Forum: Cfengine Help
Subject: Re: Cfengine Help: Updating shadow encrypted fields
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,22441,22449#msg-22449

The secret conundrum. To automate one must commit the secret to a record. This is one of the instances that do not go well with pull clients. Typical password systems I've seen keep the password in a central location and push the password out when needed. In such cases the password is still recorded, but only in one place.

I think that you are going to have to make a compromise somewhere. One, look at a centralized push solution. Two, pull the same hash from Cfengine. Three, split your hosts into different hash groups. Thus if one hash is compromised the others are still safe.

Another thought occurs to me. If the password is the same then does it matter whether the hashes are different? If I crack one, the next thing I'll do is try the same password elsewhere.