On Fri, Aug 28, 2009 at 8:15 AM, Kyle Mallory<jesuswasir...@gmail.com> wrote:
>
> On Aug 28, 8:18 am, jcbollinger <john.bollin...@stjude.org> wrote:
>>
>> It seems a bit strange to me that you are managing users' passwords
>> for them in the first place. It is usually users' responsibility to
>> manage their own passwords. If you really do want to manage passwords
>> centrally, however, then why do you need a password expiration policy
>> in the first place? Instead, just change the passwords on whatever
>> schedule you choose. The point of enforcing an expiration policy is
>> to protect against users failing to change their passwords, so it
>> gains you nothing if users are not responsible for managing their
>> passwords in the first place. Just turn it off.
>
> Actually, these are the passwords for the 3 system administrators. We
> have to have an expiration policy to meet our security guidelines. We
> are not opposed to the policy of changing our passwords every 90 days,
> but we don't want to have to log into 15 different machines every 90
> days to change it. Change it once in puppet, and be done with it.
> We've considered distributed authentication mechanisms, but We Three
> Administrators [From Orient Are] the only users on the machines sans a
> few rare exceptions, so the trouble to configure NIS or LDAP didn't
> seem worthwhile.
>
> Ultimately, Puppet should only update the last-changed field when the
> password *actually* changes, thereby allowing the individual machines
> to continue to support denied logins if the password has expired.
>
> I think I made some minor progress, as it appears that the password
> handling is actually done by 'lib/puppet/provider/user/
> user_role_add.rb' (which makes no sense to me whatsoever), and despite
> everything to the contrary, doesn't actually use ruby-libshadow, but
> rather hand-writes the shadow file itself (which makes even less sense
> to me!). I'm testing whether this actually does what I think
> it does.
>

I took a different and more hacky approach. I wrote a function that fetches the complete shadow line from the shadow file then pushes that line to the clients. So I get central password management (including aging rules), but each puppet client can stand on its own (in case nis, or ldap, or radius, etc. goes away). I enforce the password rules on my puppetmaster (that only sysadmins can login to). When a password expires, you change it on the puppetmaster, and it is pushed to all the clients. If anyone is interested in my configs, let me know and I can clean them up a bit and post them somewhere.

-Adam
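The behaviour Kyle asks for above, written out as an added example that is not part of this thread or of Puppet's own provider code: merge a centrally managed hash into a host's existing shadow entry, and bump the last-changed field only when the hash really differs, so the host's own expiration check keeps working. The shadow line and hashes are constructed sample values, not real credentials.

```ruby
# Added example (not from the thread or from Puppet). Fields of an /etc/shadow
# line, in order; lastchg/min/max/warn/inactive/expire are day counts since the epoch.
SHADOW_FIELDS = %w[name hash lastchg min max warn inactive expire flag].freeze

# Constructed sample entry: hash changed on day 14400, must rotate every 90 days.
SAMPLE_LINE = 'admin:$6$CONSTRUCTED$oldhash:14400:0:90:7:::'.freeze

def parse_shadow_line(line)
  values = line.chomp.split(':', -1) # -1 keeps trailing empty fields
  unless values.size == SHADOW_FIELDS.size
    raise ArgumentError, "expected #{SHADOW_FIELDS.size} fields, got #{values.size}"
  end
  SHADOW_FIELDS.zip(values).to_h
end

def format_shadow_line(entry)
  SHADOW_FIELDS.map { |f| entry[f] }.join(':')
end

# Returns [new_line, changed?]. The lastchg field is rewritten only when the
# hash actually differs, so re-applying the same hash never resets aging.
def merge_password(existing_line, new_hash, today_days = Time.now.to_i / 86_400)
  entry = parse_shadow_line(existing_line)
  return [format_shadow_line(entry), false] if entry['hash'] == new_hash

  entry['hash'] = new_hash
  entry['lastchg'] = today_days.to_s
  [format_shadow_line(entry), true]
end

# What login(1) effectively checks: last change + max age is in the past.
def password_expired?(line, today_days = Time.now.to_i / 86_400)
  entry = parse_shadow_line(line)
  return false if entry['max'].empty? || entry['lastchg'].empty?

  entry['lastchg'].to_i + entry['max'].to_i < today_days
end
```

Because an unchanged hash leaves lastchg alone, a host whose admin password has aged past max still denies the login even though the master keeps pushing the same entry.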