncsd).

This should allow your laptop users to cache their credentials indefinitely.

Trevor

On 1/3/07, Luke Kanies <luke@madstop.com> wrote:
>
> On Jan 3, 2007, at 5:39 PM, Jim Rowan wrote:
> > I have the dream that I can manage our laptop systems with puppet; these would need local password entries for certain users (the "owner") ... even if we normally used LDAP while connected to the LAN.
>
> For the record, many operating systems can do credential caching, so you can still use LDAP auth while disconnected.
>
> I do understand your plight, although I'm not sure Puppet will ever be a very good solution for user management, because users will expect to be able to change their passwords on their local machines but instead those changes will get overwritten right away.
>
> --
> What happens to the hole when the cheese is gone? -- Bertolt Brecht
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
Just for giggles, I'll correct myself and point out that nscd (correction #1) allows for caching of already retrieved credentials.

For correction #2, nscd does not allow offline authentication but pam_ccreds does (http://www.padl.com/OSS/pam_ccreds.html).

That's what I get for posting too early in the morning.

Trevor

On 1/5/07, Trevor Vaughan <peiriannydd@gmail.com> wrote:
>
> Luke is absolutely correct. In the case of Linux, check out the Name Service Cache Daemon (ncsd).
>
> This should allow your laptop users to cache their credentials indefinitely.
>
> Trevor
>
> On 1/3/07, Luke Kanies <luke@madstop.com> wrote:
> >
> > On Jan 3, 2007, at 5:39 PM, Jim Rowan wrote:
> > > I have the dream that I can manage our laptop systems with puppet; these would need local password entries for certain users (the "owner") ... even if we normally used LDAP while connected to the LAN.
> >
> > For the record, many operating systems can do credential caching, so you can still use LDAP auth while disconnected.
> >
> > I do understand your plight, although I'm not sure Puppet will ever be a very good solution for user management, because users will expect to be able to change their passwords on their local machines but instead those changes will get overwritten right away.
> >
> > --
> > What happens to the hole when the cheese is gone? -- Bertolt Brecht
> > ---------------------------------------------------------------------
> > Luke Kanies | http://reductivelabs.com | http://madstop.com