Nigel Kersten
2008-Oct-17 18:16 UTC
[Puppet Users] who uses clear text passwords with directoryservice/netinfo providers?
Sparked off from this discussion on puppet-dev:

http://groups.google.com/group/puppet-dev/browse_thread/thread/88f60414c3dfbe5c

Who is currently using clear-text passwords with the directoryservice provider in particular, and would you be exceedingly upset if Puppet changed to no longer allow you to set a password in clear text on Mac clients, and only allowed you to set a hash?

I'd like to change the provider so that it no longer used clear text passwords.

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Crawford Kyle
2008-Oct-18 03:16 UTC
[Puppet Users] Re: who uses clear text passwords with directoryservice/netinfo providers?
When I quickly realized it was using clear text I started distributing the /var/db/shadow/hash/ file. We want no clear text.

Thanks for working on this Nigel.

On Oct 17, 2008, at 2:16 PM, Nigel Kersten wrote:
>
> Sparked off from this discussion on puppet-dev:
>
> http://groups.google.com/group/puppet-dev/browse_thread/thread/88f60414c3dfbe5c
>
> Who is currently using clear-text passwords with the directoryservice
> provider in particular, and would you be exceedingly upset if Puppet
> changed to no longer allow you to set a password in clear text on Mac
> clients, and only allowed you to set a hash?
>
> I'd like to change the provider so that it no longer used clear text
> passwords.
>
> --
> Nigel Kersten
> Systems Administrator
> Tech Lead - MacOps
Nigel Kersten
2008-Nov-12 19:55 UTC
[Puppet Users] Re: who uses clear text passwords with directoryservice/netinfo providers?
So I have a first candidate that's a pretty big rewrite of the directoryservice provider.

If anyone is interested in testing this (it's just replacing one file in the 0.24.6 installation) on an OS X client, let me know. I have some more cleanup to do before submitting the patch, but it's functional.

Note this is also fixing the bug with comments or any other attributes with spaces in the value that was reported with the directoryservice provider.

Makes manifests a bit ugly though... but all that zero padding is actually used for some things on OS X like setting an alternative Lanman hash for SMB, and managing the existence or lack thereof of alternative hashes is rather desirable to me.

user { "testviapuppet":
    ensure => present,
    gid => 80,
    uid => 495,
    home => "/Users/testviapuppet",
    shell => "/bin/bash",
    comment => "Test Via Puppet",
    password => "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000087832794FF3758105D7A4E560EBADDF18D7A0635F49BA170000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
}

On Fri, Oct 17, 2008 at 7:16 PM, Crawford Kyle <kcrwfrd@gmail.com> wrote:
>
> When I quickly realized it was using clear text I started distributing
> the /var/db/shadow/hash/ file. We want no clear text.
>
> Thanks for working on this Nigel.
>
> On Oct 17, 2008, at 2:16 PM, Nigel Kersten wrote:
>
>> Sparked off from this discussion on puppet-dev:
>>
>> http://groups.google.com/group/puppet-dev/browse_thread/thread/88f60414c3dfbe5c
>>
>> Who is currently using clear-text passwords with the directoryservice
>> provider in particular, and would you be exceedingly upset if Puppet
>> changed to no longer allow you to set a password in clear text on Mac
>> clients, and only allowed you to set a hash?
>>
>> I'd like to change the provider so that it no longer used clear text
>> passwords.
>>
>> --
>> Nigel Kersten
>> Systems Administrator
>> Tech Lead - MacOps

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
Luke Kanies
2008-Nov-13 00:34 UTC
[Puppet Users] Re: who uses clear text passwords with directoryservice/netinfo providers?
On Nov 12, 2008, at 11:55 AM, Nigel Kersten wrote:
>
> So I have a first candidate that's a pretty big rewrite of the
> directoryservice provider.
>
> If anyone is interested in testing this (it's just replacing one file
> in the 0.24.6 installation) on an OS X client, let me know. I have
> some more cleanup to do before submitting the patch, but it's
> functional.
>
> Note this is also fixing the bug with comments or any other attributes
> with spaces in the value that was reported with the directoryservice
> provider.
>
> Makes manifests a bit ugly though... but all that zero padding is
> actually used for some things on OS X like setting an alternative
> Lanman hash for SMB, and managing the existence or lack thereof of
> alternative hashes is rather desirable to me.
>
> user { "testviapuppet":
>     ensure => present,
>     gid => 80,
>     uid => 495,
>     home => "/Users/testviapuppet",
>     shell => "/bin/bash",
>     comment => "Test Via Puppet",
>     password => "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000087832794FF3758105D7A4E560EBADDF18D7A0635F49BA170000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
> }

For this kind of thing, it probably makes sense to have a function to retrieve the password from an external source; or even provide a function that just does the necessary zero-padding.

--
Talent hits a target no one else can hit; Genius hits a target no one
else can see. -- Arthur Schopenhauer
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Nigel Kersten
2008-Nov-13 02:12 UTC
[Puppet Users] Re: who uses clear text passwords with directoryservice/netinfo providers?
On Wed, Nov 12, 2008 at 4:34 PM, Luke Kanies <luke@madstop.com> wrote:
>
> On Nov 12, 2008, at 11:55 AM, Nigel Kersten wrote:
>
>> So I have a first candidate that's a pretty big rewrite of the
>> directoryservice provider.
>>
>> If anyone is interested in testing this (it's just replacing one file
>> in the 0.24.6 installation) on an OS X client, let me know. I have
>> some more cleanup to do before submitting the patch, but it's
>> functional.
>>
>> Note this is also fixing the bug with comments or any other attributes
>> with spaces in the value that was reported with the directoryservice
>> provider.
>>
>> Makes manifests a bit ugly though... but all that zero padding is
>> actually used for some things on OS X like setting an alternative
>> Lanman hash for SMB, and managing the existence or lack thereof of
>> alternative hashes is rather desirable to me.
>>
>> user { "testviapuppet":
>>     ensure => present,
>>     gid => 80,
>>     uid => 495,
>>     home => "/Users/testviapuppet",
>>     shell => "/bin/bash",
>>     comment => "Test Via Puppet",
>>     password =>
>> "000000000000000000000000000000000000000000000000000000000000000000000
>> 0000000000000000000000000000000000000000000000000000000000000000000000
>> 00000000000000000000000000000087832794FF3758105D7A4E560EBADDF18D7A0635
>> F49BA17000000000000000000000000000000000000000000000000000000000000000
>> ......
>
> For this kind of thing, it probably makes sense to have a function to
> retrieve the password from an external source; or even provide a
> function that just does the necessary zero-padding.

Absolutely. I think we're most likely to enforce the lack of a Lanman hash, so will have a function that does all the padding. It wouldn't take too much work to generalize this to support current and future alternative hashes in the one password hash file.

After chatting to Jeff McCune who did the initial directoryservice nameservice provider, I think we have a clearer idea of what should be done as far as refactoring goes for post 0.24.x puppet, but just wanted to get this functionality in before 0.24.7.

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
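The padding function discussed in the thread, as an added Ruby example that is not Puppet's own provider code: it pads a bare 48-character salted SHA-1 hash into the full shadow-hash string and checks that no field other than that slot is populated, which is the "no alternative (Lanman) hash" property the provider is meant to enforce. The offsets and the 1240-character total are assumed from the layout of the manifest posted above (168 zeros, 48 hash characters, zeros to the end), not from any Apple or Puppet documentation.

```ruby
# Added example, not Puppet's own provider code. Layout assumed from the
# manifest in this thread: 168 hex zeros, a 48-character salted SHA-1
# field, then zeros up to a total of 1240 characters.
SHADOW_LEN   = 1240
SSHA1_OFFSET = 168
SSHA1_LEN    = 48
HEX_RE       = /\A[0-9A-Fa-f]+\z/

# Pad a bare 48-char salted SHA-1 hash into the full shadow-hash string,
# leaving every other field zeroed so that no alternative hash is set.
def pad_salted_sha1(sha1_hex)
  unless sha1_hex.length == SSHA1_LEN && sha1_hex =~ HEX_RE
    raise ArgumentError, "expected #{SSHA1_LEN} hex characters"
  end
  ('0' * SSHA1_OFFSET) + sha1_hex.upcase +
    ('0' * (SHADOW_LEN - SSHA1_OFFSET - SSHA1_LEN))
end

# Pull the salted SHA-1 field back out of a full shadow-hash string.
def salted_sha1_of(shadow)
  shadow[SSHA1_OFFSET, SSHA1_LEN]
end

# True only when the string is well-formed (1240 hex chars) and the salted
# SHA-1 slot is the *only* populated field: any non-zero character outside
# that slot means an alternative hash (e.g. a Lanman hash) is present.
def only_salted_sha1?(shadow)
  return false unless shadow.length == SHADOW_LEN && shadow =~ HEX_RE
  return false if salted_sha1_of(shadow) == '0' * SSHA1_LEN
  outside = shadow[0, SSHA1_OFFSET] + shadow[(SSHA1_OFFSET + SSHA1_LEN)..-1]
  outside == '0' * (SHADOW_LEN - SSHA1_LEN)
end

if __FILE__ == $0
  # Sample value: the salted SHA-1 field from the manifest in this thread.
  h = '087832794FF3758105D7A4E560EBADDF18D7A0635F49BA17'
  s = pad_salted_sha1(h)
  puts "#{s.length} chars, salted SHA-1 only: #{only_salted_sha1?(s)}"
end
```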