Andrei-Florian Staicu
2012-Dec-10 08:22 UTC
[Puppet Users] user resource, get password from command on master
Hi all,

I started managing users with puppet (3). Right now it works ok, but I have to change the hash manually in the manifest files. I would like users to login to the puppet master and change the password for themselves. Could I do something like this?

password => `grep $user /etc/shadow | awk -F ':' '{print $2}'`,

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Martin Alfke
2012-Dec-10 08:28 UTC
Re: [Puppet Users] user resource, get password from command on master
Hi Andrei,

On 10.12.2012, at 09:22, Andrei-Florian Staicu wrote:

> Hi all,
>
> I started managing users with puppet (3). Right now it works ok, but I have to change the hash manually in the manifest files. I would like users to login to the puppet master and change the password for themselves. Could I do something like this?
> password => `grep $user /etc/shadow | awk -F ':' '{print $2}'`,
>
> Thanks.

You want to make use of a function:
http://docs.puppetlabs.com/references/latest/function.html

Functions get executed on the master.

hth,
Martin
Andrei-Florian Staicu
2012-Dec-10 08:49 UTC
Re: [Puppet Users] user resource, get password from command on master
On Mon, Dec 10, 2012 at 10:28 AM, Martin Alfke <tuxmea@gmail.com> wrote:

> Hi Andrei,
>
> You want to make use of a function:
> http://docs.puppetlabs.com/references/latest/function.html
>
> Functions get executed on the master.
>
> hth,
> Martin

Hi Martin, and thanks for the quick answer.

Do you happen to know what user the scripts get executed as on the master? If it's not root, I might have to stick some sudos in there.

Thanks.

--
Beware of programmers who carry screwdrivers!
Martin Alfke
2012-Dec-10 10:47 UTC
Re: [Puppet Users] user resource, get password from command on master
On 10.12.2012, at 09:49, Andrei-Florian Staicu wrote:

> Hi Martin, and thanks for the quick answer.
>
> Do you happen to know what user the scripts get executed as on the master? If it's not root, I might have to stick some sudos in there.

As far as I know, functions are run as user "puppet". (Please verify your puppet.conf and look which user is used. Normally this is "puppet" or "pe-puppet" (on enterprise version).)
jcbollinger
2012-Dec-10 15:47 UTC
Re: [Puppet Users] user resource, get password from command on master
On Monday, December 10, 2012 2:49:10 AM UTC-6, SAF wrote:

> Do you happen to know what user the scripts get executed as on the master? If it's not root, I might have to stick some sudos in there.

Functions are evaluated as a normal part of the puppet master's execution, thus they run as whatever user the master runs as. In most setups that is a non-privileged user, without access to the contents of /etc/shadow. You should think long and hard before granting the master elevated privileges. I would not do it myself.

In fact, I would recommend against your whole concept for password management. It requires you to weaken your security not only by granting extra privileges to the master, but also -- much worse -- by granting your users login privileges on the puppet master server. Furthermore, password updates under your scheme would not be synchronous or even coordinated across hosts. For each other system he wants to log in to, the user would have to wait some unknown time for that system to perform a successful Puppet run before his password changes there, and there will be a period during which his password is different on some nodes than on others.

There are good, industry-standard approaches to centralized password management. You should really choose among those instead of rolling your own. One of the best-regarded is LDAP, and you could also consider NIS (just to name two). The former is more secure, but the latter is very easy to set up.

John
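Martin's point that functions run on the master and John's point that the master's user normally cannot (and should not) read /etc/shadow together dictate the shape a master-side lookup would have to take. The Ruby below is an added example, not code from the thread or from Puppet: it reads one crypt(3) hash per account from a directory the master's own user can read, so the master gets no extra privilege, and it rejects account names that could escape the directory as well as values that are not hashes. The path /etc/puppet/passwords, the file-per-user layout and the function name password_hash are this example's assumptions.

```ruby
# Added example (not from the thread or from Puppet): a master-side lookup
# that returns a stored crypt(3) hash for an account without touching
# /etc/shadow, so the master keeps running as its unprivileged user.

PASSWORD_DIR = '/etc/puppet/passwords'.freeze   # assumed: one file per account, readable by the master's user
USERNAME_RE  = /\A[a-z_][a-z0-9_-]{0,31}\z/      # POSIX-style account names only, no "/" or ".."
# $1$ (md5), $5$ (sha256) and $6$ (sha512) crypt(3) hashes, with an optional rounds= field
HASH_RE      = %r{\A\$[156]\$(?:rounds=\d+\$)?[A-Za-z0-9./]{1,16}\$[A-Za-z0-9./]{22,86}\z}

# Return the hash stored for +user+ under +dir+, or raise ArgumentError.
# The name check stops a manifest value such as "../../etc/shadow" from
# reaching outside the directory; the hash check keeps junk (or a locked
# "!" marker) from being pushed into the agents' /etc/shadow.
def lookup_password_hash(user, dir = PASSWORD_DIR)
  raise ArgumentError, "invalid user name #{user.inspect}" unless user.is_a?(String) && user =~ USERNAME_RE
  path = File.join(dir, user)
  raise ArgumentError, "no password file for #{user}" unless File.file?(path)
  hash = File.read(path).strip
  raise ArgumentError, "#{path} does not hold a crypt(3) hash" unless hash =~ HASH_RE
  hash
end

# Register the lookup as a Puppet 3 parser function when the puppet gem is
# loadable (parser functions run on the master, as Martin said), so a
# manifest can write:  user { $name: password => password_hash($name) }
begin
  require 'puppet'
  Puppet::Parser::Functions.newfunction(:password_hash, :type => :rvalue) do |args|
    raise ArgumentError, 'password_hash() takes exactly one argument' unless args.length == 1
    lookup_password_hash(args[0])
  end
rescue LoadError
  # puppet gem absent (stand-alone run); lookup_password_hash still works on its own
end
```

This only removes the need for the master to read /etc/shadow; the rollout across nodes is still as uncoordinated as John describes, since each agent picks the hash up on its next run.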
Jakov Sosic
2012-Dec-12 01:58 UTC
Re: [Puppet Users] user resource, get password from command on master
On 12/10/2012 04:47 PM, jcbollinger wrote:

> There are good, industry-standard approaches to centralized password management. You should really choose among those instead of rolling your own. One of the best-regarded is LDAP, and you could also consider NIS (just to name two). The former is more secure, but the latter is very easy to set up.

Judging that the current solution stores passwords in /etc/shadow, I assume that these passwords are for ssh only, and if that's the case the easiest and most secure way would be to enforce ssh key logins, and distribute keys instead of passwords. Public keys could be updated without granting access to puppet master.

If that's not the case, then LDAP is a way to go.

--
Jakov Sosic
www.srce.unizg.hr
Peter Brown
2012-Dec-13 06:47 UTC
Re: [Puppet Users] user resource, get password from command on master
On 12 December 2012 11:58, Jakov Sosic <jsosic@srce.hr> wrote:

> Judging that the current solution stores passwords in /etc/shadow, I assume that these passwords are for ssh only, and if that's the case the easiest and most secure way would be to enforce ssh key logins, and distribute keys instead of passwords. Public keys could be updated without granting access to puppet master.
>
> If that's not the case, then LDAP is a way to go.

I was managing my users with puppet but I decided it wasn't the best way to do it.

I recently setup a FreeIPA server to use for authentication and authorization. It can also be used to auth ssh logins with keys. I need to write some modules to manage setting it up on a node with puppet but it's looking like the best option for what I need. It seems to have similar functionality to Active Directory and can even sync with it.