I am not sure everyone is on the same page:

1. you don't want to have the root password (encrypted or not) showing up in the process listing of your clients.
2. even if you are generating the password on the master, it is going to show up in the yaml on the client, and if that is the case, it would seem to me that puppet's "user" type would be a much more logical and explicit place to set it.

If you want puppet to manage the password, I don't think it gets any more secure than the user type. I guess if you had multiple admins writing manifests, and you were trying to prevent them from seeing the encrypted string, you could store it in a file that the puppetmaster could read (and they could not), distribute that file via the file type, and then use something like chpasswd to read the file, but that's really only more obscure rather than secure (the manifest writer could just pull down the file and chown it to themselves...).

- Chad

On Wed, May 6, 2009 at 5:47 PM, Ryan Dooley <ryan.doo...@gmail.com> wrote:
>
> We sort of do this: we set a global $password in our site.pp. That
> $password is an MD5 string. My environment is currently all Linux.
>
> Then, in our base module we have:
>
> exec {
>     "set-root-password":
>         path    => "/usr/sbin:/sbin",
>         command => "/bin/echo root:$password | /usr/sbin/chpasswd -e",
> }
>
> It's obviously not very portable but eh.
>
> Cheers,
> Ryan
>
> On Wed, 2009-05-06 at 09:24 -0500, Evan Hisey wrote:
>> On Wed, May 6, 2009 at 2:51 AM, 骡骡 <ken.g...@gmail.com> wrote:
>> >
>> > in 1st day of each month, change passwd of root.
>> >
>> > # vi /etc/puppet/modules/user/manifests/init.pp
>> >
>> > class user {
>> >     exec { "rootpw":
>> >         command => "/usr/sbin/usermod -p $rootpw root",
>> >         onlyif  => "/usr/bin/test `/bin/date -d now +%d` = '01'",
>> >     }
>> > }
>> >
>> > # vi /etc/puppet/manifests/templates.pp
>> > import user
>> > node basenode {
>> >     $rootpw = "Vale.com-init"
>> >     include user
>> > }
>> >
>> This just looks like a bad way to handle things. Given that you are
>> going to manually set the password for puppet to use anyway why not
>> use something like this: <Warning this has not been tested>
>>
>> class update_pw{
>>     user{"root":
>>         ensure   => present,
>>         password => generate("/opt/new_passwd.sh"),
>>     }
>> }
>>
>> On the server /opt/new_passwd.sh would look like this:
>> #!/bin/bash
>> passwd=foobar
>> openssl passwd -crypt "$passwd"
>>
>> This method should provide solutions to several problems with the
>> initial approach. You now have the password out of the manifests and
>> only have to secure one file. It will be handled by puppet as an
>> encrypted password so it will go over the wire encrypted. It will now
>> only change the password if the password parsed by the generate
>> command changes.
>>
>> Evan
>>

-- 
Chad M. Huneycutt
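
The two alternatives described in the top reply (the user type, and a restricted file fed to chpasswd), written out as an added example that is not code from any poster in this thread. It assumes current Puppet syntax; the class names, the /root/.rootpw path, the module file source and the hash are constructed placeholders.

```puppet
# Added example. Class names, paths and the hash are constructed
# placeholders, not values from the thread.

# Alternative 1: manage the hash as a property of the user resource.
# Puppet compares it with the current value and only acts when they
# differ, unlike an exec with no condition, which runs its command
# line on every agent run.
class rootpw::usertype {
  user { 'root':
    ensure   => present,
    # Single quotes: "$" must not be interpolated by Puppet.
    password => '$1$CONSTRUCT$PlaceholderHashNotARealOne00',
  }
}

# Alternative 2: ship a root-only file and let chpasswd read it.
# The hash is in the file's content, so the exec command string holds
# only the file path. The file must contain one line: root:<hash>
class rootpw::fromfile {
  file { '/root/.rootpw':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    # Hypothetical module path; restrict read access to this file on
    # the master to the puppetmaster user.
    source => 'puppet:///modules/rootpw/rootpw',
  }

  exec { 'apply-root-hash':
    command     => '/usr/sbin/chpasswd -e < /root/.rootpw',
    provider    => shell,        # needed for the "<" redirection
    refreshonly => true,         # run only when the file changes
    subscribe   => File['/root/.rootpw'],
  }
}
```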