On 02/05/16 08:33, Peter N. M. Hansteen wrote:
I'm assuming I'm not the first to encounter this - the scenario is a group of admins who have so far run mainly Linux and some Solaris, and who have a fairly well developed Puppet setup for maintaining among other things local users for admins to log in and fix, running sudo as required. For non-admin role users, LDAP (AD) is considered good enough, but that's out of scope here.

The interesting part is when we start introducing OpenBSD machines to the mix, and creating users with the password hashes from Linux or Solaris fails, apparently because the hashes are not bcrypt hashes.

I see two obvious solutions to this. Either
1) skip password logins, require key logins for all local users (they're admins after all), tackle any extra privilege needs via specific sudo or doas config, or
2) maintain a separate set of user definitions with bcrypt hashes for the OpenBSD boxes in the puppet setup. Then supplement as before with sudo or doas tricks.

My next question is, what other workable options are there? When you found yourself in a similar situation, introducing OpenBSD to an existing environment of other unixes, what did you do? Are there other solutions out there, possibly with more sophisticated approaches than the ones I've mentioned here?

Good suggestions may merit a beverage of choice (within reason) at the first possible opportunity.
Maybe a bit late to the show, but I guess you may use Hiera to separate modules/code from parameters?

:hierarchy:
  - 'ENC/%{clientcert}'
  - 'default/%{kernel}'
  - '%{kernel}'
  - role/xxx
  - ...
  - global

In your hiera.yaml, you may have a %{kernel} or %{operatingsystem} or the like where you can throw in different values for different OSs/algorithms. Then use recursive lookups like "%{hiera('mypasswordhash')}" in the global.yaml where you define the users.

BTW: If you don't want to store the plain hashes in git (you use r10k?) or whatever, or generally want to encrypt sensitive data in Hiera, take a look at hiera-eyaml. Works well for me.
cheers,
Sebastian
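As an added illustration of the layout Sebastian describes (example data, not from either poster), here is a Hiera 3 tree in which the user definitions live once in global.yaml and only the per-platform values (crypt scheme, shell) are looked up through the kernel level of the hierarchy. Every file name, the `%{::kernel}` fact use, the key names and the hash strings are assumptions; the hashes are format-shaped placeholders, not real credentials, and would be produced with `openssl passwd -6` (sha512crypt on Linux) and `encrypt -b 10` (bcrypt on OpenBSD).

```yaml
# Added example, not part of the thread. Several files are shown in one block;
# the "---- path ----" comments mark where each one starts.

# ---- hiera.yaml --------------------------------------------------------------
---
:backends:
  - eyaml                  # hiera-eyaml first, so ENC[...] values in any file decrypt
  - yaml
:yaml:
  :datadir: /etc/puppetlabs/code/environments/%{::environment}/hieradata
:eyaml:
  :datadir: /etc/puppetlabs/code/environments/%{::environment}/hieradata
  :extension: 'yaml'       # let the eyaml backend read the same .yaml files
  :pkcs7_private_key: /etc/puppetlabs/puppet/keys/private_key.pkcs7.pem
  :pkcs7_public_key:  /etc/puppetlabs/puppet/keys/public_key.pkcs7.pem
:hierarchy:
  - 'ENC/%{::clientcert}'
  - 'default/%{::kernel}'  # Linux, SunOS, OpenBSD (top-scope fact, hence "::")
  - global

# ---- hieradata/default/Linux.yaml (sha512crypt; placeholders, not real hashes) ----
---
admin_shell: /bin/bash
admin_hash_peter: '$6$PLACEHOLDERSALT$PLACEHOLDER_SHA512CRYPT_HASH'
# With hiera-eyaml the line above can instead be the output of
#   eyaml encrypt -s '$6$...'
# i.e. admin_hash_peter: ENC[PKCS7,<base64 ciphertext>]

# ---- hieradata/default/SunOS.yaml (whatever crypt(3) scheme the box allows) ----
---
admin_shell: /bin/bash
admin_hash_peter: '$5$PLACEHOLDERSALT$PLACEHOLDER_SHA256CRYPT_HASH'

# ---- hieradata/default/OpenBSD.yaml (bcrypt; placeholder, not a real hash) ----
---
admin_shell: /bin/ksh
admin_hash_peter: '$2b$10$PLACEHOLDERSALTPLACEHOLDERS$PLACEHOLDER_BCRYPT_HASH'

# ---- hieradata/global.yaml: one user definition for every platform -------------
---
admin_users:
  peter:
    ensure:     present
    managehome: true
    shell:      "%{hiera('admin_shell')}"        # resolved per kernel
    password:   "%{hiera('admin_hash_peter')}"   # resolved per kernel, right scheme
```

On the Puppet side the whole hash can then be fed to the user type with `create_resources('user', hiera_hash('admin_users'))`; the `%{hiera(...)}` strings are interpolated when `admin_users` is looked up, so the OpenBSD nodes receive the bcrypt value and the Linux nodes the sha512crypt one without duplicating the user list. Option 1 from the original question (key-only logins) fits the same layout: leave the `password` key out of global.yaml and ship the ssh key through a separate `ssh_authorized_key` hash instead.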