I've created a Puppet module which will check a specified user for password
age, and if it is older than a specified amount, then it will first generate
a random password, change the user's password to this, and will then update
(or create) the stored password as held in the Secret Server application
(via the SecretServer API) -- see http://www.thycotic.com/. This means
that we don't need to allow SecretServer to log in remotely as root to do
the job itself, and we can receive notification (via Puppet reports) when
this has been done.
So far this only works for Linux but it should be simple to make it work for
other OSes.
Usage is:

  password { 'user': age=>30, username=>'user' }
with both parameters optional.  We will use this to autorotate passwords on
non-user accounts (root, oracle) since account expiry causes crontabs to
stop working and we cannot lock the accounts or disable expiry due to
functionality and security requirements.
Is anyone already using SecretServer interested in testing a copy?  There
are a couple of caveats with it but things are looking good so far.
Steve

Steve Shipway

st...@steveshipway.org

Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for Windows
Event Log monitoring; check_vmware plugin for VMWare monitoring in Nagios
and MRTG; and other Open Source projects.

Web: http://www.steveshipway.org/software
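An added example in Ruby (not code from Steve's module) showing the check the module performs before rotating: read the shadow(5) last-change field for a user, compare the resulting age in days with the threshold, and generate a replacement password from the OS CSPRNG. The shadow content is constructed with fake hashes, and the Secret Server API update step is left out.

```ruby
require 'securerandom'
require 'date'

# Days since 1970-01-01, the unit of the shadow(5) "last change" field.
def days_since_epoch(date)
  (date - Date.new(1970, 1, 1)).to_i
end

# Parse one /etc/shadow line; :last_change is nil when the field is empty.
def parse_shadow_line(line)
  fields = line.chomp.split(':', -1)
  raise ArgumentError, "malformed shadow entry: #{line.inspect}" if fields.size < 3
  { name: fields[0],
    last_change: fields[2].empty? ? nil : fields[2].to_i }
end

# Password age in days for +username+; nil if no entry or no change date.
def password_age_days(shadow_text, username, today = Date.today)
  shadow_text.each_line do |line|
    entry = parse_shadow_line(line)
    next unless entry[:name] == username
    return nil if entry[:last_change].nil?
    return days_since_epoch(today) - entry[:last_change]
  end
  nil
end

# Rotation is due only when the age is known and exceeds max_age days.
def rotation_due?(shadow_text, username, max_age, today = Date.today)
  age = password_age_days(shadow_text, username, today)
  !age.nil? && age > max_age
end

# Replacement password drawn from the OS CSPRNG (SecureRandom).
def generate_password(length = 24)
  alphabet = [*'a'..'z', *'A'..'Z', *'0'..'9', *'!@#%^&*-_=+'.chars]
  Array.new(length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end

# Constructed sample shadow content with fake hashes: root last changed on
# day 15000, oracle on day 15340, daemon has no recorded change date.
SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$fakesalt$fakehash:15000:0:99999:7:::
  oracle:$6$fakesalt$fakehash:15340:0:99999:7:::
  daemon:*::0:99999:7:::
SHADOW
```

An account with an empty last-change field is reported as unknown rather than overdue, so the rotation does not fire on entries that carry no date.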