I'm working on a turnkey Linux system where the post build config is handled with puppet.
One of the unique constraints with a turnkey system is that passwords are essentially set at build time and then stay fixed for the life of the product.
I was wondering if anyone had used puppet to manage user passwords?
The 'user' type supports an encrypted hash, but ideally I need the facility of passing in a plaintext password, md5 hash it and then have puppet idempotently check it's been set.

Thoughts?

Geoff.

I've done that on openbsd systems with something like this:

    exec { "setpass $name":
        onlyif  => "grep '^$name:\*' /etc/master.passwd",
        command => "usermod -p '$pwstring' $name",
        require => User[$name],
    }

Note that the onlyif on this command is intended to set the password only on accounts that have none, so you'll have to modify it to fit your needs. $pwstring is a pre-hashed password, for obvious reasons.

HTH,
Marti

On Oct 2, 10:01 am, "Geoff Newell" <geoffnew...@gmail.com> wrote:
> I'm working on a turnkey Linux system where the post build config is handled
> with puppet.
> One of the unique constraints with a turnkey system is that passwords are
> essentially set at build time and then stay fixed for the life of the
> product.
> I was wondering if anyone had used puppet to manage user passwords?
> The 'user' type supports an encrypted hash, but ideally I need the facility
> of passing in a plaintext password, md5 hash it and then have puppet
> idempotently check it's been set.
>
> Thoughts?
>
> Geoff.

On 2 Oct 2008, at 18:01, Geoff Newell wrote:
> I'm working on a turnkey Linux system where the post build config is
> handled with puppet.
> One of the unique constraints with a turnkey system is that
> passwords are essentially set at build time and then stay fixed for
> the life of the product.
> I was wondering if anyone had used puppet to manage user passwords?
> The 'user' type supports an encrypted hash, but ideally I need the
> facility of passing in a plaintext password, md5 hash it and then
> have puppet idempotently check it's been set.

You can do this via shelling out via generate() on the puppetmaster:

    $salt = 'dqwdqaom'
    $password = 'mycleartextpassword'

    $md5_password = generate('/bin/sh', '-c', "/usr/bin/mkpasswd -H md5 -S $salt '$password' | tr -d '\n'")

Ugly, but it works.

The pretty way of doing this would be to create a custom function. We're intending on doing this, but it's not there yet.

Cheers,

Mike

AJ Christensen (Fujin)
2008-Oct-04 00:51 UTC
[Puppet Users] Re: Puppet for password management
I wrote a parser func that relies on mkpasswd on the master ages ago: http://pastie.org/pastes/222996

    ## mkpasswd("password", "12345678") # needs an 8-char salt *always*
    module Puppet::Parser::Functions
      newfunction(:mkpasswd, :type => :rvalue) do |args|
        %x{/usr/bin/mkpasswd -H MD5 #{args[0]} #{args[1]}}.chomp
      end
    end

    ## usage [plain_text]
    $pw = mkpasswd("test", "12345678")
    notify { $pw: }

    ## output [plain_text]
    notice: //Node[junglist]/Notify[$1$12345678$oEitTZYQtRHfNGmsFvTBA/]/ message: is absent, should be $1$12345678$oEitTZYQtRHfNGmsFvTBA/

On Oct 4, 4:41 am, Mike Pountney <mike.pount...@gmail.com> wrote:
> On 2 Oct 2008, at 18:01, Geoff Newell wrote:
>
> > I'm working on a turnkey Linux system where the post build config is
> > handled with puppet.
> > One of the unique constraints with a turnkey system is that
> > passwords are essentially set at build time and then stay fixed for
> > the life of the product.
> > I was wondering if anyone had used puppet to manage user passwords?
> > The 'user' type supports an encrypted hash, but ideally I need the
> > facility of passing in a plaintext password, md5 hash it and then
> > have puppet idempotently check it's been set.
>
> You can do this via shelling out via generate() on the puppetmaster:
>
>     $salt = 'dqwdqaom'
>     $password = 'mycleartextpassword'
>
>     $md5_password = generate('/bin/sh', '-c', "/usr/bin/mkpasswd -H md5 -S $salt '$password' | tr -d '\n'")
>
> Ugly, but it works.
>
> The pretty way of doing this would be to create a custom function.
> We're intending on doing this, but it's not there yet.
>
> Cheers,
>
> Mike
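
Added example, not part of the thread: the fixed-salt hashing that the generate() call and the mkpasswd parser function above perform, done in Ruby with String#crypt so that neither a shell nor the mkpasswd binary is involved, plus the comparison that makes the check idempotent. The helper names are hypothetical, and it assumes the host's crypt(3) supports the `$1$` MD5 scheme (glibc/libxcrypt do).

```ruby
# Added example (hypothetical helper names, not code from the thread).
# Assumption: crypt(3) on this host implements the "$1$" MD5-crypt scheme.

SALT_RE  = %r{\A[./0-9A-Za-z]{1,8}\z}
FIELD_RE = %r{\A\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})\z}

# Return "$1$salt$digest" for a plaintext password and a fixed salt.
# Same inputs always give the same string, which is what lets Puppet compare
# it with the shadow entry and do nothing when they already agree.
# The plaintext never appears on a command line or passes through a shell.
def md5_crypt(password, salt)
  unless SALT_RE.match?(salt.to_s)
    raise ArgumentError, 'salt must be 1-8 chars from [./0-9A-Za-z]'
  end
  hash = password.crypt("$1$#{salt}$")
  # "$1$" + salt + "$" + 22-char digest
  unless hash.start_with?("$1$#{salt}$") && hash.length == salt.length + 26
    raise 'crypt(3) on this host did not return an MD5-crypt hash'
  end
  hash
end

# Split a stored password field into [salt, digest]; nil when the field is
# not MD5-crypt (for example a locked account holding "*" or "!").
def parse_md5_crypt(field)
  m = FIELD_RE.match(field.to_s)
  m && [m[1], m[2]]
end

# True when a run would have to change the account: the stored field is not
# the hash of `password` under the stored field's own salt.
def password_change_needed?(password, stored_field)
  salt, = parse_md5_crypt(stored_field)
  return true if salt.nil?
  md5_crypt(password, salt) != stored_field
end

if __FILE__ == $PROGRAM_NAME
  # Salt and password are the sample values used earlier in the thread.
  stored = md5_crypt('mycleartextpassword', 'dqwdqaom')
  puts stored
  puts password_change_needed?('mycleartextpassword', stored) # already set
  puts password_change_needed?('mycleartextpassword', '*')    # no password yet
end
```

Because the salt is taken from the stored field when checking, the comparison also works for accounts whose hash was generated elsewhere with a different salt.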