The password management capability of the user resource type says that it should be encrypted in the format the local machine requires.

I tried setting this to a sha1 hash for a Mac OS X Leopard machine.

The result was that the user's password itself was set to the hash value.

And during the apply, the password is easily seen by all users using a simple ps auxww | grep dscl. Looking at the source for directoryservice.rb confirms this.

I got the impression that all of the current DirectoryService related stuff was going through Cocoa APIs rather than shelling out to dscl. Is that work in an unstable branch? I am using Nigel's installer packages of Facter 1.5.0 and Puppet 0.24.5.

Thanks,

Kyle Crawford

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Nigel Kersten
2008-Aug-18 21:31 UTC
[Puppet Users] Re: User and password managment Mac OS X
I think there's some work to do on the directoryservice provider.
We should have upgraded our Macs to 0.24.5+groupLDAP patch within a few
weeks and that was the point I was going to start working on it to make sure
all this stuff works.
What we're doing now with older puppet clients is to simply push out the
hash as a file { content => ... } definition and HUP DirectoryService
afterwards.
On Mon, Aug 18, 2008 at 1:41 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>
> The password management capability of the user resource type says that
> it should be encrypted in the format the local machine requires.
>
> I tried setting this to a sha1 hash for a Mac OS X Leopard machine.
>
> The result was that the user's password itself was set to the hash
> value.
>
> And during the apply, the password is easily seen by all users using a
> simple ps auxww | grep dscl. Looking at the source for
> directoryservice.rb confirms this.
>
> I got the impression that all of the current DirectoryService related
> stuff was going through Cocoa APIs rather than shelling out to dscl.
> Is that work in an unstable branch? I am using Nigel's installer
> packages of Facter 1.5.0 and Puppet 0.24.5.
>
> Thanks,
>
> Kyle Crawford
>
--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
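
The exposure described in this thread (a secret passed as a command-line argument is readable by every local user through the process list), as an added example that is not part of the original posts or of Puppet's code. It uses a plain `sh` child as a stand-in for the password-setting tool; `SAMPLE_HASH`, `stand-in-tool` and the function names are hypothetical, and the example compares passing the value in argv with passing it on stdin.

```ruby
require 'open3'

# Constructed sample value, not a real password hash.
SAMPLE_HASH = 'CONSTRUCTED-SAMPLE-HASH-0123456789ABCDEF'

# Command line of a pid as any local user can read it (what `ps auxww` shows).
def visible_cmdline(pid)
  proc_file = "/proc/#{pid}/cmdline"
  return File.read(proc_file).tr("\0", ' ') if File.readable?(proc_file)
  # No /proc (e.g. Mac OS X): ask ps for the full argument list instead.
  IO.popen(['ps', '-ww', '-o', 'args=', '-p', pid.to_s], &:read)
end

# Start a stand-in child (a shell blocked on `read`, playing the role of the
# tool that sets the password), hand it the secret via :argv or :stdin, and
# report whether the secret shows up in the child's visible command line.
def secret_in_process_list?(secret, via)
  cmd = ['sh', '-c', 'read line', 'stand-in-tool']
  cmd << secret if via == :argv
  stdin, stdout, waiter = Open3.popen2(*cmd)
  if via == :stdin
    stdin.write(secret)   # no newline: the child stays blocked in `read`
    stdin.flush
  end
  visible_cmdline(waiter.pid).include?(secret)
ensure
  stdin&.close            # EOF lets the child exit
  stdout&.close
  waiter&.value           # reap the child
end

if __FILE__ == $PROGRAM_NAME
  puts "argv:  visible=#{secret_in_process_list?(SAMPLE_HASH, :argv)}"
  puts "stdin: visible=#{secret_in_process_list?(SAMPLE_HASH, :stdin)}"
end
```

The same check can be pointed at a real provider run on a test machine by inspecting the spawned tool's pid while an apply is in progress.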