I''m new to Puppet but have searched this group and Puppet docs for how to set up user passwords using puppet. I haven''t found a clear answer about setting user passwords. I understand that it is a security risk to send plain text passwords via Puppet. However, for my use case (setting up one "student" user on a school computer lab) I think the risk is acceptable. Can someone walk me through the steps of sending out a password to all my computers for user "student." My puppetmaster and puppets are running Ubuntu Lucide 10.4 LTS. Thanks for getting a newbie off the ground! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/m3jPQyFQKsoJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Len Rugen
2011-Aug-03 00:35 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
You aren''t sending the password, you are sending the "shadow". On one system, set the desired password, get the shadow value, put that in puppet. [root@localhost ~]# passwd student Changing password for user student. New password: BAD PASSWORD: it is too simplistic/systematic Retype new password: passwd: all authentication tokens updated successfully. [root@localhost ~]# grep student /etc/shadow student: $6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0 :15189:0:99999:7::: [root@localhost ~]# In puppet, passwd => " $6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0", This if from memory, so not syntax checked. That hash is for a password that was simple and got the gripe. Of course, you will have to install and configure puppet on all of your systems. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jfro
2011-Aug-03 01:54 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
Len, Thanks for the clear directions. I wasn''t sure if the shadow value could be transfered to different computers and be decrypted correctly. It looks like it can. I''ll give this a try! I appreciate your clear directions and taking time to help a newbie. You saved me hours of searching and pulling out my hair! -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/cr268oS6l2oJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
vagn scott
2011-Aug-03 02:21 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
On 08/02/2011 03:52 PM, Jfro wrote:> > Can someone walk me through the steps of sending out a password to all > my computers for user "student."I do this a lot: yes ''PASSWORD'' | passwd username Then you can extract the password from /etc/shadow also see here: http://serverfault.com/questions/87874/how-should-someone-create-an-encrypted-password-for-etc-shadow -- vagn -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Len Rugen
2011-Aug-03 02:36 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
Works on about 300 of ours :-) On Tue, Aug 2, 2011 at 8:54 PM, Jfro <jason.shiroff@gmail.com> wrote:> Len, > > Thanks for the clear directions. I wasn''t sure if the shadow value could > be transfered to different computers and be decrypted correctly. It looks > like it can. I''ll give this a try! > > I appreciate your clear directions and taking time to help a newbie. You > saved me hours of searching and pulling out my hair! > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To view this discussion on the web visit > https://groups.google.com/d/msg/puppet-users/-/cr268oS6l2oJ. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Daniel Maher
2011-Aug-03 06:47 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
On 08/02/2011 09:52 PM, Jfro wrote:> I''m new to Puppet but have searched this group and Puppet docs for how > to set up user passwords using puppet. I haven''t found a clear answer > about setting user passwords. > > I understand that it is a security risk to send plain text passwords via > Puppet. However, for my use case (setting up one "student" user on a > school computer lab) I think the risk is acceptable. > > Can someone walk me through the steps of sending out a password to all > my computers for user "student." > > My puppetmaster and puppets are running Ubuntu Lucide 10.4 LTS. > > Thanks for getting a newbie off the ground!This will help : http://docs.puppetlabs.com/references/2.7.0/type.html#user-3 Otherwise, it''s really just as simple as this : user { ''student_account'': name => ''username'', password => ''$6$xx...'' # this is the crypted password string. } You can also set their group membership, home directory, uid, and other things as well. Just ensure that the user statement is in a class that''s included on all of your target machines, and you''re done. -- dan. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Peter Meier
2011-Aug-03 09:21 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
>> Can someone walk me through the steps of sending out a password to all >> my computers for user "student." > > I do this a lot: > > yes ''PASSWORD'' | passwd username > > Then you can extract the password from /etc/shadow > > also see here: > > http://serverfault.com/questions/87874/how-should-someone-create-an-encrypted-password-for-etc-shadowNo need to go over /etc/shadow or use mkpasswd (which is not available that easy on all distros). How about # salt=`pwgen 8 1`; pass=`pwgen -s 12 1`;ruby -e "puts \ ARGV[0].crypt(''\$6\$'' << ARGV[1] << ''\$'')" $pass $salt; echo $pass $6$eemaihic$3gwFGQxMWE8n/KMZlNe3O9dVoQC5zCXrtabhpCLeDp54eYTGK8WAHovxYZLaQf8YF93Hwfh466CQ966Xoh6O81 FmstT8KObWVu ? ~pete -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ryan Conway
2011-Aug-03 10:13 UTC
[Puppet Users] Re: Step by step guide to setting user passwords
One more thing - Puppet will fail to set the password unless the libshadow gem is present, as this is required to work with shadow passwords. The failures due to this being missing weren''t obvious if I remember back - you only get a warning that the user provider isn''t able to manage the passwords if you''re running in debug mode. Ryan On Aug 3, 1:35 am, Len Rugen <lenru...@gmail.com> wrote:> You aren''t sending the password, you are sending the "shadow". On one > system, set the desired password, get the shadow value, put that in puppet. > > [root@localhost ~]# passwd student > Changing password for user student. > New password: > BAD PASSWORD: it is too simplistic/systematic > Retype new password: > passwd: all authentication tokens updated successfully. > [root@localhost ~]# grep student /etc/shadow > student: > $6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710 v1HMRmS5VnPbHZ2MwY96wt0 > :15189:0:99999:7::: > [root@localhost ~]# > > In puppet, passwd => " > $6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710 v1HMRmS5VnPbHZ2MwY96wt0", > > This if from memory, so not syntax checked. That hash is for a password > that was simple and got the gripe. > > Of course, you will have to install and configure puppet on all of your > systems.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Matthew J Black
2011-Aug-03 14:44 UTC
RE: [Puppet Users] Step by step guide to setting user passwords
Not sure if that''ll work right but one option is you should be able to use the generate function in the manifest to make an external call within the puppetmaster to create the encrypted password. The downside is that its going to execute every time, where it might be less of a performance hit to cut and paste in the encrypted password into the manifest. -----Original Message----- From: puppet-users@googlegroups.com [mailto:puppet-users@googlegroups.com] On Behalf Of Peter Meier Sent: Wednesday, August 03, 2011 5:21 AM To: puppet-users@googlegroups.com Subject: Re: [Puppet Users] Step by step guide to setting user passwords>> Can someone walk me through the steps of sending out a password to all >> my computers for user "student." > > I do this a lot: > > yes ''PASSWORD'' | passwd username > > Then you can extract the password from /etc/shadow > > also see here: > >http://serverfault.com/questions/87874/how-should-someone-create-an-encrypte d-password-for-etc-shadow No need to go over /etc/shadow or use mkpasswd (which is not available that easy on all distros). How about # salt=`pwgen 8 1`; pass=`pwgen -s 12 1`;ruby -e "puts \ ARGV[0].crypt(''\$6\$'' << ARGV[1] << ''\$'')" $pass $salt; echo $pass $6$eemaihic$3gwFGQxMWE8n/KMZlNe3O9dVoQC5zCXrtabhpCLeDp54eYTGK8WAHovxYZLaQf8Y F93Hwfh466CQ966Xoh6O81 FmstT8KObWVu ? ~pete -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Peter Meier
2011-Aug-03 17:26 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
On 08/03/2011 04:44 PM, Matthew J Black wrote:> Not sure if that''ll work right but one option is you should be able to use > the generate function in the manifest to make an external call within the > puppetmaster to create the encrypted password. The downside is that its > going to execute every time, where it might be less of a performance hit to > cut and paste in the encrypted password into the manifest.or you can use something like trocla to not even store the encrypted password in the manifest: https://github.com/duritong/trocla https://github.com/duritong/puppet-trocla ~pete -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
John Martin
2011-Aug-06 06:22 UTC
[Puppet Users] Re: Step by step guide to setting user passwords
You can also use the ralsh command where the user is created as long
as puppet is installed. The command will spit out the complete user
dsl.
ralsh user student
Also, make sure the password is in single quotes so $ doesn''t get
interpreted.
-John
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Eric Shamow
2011-Aug-07 03:57 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
Just a note - ralsh is also available from the puppet command line as "puppet resource." -Eric On Aug 6, 2011, at 2:22 AM, John Martin wrote:> You can also use the ralsh command where the user is created as long > as puppet is installed. The command will spit out the complete user > dsl. > > ralsh user student > > Also, make sure the password is in single quotes so $ doesn''t get > interpreted. > > -John > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2011-Aug-07 06:42 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
On Wed, Aug 3, 2011 at 12:21 PM, Peter Meier <peter.meier@immerda.ch> wrote:>>> Can someone walk me through the steps of sending out a password to all >>> my computers for user "student." >> >> I do this a lot: >> >> yes ''PASSWORD'' | passwd username >> >> Then you can extract the password from /etc/shadow >> >> also see here: >> >> http://serverfault.com/questions/87874/how-should-someone-create-an-encrypted-password-for-etc-shadow > > > No need to go over /etc/shadow or use mkpasswd (which is not available > that easy on all distros). How about > > # salt=`pwgen 8 1`; pass=`pwgen -s 12 1`;ruby -e "puts \ > ARGV[0].crypt(''\$6\$'' << ARGV[1] << ''\$'')" $pass $salt; echo $pass > $6$eemaihic$3gwFGQxMWE8n/KMZlNe3O9dVoQC5zCXrtabhpCLeDp54eYTGK8WAHovxYZLaQf8YF93Hwfh466CQ966Xoh6O81 > FmstT8KObWVu >crypt might yield a different output depending on the c crypt lib, so in theory it may not work across all os''s. Ohad> ? > > ~pete > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jamie
2011-Aug-07 17:16 UTC
[Puppet Users] Re: Step by step guide to setting user passwords
Sorry, kinda late on this one, but seems some easy methods left out. Use grub-md5-crypt $ grub-md5-crypt Password: Retype password: $1$nS12E0$nmw5cTWJLwW7KujMpApKh0 <-- PUT THE RESULT IN YOUR MANIFEST or use the openssl command $ openssl passwd -1 Password: Verifying - Password: $1$SF8zTedH$rfFKDI1pS2ljMRP14tYTj0 <-- PUT THE RESULT IN YOUR MANIFEST On Aug 2, 3:52 pm, Jfro <jason.shir...@gmail.com> wrote:> I''m new to Puppet but have searched this group and Puppet docs for how to > set up user passwords using puppet. I haven''t found a clear answer about > setting user passwords. > > I understand that it is a security risk to send plain text passwords via > Puppet. However, for my use case (setting up one "student" user on a school > computer lab) I think the risk is acceptable. > > Can someone walk me through the steps of sending out a password to all my > computers for user "student." > > My puppetmaster and puppets are running Ubuntu Lucide 10.4 LTS. > > Thanks for getting a newbie off the ground!-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Derek J. Balling
2011-Aug-08 00:40 UTC
Re: [Puppet Users] Step by step guide to setting user passwords
On Aug 2, 2011, at 8:35 PM, Len Rugen wrote:> In puppet, passwd => "$6$PVOar6qN$WUTN7HG838PnAdzLYCB4HHVSzE/SX100VVdsiIYlBo7TM5c79R38gx942Lkm710v1HMRmS5VnPbHZ2MwY96wt0",Make sure to use single-quotes, or puppet will try to evaluate variables "$PVOar", "$WUTN", etc., etc. D -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Michael Stahnke
2011-Aug-08 01:53 UTC
Re: [Puppet Users] Re: Step by step guide to setting user passwords
On Wed, Aug 3, 2011 at 3:13 AM, Ryan Conway <ryan.conway@forward.co.uk> wrote:> One more thing - Puppet will fail to set the password unless the > libshadow gem is present, as this is required to work with shadow > passwords.It doesn''t have to be the gem. It can be anything that provides the libraries (such as the ruby-shadow rpm package). -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.