I have been asked to set a password for a user so it is unique on every single host we support. I have a script that generates the password and I had pulled it in via a generate call. The script takes in two facter values to be used to aid in generating the password.

    # Generate the password hash on the master from two fact values
    $myvar = generate("/bin/sh", "myscript.sh", "value1", "value2")

    user { 'bob':
      password => "${myvar}",
    }

This value is coming in as expected. When I pass it to the password => block it gets set as expected. Cool, but then it isn't. Each time puppet runs for the host, it keeps changing the user's password hash even though the hash from the script is the same as that on the host. Even that could be acceptable, except, these hosts are audited for password changes. Root being shown as updated every puppet run fails the audit. When I define it as a static hash aka '$1$salt$ab12k3oa01ksf01810' it doesn't keep resetting the password.

    Notice: Local environment: 'production' doesn't match server specified node environment 'passfix', switching agent to 'passfix'.
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Info: Caching catalog for tlistmrrh511.myhost.net
    Info: Applying configuration version '1539886469'
    *Notice: /Stage[main]/Users::mypassword/User[bob]/password: created password*
    Notice: Applied catalog in 4.52 seconds
    [root@tlistmrrh511 ~]#
    [root@tlistmrrh511 ~]# puppet agent -tv
    Notice: Local environment: 'production' doesn't match server specified node environment 'passfix', switching agent to 'passfix'.
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Info: Caching catalog for tlistmrrh511.myhost.net
    Info: Applying configuration version '1539886484'
    *Notice: /Stage[main]/Users::myassword/User[bob]/password: created password*
    Notice: Applied catalog in 4.36 seconds

I have tried a number of ways to get this to work inside puppet without using exec. Searching on this came up with creating custom facts to get the hash or Hiera, which we don't use, to do this step. Having user hashes available as a fact won't pass an audit either. Basically this all needs to happen on the Puppet master and be pushed to all clients.

It seems that Puppet has a way to compare the old hash with the new one when the hash is put between ' ', but I'm passing in a var. I don't see any indication of why it is failing the comparison. I have even set passwd => generate(... and it behaves the same way.

What am I doing wrong here? It is quite frustrating.

Thanks