On Aug 28, 8:18 am, jcbollinger <john.bollin...@stjude.org> wrote:
>
> It seems a bit strange to me that you are managing users' passwords
> for them in the first place. It is usually users' responsibility to
> manage their own passwords. If you really do want to manage passwords
> centrally, however, then why do you need a password expiration policy
> in the first place? Instead, just change the passwords on whatever
> schedule you choose. The point of enforcing an expiration policy is
> to protect against users failing to change their passwords, so it
> gains you nothing if users are not responsible for managing their
> passwords in the first place. Just turn it off.
Actually, these are the passwords for the 3 system administrators. We have to have an expiration policy to meet our security guidelines. We are not opposed to the policy of changing our passwords every 90 days, but we don't want to have to log into 15 different machines every 90 days to change it. Change it once in puppet, and be done with it.

We've considered distributed authentication mechanisms, but We Three Administrators [From Orient Are] the only users on the machines sans a few rare exceptions, so the trouble to configure NIS or LDAP didn't seem worthwhile.

Ultimately, Puppet should only update the last-changed field when the password *actually* changes, thereby allowing the individual machines to continue to support denied logins if the password has expired.

I think I made some minor progress, as it appears that the password handling is actually done by 'lib/puppet/provider/user/user_role_add.rb' (which makes no sense to me whatsoever), and despite everything to the contrary, doesn't actually use ruby-libshadow, but rather hand-writes the shadow file itself (which makes even less sense to me!). I'm testing whether this actually does what I think it does.
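
The behavior asked for above (bump the last-changed field only when the hash really differs, so an expired password stays expired), sketched in Ruby as an added example; it is not code from the original message or from Puppet's provider. The function names and the sample shadow line are constructed for illustration, and the code works on a string rather than on /etc/shadow.

```ruby
# Added illustration; not Puppet's provider code. All names are hypothetical.
SECONDS_PER_DAY = 86_400

# Constructed sample entry in shadow(5) layout (9 colon-separated fields):
# name:hash:last_changed:min:max:warn:inactive:expire:reserved
SAMPLE_HASH = '$6$constructed$oldhash'
SAMPLE = "admin1:#{SAMPLE_HASH}:14000:0:90:7:::"

# Days since the Unix epoch, the unit shadow(5) uses for last_changed.
def epoch_days(time)
  time.to_i / SECONDS_PER_DAY
end

# Return the shadow line with the desired hash applied. The last-changed
# field (index 2) is rewritten only when the hash (index 1) differs.
def apply_password(line, desired_hash, now)
  fields = line.chomp.split(':', -1) # -1 keeps trailing empty fields
  raise ArgumentError, 'expected 9 shadow fields' unless fields.length == 9
  return line.chomp if fields[1] == desired_hash # in sync: leave aging data alone

  fields[1] = desired_hash
  fields[2] = epoch_days(now).to_s
  fields.join(':')
end

# True when the entry's password aging says a change is due.
def expired?(line, now)
  fields = line.chomp.split(':', -1)
  last_changed = fields[2]
  max_age = fields[4]
  return true if last_changed == '0' # 0 forces a change at next login
  return false if last_changed.empty? || max_age.empty? # aging disabled

  epoch_days(now) > last_changed.to_i + max_age.to_i
end

if __FILE__ == $PROGRAM_NAME
  now = Time.now.utc
  puts "expired before run: #{expired?(SAMPLE, now)}"
  puts "unchanged hash: #{apply_password(SAMPLE, SAMPLE_HASH, now)}"
  puts "new hash:       #{apply_password(SAMPLE, '$6$constructed$newhash', now)}"
end
```

A resource that rewrote field 2 on every run would reset the aging clock and mask an overdue password; comparing the hash first keeps the 90-day policy enforceable on each machine.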