Also thinking out loud.. Why not make use of the public keys that reside on every host in order to store the password in host-specific files at some common NFS location? I tried getting OpenSSL to work with cfengine's keys (seeing as they're already stored on the cf-serverd host) but it steadfastly refused to accept the public key. Maybe someone more OpenSSL savvy can figure it out. What does work is extracting the public key from ssh's keypair.
So, hypothetically, your password update bundle would:

- Do a fileexists test on the output of the following command and if failure, extract the public key from ssh's keypair and store it somewhere on the network.
  "openssl rsa -in ./ssh_host_rsa_key -pubout -out /nfs/pubkeys/${sys.uqhost}-pubkey"
- Decrypt the host-specific file at /nfs/crypto/${sys.uqhost} which you generated using a script that read in the password from stdin and did a "for host in `ls` ; encryption
- Calculate the appropriate hash for the local host and then do a regline against /etc/shadow or the sort. If no match then execute hash update.

It's a lot of crypto-juggling but probably safer than an expect script.
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
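The flow proposed in the message above, as an added shell sketch that is not part of the original post or of cfengine. Assumptions: a throwaway key from `openssl genrsa` stands in for ssh_host_rsa_key, a temp directory stands in for /nfs/pubkeys and /nfs/crypto, `web01` and both passwords are constructed, and OAEP padding and SHA-512 crypt (`-6`) are choices made here.

```shell
#!/bin/sh
# Added example. $WORK stands in for the NFS share, $HOST for ${sys.uqhost}.
WORK=$(mktemp -d)
HOST=web01   # constructed host name

# Stand-in for the host's private key (the post uses ssh_host_rsa_key).
make_host_key() {
    openssl genrsa -out "$WORK/host_key" 2048 2>/dev/null
}

# Host side: publish the public half only if it is not already there.
publish_pubkey() {
    [ -f "$WORK/$HOST-pubkey" ] ||
        openssl rsa -in "$WORK/host_key" -pubout \
            -out "$WORK/$HOST-pubkey" 2>/dev/null
}

# Admin side: password on stdin, encrypted to this one host's public key.
encrypt_for_host() {
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/$HOST-pubkey" \
        -pkeyopt rsa_padding_mode:oaep -out "$WORK/$HOST.enc"
}

# Host side: only the holder of the private key recovers the password.
decrypt_on_host() {
    openssl pkeyutl -decrypt -inkey "$WORK/host_key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/$HOST.enc"
}

# $1 = current shadow hash field ($6$salt$hash); password on stdin.
# Re-hash with the stored salt and succeed only if the result is identical.
shadow_matches() {
    salt=$(printf '%s' "$1" | cut -d'$' -f3)
    [ "$(openssl passwd -6 -salt "$salt" -stdin)" = "$1" ]
}

make_host_key && publish_pubkey
printf '%s\n' 'Constructed-Pw-1' | encrypt_for_host
# Constructed "current" shadow field, hashed from a different password.
current=$(printf '%s\n' 'old-pw' | openssl passwd -6 -salt abcdefgh -stdin)
if decrypt_on_host | shadow_matches "$current"; then
    echo "shadow entry already current"
else
    echo "hash differs: update needed"
fi
```

The password travels through pipes only, so it never appears in a process argument list. Raw RSA encryption limits the plaintext to less than the key size, which is enough for a password.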