illectronic
2012-Nov-30 05:14 UTC
[Puppet Users] Using puppet to change passwords on nix systems
Hi, I am new to this and I discovered a manifest in an old post that should change passwords. It runs fine, but the password does not change. I am wondering how this would work since it would need to change the shadow.

Thanks

    define change_passwd($user,$passwd) {
      exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
        onlyif => "/bin/grep -c ^${user}: /etc/shadow"
      }
    }
Peter Brown
2012-Nov-30 06:19 UTC
Re: [Puppet Users] Using puppet to change passwords on nix systems
Hi.

I have stopped using puppet to manage users. (I now use FreeIPA for authentication and authorization.)
I used to use the password field in the user resource to do this. It needs an encrypted password though.
It worked fine for what I needed at the time.
So if you can get the password from the shadow file on one server you can use that to set the passwords on all your other servers.
It should be pretty easy to use Hiera to store them.
O
2012-Nov-30 13:08 UTC
Re: [Puppet Users] Using puppet to change passwords on nix systems
Thanks for the suggestion, but I would like to see if I can get that script working correctly first before using additional management software.
jcbollinger
2012-Nov-30 14:32 UTC
[Puppet Users] Re: Using puppet to change passwords on nix systems
On Thursday, November 29, 2012 11:14:57 PM UTC-6, O wrote:
> Hi, I am new to this and I discovered a manifest in an old post that
> should change passwords. It runs fine, but the password does not change. I
> am wondering how this would work since it would need to change the shadow.

The Puppet agent needs to run as a privileged user (typically root) in order to do a lot of the things it does, including managing system users. Yes, on systems that use shadow passwords, Puppet needs to modify /etc/shadow to manage passwords. So?

As to the details, the Puppet agent adapts to the system on which it is running, and uses the appropriate system tools for most of the tasks it wants to perform. For example, to manage users on RedHat-family systems it uses useradd, userdel, usermod, and/or chage, as appropriate.

For users in particular there is a wide variety of management toolsets in use on different OS flavors. Not all of them provide the same features, and in particular, not all of them support managing user passwords. Therefore, whether Puppet can manage passwords on a particular client depends on the client.

Most of this is documented in the Puppet type reference: http://docs.puppetlabs.com/references/3.0.latest/type.html#user.

> Thanks
>
> define change_passwd($user,$passwd) {
>   exec { "/usr/bin/puppet apply -v -e \'user { \"${user}\": password => \"${passwd}\" }\'":
>     onlyif => "/bin/grep -c ^${user}: /etc/shadow"
>   }
> }

That's awfully convoluted. Why are you using an Exec to run "puppet apply" from within a Puppet run, instead of just declaring the wanted resource directly? That's not to say that the code is wrong or inappropriate. I think I can infer the purpose, but if *you* don't understand what it declares and why, then you cannot be sure whether it is appropriate or not. And that's before we even get to the structure of the wrapper definition.

Pete is right that the User type's 'password' parameter requires a hash instead of a plaintext password. Except for Windows clients. And be aware that it requires the hash to be the correct type for the target system, which may be SHA1, SHA512, MD5, or possibly even something else. If your machines are homogeneous then that's not too big a problem, but if not then you may have a trickier problem.

John
O
2012-Nov-30 16:40 UTC
[Puppet Users] Re: Using puppet to change passwords on nix systems
You are right. I found a simpler way of doing it using puppet's built in "user" reference with shadow-lib installed. The only thing is, puppet doesn't seem to be able to create an md5 hash for you so you need to create a test user with the same password and use that value for password => 'hashgoeshere'
Brian Jolly
2012-Nov-30 18:55 UTC
Re: [Puppet Users] Re: Using puppet to change passwords on nix systems
I've been using the openssl command line tool to generate the hash for my puppet users:

    openssl passwd -1

It's still a manual process to get the hash, but works pretty good for a small number of users.
Phips
2012-Dec-04 10:52 UTC
[Puppet Users] Re: Using puppet to change passwords on nix systems
On Friday, November 30, 2012 4:40:34 PM UTC, O wrote:
> You are right. I found a simpler way of doing it using puppet's built in
> "user" reference with shadow-lib installed. The only thing is, puppet
> doesn't seem to be able to create an md5 hash for you so you need to create
> a test user with the same password and use that value for password =>
> 'hashgoeshere'

Use 'grub-md5-crypt' from a Linux box. Simples.
jcbollinger
2012-Dec-04 14:41 UTC
[Puppet Users] Re: Using puppet to change passwords on nix systems
On Tuesday, December 4, 2012 4:52:45 AM UTC-6, Phips wrote:
> On Friday, November 30, 2012 4:40:34 PM UTC, O wrote:
>
>> You are right. I found a simpler way of doing it using puppet's built in
>> "user" reference with shadow-lib installed. The only thing is, puppet
>> doesn't seem to be able to create an md5 hash for you so you need to create
>> a test user with the same password and use that value for password =>
>> 'hashgoeshere'
>
> Use 'grub-md5-crypt' from a Linux box. Simples.

As long as you need MD5 hashes, and your system has that program, then that's great. I repeat, however, that it is essential to create the correct type of hash for your target systems. MD5 used to be near-universal for Linux, but newer releases tend to prefer other hashes, and other types of machines may have even more differing requirements.

John
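
Added example (not part of the thread, and not Puppet's own code): a pre-commit style check for the point made in the two replies from John above, that the 'password' value must be a hash of the type the target system expects and not a plaintext password. The function names and the sample hashes are constructed for illustration; the prefix table lists the common crypt(3) modular-format identifiers.

```python
import re

# crypt(3) modular-format identifiers -> scheme name (common Linux/BSD values).
SCHEMES = {"1": "md5", "5": "sha256", "6": "sha512",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}

_HASH_CHARS = re.compile(r"^[A-Za-z0-9./$=,]+$")   # characters valid in a hash field
_USER_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")    # conservative POSIX-style user name

# Constructed sample values (right shape, not hashes of any real password).
SAMPLE_MD5 = "$1$c0nstrct$" + "a" * 22
SAMPLE_SHA512 = "$6$c0nstructedSalt$" + "A" * 86


def classify(value):
    """Return the scheme of a shadow password field, or why it is unusable."""
    if value in ("", "*") or value.startswith("!"):
        return "locked-or-empty"
    if not value.startswith("$"):
        return "not-a-hash"      # plaintext or legacy DES: keep it out of manifests
    parts = value.split("$")     # ['', id, salt or params, ..., digest]
    if len(parts) < 4 or not parts[-1] or not _HASH_CHARS.match(value):
        return "malformed"
    return SCHEMES.get(parts[1], "unknown")


def render_user_resource(user, value, expected):
    """Build a Puppet user resource only if the hash matches the target's scheme."""
    if not _USER_NAME.match(user):
        raise ValueError("unexpected characters in user name")
    found = classify(value)
    if found != expected:
        raise ValueError(f"password for {user} is {found}, target expects {expected}")
    # Single quotes: Puppet does not interpolate the '$' characters in the hash.
    return (f"user {{ '{user}':\n"
            f"  ensure   => present,\n"
            f"  password => '{value}',\n"
            f"}}\n")


if __name__ == "__main__":
    print(render_user_resource("alice", SAMPLE_SHA512, "sha512"))
    for candidate in (SAMPLE_MD5, "Secret123"):
        try:
            render_user_resource("alice", candidate, "sha512")
        except ValueError as err:
            print("rejected:", err)
```
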