Steve Shipway
2011-Feb-23 00:20 UTC
[Puppet Users] Puppet module to regularly change passwords and update SecretServer
I've created a Puppet module which will check a specified user for password age, and if it is older than a specified amount, then it will first generate a random password, change the user's password to this, and will then update (or create) the stored password as held in the Secret Server application (via the SecretServer API) -- see http://www.thycotic.com/ . This means that we don't need to allow SecretServer to log in remotely as root to do the job itself, and we can receive notification (via Puppet reports) when this has been done.

So far this only works for Linux but it should be simple to make it work for other OS.

Usage is:

    password { 'user': age=>30, username=>'user' }

with both parameters optional. We will use this to autorotate passwords on non-user accounts (root, oracle) since account expiry causes crontabs to stop working and we cannot lock the accounts or disable expiry due to functionality and security requirements.

Is anyone already using SecretServer interested in testing a copy? There are a couple of caveats with it but things are looking good so far.

Steve

_____
Steve Shipway
steve@steveshipway.org
Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios and MRTG; and other Open Source projects.
Web: http://www.steveshipway.org/software
Please consider the environment before printing this e-mail

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
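The age check that drives a rotation like the one Steve describes comes down to reading field 3 of /etc/shadow (the day of the last password change, in days since 1970-01-01), comparing it with today, and only then generating a replacement password. The following is an added illustration written for this thread, not Steve's module and not anything from Thycotic: it parses constructed shadow lines (the hashes are placeholders, not real credentials), skips locked or hash-less accounts so they are never "rotated", reports which accounts exceed the `age` threshold, and generates a random password with the `secrets` module. The SecretServer update step is deliberately left out, since the API is not described in the post.

```python
import secrets
import string
from datetime import date

# Constructed sample /etc/shadow content for the example (not real data).
# Fields: name:hash:last_change_day:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER$hash:14900:0:99999:7:::
oracle:$6$PLACEHOLDER$hash:14950:0:99999:7:::
daemon:*:14900:0:99999:7:::
steve:$6$PLACEHOLDER$hash:15010:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)


def parse_shadow(text):
    """Return {user: last_change_day} for accounts that actually have a
    password hash. Locked or passwordless entries ('*', '!', '!!', empty)
    and entries with no last-change day (aging disabled) are skipped, so a
    rotation job never "fixes" an account that was intentionally locked."""
    last_change = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        user, pw_hash, changed = fields[0], fields[1], fields[2]
        if pw_hash in ("", "*") or pw_hash.startswith("!"):
            continue
        if changed == "":
            continue
        last_change[user] = int(changed)
    return last_change


def days_since_epoch(day):
    """Express a date the way shadow(5) stores it: days since 1970-01-01."""
    return (day - EPOCH).days


def password_age_days(last_change_day, today):
    return days_since_epoch(today) - last_change_day


def accounts_due(shadow_text, today, age=30, only=None):
    """Accounts whose password is older than `age` days. `only` restricts the
    check to named users, mirroring the module's optional `username`."""
    due = []
    for user, changed in parse_shadow(shadow_text).items():
        if only is not None and user not in only:
            continue
        if password_age_days(changed, today) > age:
            due.append(user)
    return sorted(due)


def generate_password(length=24):
    """Random password from the CSPRNG with at least one lower, upper and
    digit character; the alphabet is kept shell- and URL-safe on purpose."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


if __name__ == "__main__":
    today = date(2011, 2, 23)  # the date of the thread, used as "now"
    for user in accounts_due(SAMPLE_SHADOW, today, age=30):
        # In a real rotation this is where chpasswd/usermod would run and
        # the new value would be pushed to the password store.
        print(f"{user}: rotation due, new password would be {generate_password()}")
```

Running it with the constructed data reports `oracle` and `root` as due; `daemon` is skipped because it is locked, and `steve` changed the password 18 days ago. Using the shadow file as the source of truth, rather than a timestamp kept by the rotation job itself, means a password changed by hand still resets the clock.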
Dave Augustus
2011-Feb-23 03:55 UTC
Re: [Puppet Users] Puppet module to regularly change passwords and update SecretServer
Very interested! I am in the midst of rolling out a brand new collection of servers, all Linux. This couldn't be more timely.

Thanks,
Dave Augustus

On Feb 22, 2011, at 6:20 PM, "Steve Shipway" <steve@steveshipway.org> wrote:

> I've created a Puppet module which will check a specified user for password age, and if it is older than a specified amount, then it will first generate a random password, change the user's password to this, and will then update (or create) the stored password as held in the Secret Server application (via the SecretServer API) -- see http://www.thycotic.com/ . This means that we don't need to allow SecretServer to log in remotely as root to do the job itself, and we can receive notification (via Puppet reports) when this has been done.
>
> So far this only works for Linux but it should be simple to make it work for other OS.
>
> Usage is:
>
> password { 'user': age=>30, username=>'user' }
>
> with both parameters optional. We will use this to autorotate passwords on non-user accounts (root, oracle) since account expiry causes crontabs to stop working and we cannot lock the accounts or disable expiry due to functionality and security requirements.
>
> Is anyone already using SecretServer interested in testing a copy? There are a couple of caveats with it but things are looking good so far.
>
> Steve
>
> Steve Shipway
> steve@steveshipway.org
> Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios and MRTG; and other Open Source projects.
> Web: http://www.steveshipway.org/software
> Please consider the environment before printing this e-mail