I'm working on a turnkey Linux system where the post build config is handled with puppet.
One of the unique constraints with a turnkey system is that passwords are essentially set at build time and then stay fixed for the life of the product.
I was wondering if anyone had used puppet to manage user passwords?
The 'user' type supports an encrypted hash, but ideally I need the facility of passing in a plaintext password, md5 hash it and then have puppet idempotently check it's been set.

Thoughts?

Geoff.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
I've done that on openbsd systems with something like this:

    exec { "setpass $name":
        onlyif  => "grep '^$name:\*' /etc/master.passwd",
        command => "usermod -p '$pwstring' $name",
        require => User[$name],
    }

Note that the onlyif on this command is intended to set the password
only on accounts that have none, so you'll have to modify it to fit
your needs. $pwstring is a pre-hashed password, for obvious reasons.

HTH,
Marti
On Oct 2, 10:01 am, "Geoff Newell" <geoffnew...@gmail.com> wrote:
> I'm working on a turnkey Linux system where the post build config is handled
> with puppet.
> One of the unique constraints with a turnkey system is that passwords are
> essentially set at build time and then stay fixed for the life of the
> product.
> I was wondering if anyone had used puppet to manage user passwords?
> The 'user' type supports an encrypted hash, but ideally I need the facility
> of passing in a plaintext password, md5 hash it and then have puppet
> idempotently check it's been set.
>
> Thoughts?
>
> Geoff.
On 2 Oct 2008, at 18:01, Geoff Newell wrote:
> I'm working on a turnkey Linux system where the post build config is
> handled with puppet.
> One of the unique constraints with a turnkey system is that
> passwords are essentially set at build time and then stay fixed for
> the life of the product.
> I was wondering if anyone had used puppet to manage user passwords?
> The 'user' type supports an encrypted hash, but ideally I need the
> facility of passing in a plaintext password, md5 hash it and then
> have puppet idempotently check it's been set.

You can do this via shelling out via generate() on the puppetmaster:

    $salt = 'dqwdqaom'
    $password = 'mycleartextpassword'

    $md5_password = generate('/bin/sh', '-c', "/usr/bin/mkpasswd -H md5 -S $salt '$password' | tr -d '\n'")

Ugly, but it works.

The pretty way of doing this would be to create a custom function.
We're intending on doing this, but it's not there yet.

Cheers,

Mike
AJ Christensen (Fujin)
2008-Oct-04 00:51 UTC
[Puppet Users] Re: Puppet for password management
I wrote a parser func that relies on mkpasswd on the master ages ago:
http://pastie.org/pastes/222996

    ## mkpasswd("password", "12345678")
    # needs an 8-char salt *always*
    require 'shellwords'

    module Puppet::Parser::Functions
      newfunction(:mkpasswd, :type => :rvalue) do |args|
        # args[0] is the cleartext password, args[1] the salt.
        # Both are shell-escaped so spaces and metacharacters in the
        # password reach mkpasswd as a single literal argument.
        %x{/usr/bin/mkpasswd -H MD5 #{Shellwords.escape(args[0])} #{Shellwords.escape(args[1])}}.chomp
      end
    end

## usage [plain_text]

    $pw = mkpasswd("test", "12345678")
    notify { $pw: }

## output [plain_text]

    notice: //Node[junglist]/Notify[$1$12345678$oEitTZYQtRHfNGmsFvTBA/]/
    message: is absent, should be $1$12345678$oEitTZYQtRHfNGmsFvTBA/

On Oct 4, 4:41 am, Mike Pountney <mike.pount...@gmail.com> wrote:
> On 2 Oct 2008, at 18:01, Geoff Newell wrote:
>
> > I'm working on a turnkey Linux system where the post build config is
> > handled with puppet.
> > One of the unique constraints with a turnkey system is that
> > passwords are essentially set at build time and then stay fixed for
> > the life of the product.
> > I was wondering if anyone had used puppet to manage user passwords?
> > The 'user' type supports an encrypted hash, but ideally I need the
> > facility of passing in a plaintext password, md5 hash it and then
> > have puppet idempotently check it's been set.
>
> You can do this via shelling out via generate() on the puppetmaster:
>
> $salt = 'dqwdqaom'
> $password = 'mycleartextpassword'
>
> $md5_password = generate('/bin/sh', '-c', "/usr/bin/mkpasswd -H md5 -S $salt '$password' | tr -d '\n'")
>
> Ugly, but it works.
>
> The pretty way of doing this would be to create a custom function.
> We're intending on doing this, but it's not there yet.
>
> Cheers,
>
> Mike
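
The idempotency question from the start of the thread, as an added example that is not code from any poster or from Puppet itself: it hashes in-process with Ruby's String#crypt (which calls the platform's crypt(3)) so the cleartext never appears on a shell command line, and it decides "in sync" by re-hashing with the salt already stored in the account's hash. The helper names md5_crypt, password_in_sync? and action_for are hypothetical, and it assumes a crypt(3) that supports the "$1$" MD5 scheme used above.

```ruby
# Added example, not from the thread. Helper names are hypothetical.
# Assumes the platform crypt(3) understands the "$1$" (MD5-crypt) prefix.

SALT_RE = %r{\A[A-Za-z0-9./]{1,8}\z}  # MD5-crypt salt alphabet, max 8 chars
HASH_RE = %r{\A\$1\$([A-Za-z0-9./]{1,8})\$[A-Za-z0-9./]{22}\z}

# Return "$1$<salt>$<hash>" for a cleartext password, without a shell.
def md5_crypt(cleartext, salt)
  raise ArgumentError, "bad salt: #{salt.inspect}" unless salt =~ SALT_RE
  prefix = "$1$#{salt}$"
  hashed = cleartext.crypt(prefix)
  unless hashed.start_with?(prefix)
    raise NotImplementedError, "crypt(3) here does not support MD5-crypt"
  end
  hashed
end

# True when current_hash is an MD5-crypt hash of cleartext. The salt is
# taken from current_hash, so the check holds whatever salt was used.
def password_in_sync?(cleartext, current_hash)
  m = HASH_RE.match(current_hash.to_s)
  return false unless m # empty, locked ("*", "!") or another scheme
  md5_crypt(cleartext, m[1]) == current_hash
end

# What a run should do for an account: nothing, or set a new hash.
def action_for(cleartext, salt, current_hash)
  return [:noop, current_hash] if password_in_sync?(cleartext, current_hash)
  [:set, md5_crypt(cleartext, salt)]
end

if __FILE__ == $0
  # Constructed sample values for the account's current password field.
  stored = md5_crypt("test", "12345678")
  ["*", "", stored].each do |current|
    verdict, value = action_for("test", "dqwdqaom", current)
    puts "#{current.inspect} -> #{verdict} #{value}"
  end
end
```

With a fixed salt the hash is the same on every run, which is what lets a plain string comparison on the 'user' type's password property stay idempotent; with a random salt per run, only the re-hash check above does.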