Forum: Cfengine Help
Subject: Re: Cfengine Help: Re: Cfengine Help: Updating shadow encrypted fields
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,22441,22496#msg-22496

My solution looks something like this: I have a directory which contains a bunch of files like /opt/cfengineconfig/perhost/$hostname.config. The cf-serverd config only allows access to $hostname.config by $hostname. Each host copies $hostname.config to inputs/perhost.cf, and perhost.cf is included. There's a perhost bundle which defines some variables and sets some classes (i.e., "has_perhost"). The root password hash is pre-calculated and stored in a variable with a common name. If the has_perhost class is set and the root password hash variable is defined, that's the hash which is stored in shadow for root.

I have a separate interface which I use to manage the files in perhost; the files in there are never manually edited. Among other things, that interface records the plain-text password in a central database, as well as managing resetting the passwords on a pretty regular basis and/or after certain events.

Even without my cute little system, cfengine on the central host could be looking at a password database and promising to keep the root password config file for each host in sync with that which is recorded in the plain text password database, possibly using a randomly generated salt. ;)
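
A CFEngine 3 sketch of the arrangement described in the post, added here as an example and not the poster's own policy. Host names, bundle and body names, the layout of the per-host file and the hash value are constructed placeholders; the step that copies the file to inputs/perhost.cf is left out.

```cf3
# --- policy hub: each host may fetch only its own per-host file ---
bundle server perhost_access
{
  access:
    "/opt/cfengineconfig/perhost/host1.example.com.config"
      admit => { "host1.example.com" };
    "/opt/cfengineconfig/perhost/host2.example.com.config"
      admit => { "host2.example.com" };
}

# --- perhost.cf as generated for host1 (placeholder hash, not a real one) ---
bundle common perhost
{
  vars:
    "root_hash" string => "$6$CONSTRUCTEDSALT$CONSTRUCTED.HASH.PLACEHOLDER";
  classes:
    "has_perhost" expression => "any";
}

# --- every host: set root's hash only when the per-host data is present ---
bundle agent root_password
{
  classes:
    "have_root_hash" expression => isvariable("perhost.root_hash");
  files:
    has_perhost.have_root_hash::
      "/etc/shadow"
        comment       => "Keep root's hash equal to the per-host value",
        edit_line     => set_shadow_hash("root", "$(perhost.root_hash)"),
        edit_defaults => no_shadow_backup;
}

bundle edit_line set_shadow_hash(user, hash)
{
  field_edits:
    "$(user):.*"
      edit_field => shadow_col("2", "$(hash)");
}

body edit_field shadow_col(col, val)
{
  field_separator    => ":";
  select_field       => "$(col)";
  value_separator    => ",";
  field_value        => "$(val)";
  field_operation    => "set";
  allow_blank_fields => "true";
}

# Do not leave a .cf-before-edit copy of shadow beside the original.
body edit_defaults no_shadow_backup { edit_backup => "false"; }
```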