I'm assuming I'm not the first to encounter this - the scenario is a group of admins who have so far run mainly Linux and some Solaris, and who have a fairly well developed Puppet setup for maintaining among other things local users for admins to log in and fix, running sudo as required. For non-admin role users, LDAP (AD) is considered good enough, but that's out of scope here.
The interesting part is when we start introducing OpenBSD machines to the mix, and creating users with the password hashes from Linux or Solaris fails, apparently because the hashes are not bcrypt hashes.

I see two obvious solutions to this. Either

1) skip password logins, require key logins for all local users (they're admins after all), tackle any extra privilege needs via specific sudo or doas config, or

2) maintain a separate set of user definitions with bcrypt hashes for the OpenBSD boxes in the Puppet setup. Then supplement as before with sudo or doas tricks.

My next question is, what other workable options are there? When you found yourself in a similar situation, introducing OpenBSD to an existing environment of other unixes, what did you do? Are there other solutions out there, possibly with more sophisticated approaches than the ones I've mentioned here?

Good suggestions may merit a beverage of choice (within reason) at the first possible opportunity.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
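Added example, not part of the original post: a pre-flight audit that reads Linux-style shadow lines and reports which admin accounts already carry a bcrypt hash, which would need a separate bcrypt definition (option 2), and which have no password and are key-only (option 1). The function names, the sample entries and the rule that only well-formed `$2a$`/`$2b$` strings are usable on the OpenBSD hosts are assumptions of this example.

```python
import re

# Modular crypt format prefix -> scheme name.
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt"}
# Assumption: the OpenBSD hosts accept only well-formed $2a$/$2b$ bcrypt strings.
BCRYPT_RE = re.compile(r"^\$2[ab]\$\d{2}\$[./A-Za-z0-9]{53}$")
# Constructed sample entries; the hash bodies are filler, not real hashes.
SAMPLE = "\n".join([
    "alice:$6$constructedsalt$" + "A" * 86 + ":19000:0:99999:7:::",
    "bob:$2b$10$" + "B" * 53 + ":19000:0:99999:7:::",
    "carol:!:19000:0:99999:7:::",
    "dave:$1$salt$" + "C" * 22 + ":19000:0:99999:7:::",
    "erin:$2b$10$tooshort:19000:0:99999:7:::",
])

def classify(field):
    """Return (scheme, locked) for one shadow-style password field."""
    locked = field.startswith(("!", "*"))   # Linux lock/no-login markers
    body = field.lstrip("!*")
    if not body:
        return ("none", locked)
    m = re.match(r"^\$([0-9a-z]+)\$", body)
    if m:
        return (SCHEMES.get(m.group(1), "unknown"), locked)
    return ("legacy-or-unknown", locked)    # no $id$ prefix, e.g. old DES crypt

def audit(shadow_text):
    """Map each user to the action needed before pushing the entry to OpenBSD."""
    report = {}
    for line in shadow_text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        scheme, _locked = classify(field)
        if scheme == "none":
            report[user] = "key-only"              # nothing to translate
        elif scheme == "bcrypt":
            ok = BCRYPT_RE.match(field.lstrip("!*"))
            report[user] = "ok" if ok else "malformed-bcrypt"
        else:
            report[user] = "needs-bcrypt:" + scheme
    return report

if __name__ == "__main__":
    for user, action in audit(SAMPLE).items():
        print(user, action)
```

A hash cannot be converted from one scheme to another, so every `needs-bcrypt` account requires the user to set a new password (or move to key-only login) before its OpenBSD definition can be generated.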