Forum: CFEngine Help
Subject: Re: unit_root_passwd.cf
Author: trumpjk
Link to topic: https://cfengine.com/forum/read.php?3,26164,26166#msg-26166
I am new to cfengine so forgive me if I do not give you exactly what you want
the first time.
I create a file /var/cfengine/ppkeys/rootpw.txt which contains a single line:
:HASH:
Below if the unit_root_passwd.cf. I made appropriate changes so my cfengine
master hostname is correct in the file:
# Copyright (C) Cfengine AS
# This file is part of Cfengine 3 - written and maintained by Cfengine AS.
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; version 3.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
# To the extent this program is licensed as part of the Enterprise
# versions of Cfengine, the applicable Commerical Open Source License
# (COSL) may apply to this file if you as a licensee so wish it. See
# included file COSL.txt.
######################################################################
#
# Root password distribution
#
######################################################################
body common control
{
version => "1.2.3";
bundlesequence => { "SetRootPassword" };
}
########################################################
bundle common g
{
vars:
"secret_keys_dir" string => "/tmp";
}
########################################################
bundle agent SetRootPassword
{
files:
"/var/cfengine/ppkeys/rootpw.txt"
copy_from => scp("$(fqhost)-root.txt","master_host.example.org");
# or $(pw_class)-root.txt
# Test this on a copy
"/tmp/shadow"
edit_line => SetPasswd("root");
}
########################################################
bundle edit_line SetPasswd(user)
{
vars:
# Assume this file contains a single string of the form :passwdhash:
# with : delimiters to avoid end of line/file problems
"gotpw" int =>
readstringarray("pw","$(sys.workdir)/ppkeys/root-pw.txt","#[^\n]*",":","3","200");
field_edits:
"$(user).*"
# Set field of the file to parameter
# File has format root:HASH: or user:HASH:
edit_field => col(":","2","$(pw[1])","set");
}
########################################################
bundle server passwords
{
vars:
# Read a file of format
#
# classname: host1,host2,host4,IP-address,regex.*,etc
#
"pw_classes" int =>
readstringarray("acl","$(g.secret_keys_dir)/classes.txt","#[^\n]*",":","100","4000");
"each_pw_class" slist => getindices("acl");
access:
"/secret/keys/$(each_pw_class)-root.txt"
admit => splitstring("$(acl[$(each_pw_class)][1])" , ":" , "100"),
ifencrypted => "true";
}
########################################
# Bodies
########################################
body edit_field col(split,col,newval,method)
{
field_separator => "$(split)";
select_field => "$(col)";
value_separator => ",";
field_value => "$(newval)";
field_operation => "$(method)";
extend_fields => "true";
allow_blank_fields => "true";
}
########################################
body copy_from scp(from,server)
{
source => "$(from)";
compare => "digest";
encrypt => "true";
verify => "true";
}
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
