Andreas Mohrhard <anu...@gmail.com> writes:

> I'm currently evaluating puppet for use in our server environment (2+
> physical machines and something over a dozen xen instances). I want to use
> it mainly for managing the ssh keys and creating and maintaining accounts
> for the developers and admins (which work in like 3 groups). So I got three
> groups of users (admin, test, production) or something.
[...]

> I read up on user and group creation and ssh key distribution. The only
> thing I can't wrap my head around is how I should handle passwords.

I would strongly advise that you deploy an LDAP-backed PAM and NSS system,
rather than trying to do all this locally. While it introduces another
dependency into your boot process and network, it substantially reduces the
complexity of doing all this.

> Until the point where sudo comes in I won't need any passwords at all in
> everyday use but allowing the users to simply sudo without a password seems
> a bit strange to me.

It would not fit our business security requirements, but it might fit yours,
and is certainly the simplest option.

> So the users would need a password. Or I could simply allow root login to
> our dev/test/production machines from login.example.com thus eliminating
> the need for sudo and the passwords.

Bad idea: shared accounts always lead to trouble, even if it is only the
trouble of having to distribute the password when someone goes to work for the
competition.

> Is that possible to do with puppet or have I any weird ideas in there?
> I'm open for suggestions.

The only local password distribution model I have ever seen work was where you
changed the password on the master system, then distributed the changed hash
to all the client machines.

In the puppet world that would mean "on the puppetmaster", and "reading
/etc/shadow somehow". Don't do that though.

Daniel

--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons