Sam Rowe wrote:
> We use a script like this, but we make it a Custom 404 in Apache. When
> a machine installs, it requests its keys and if they don't exist the
> 404 handler gets called. It then creates the key and spits it out as
> if it had been there the whole time.
>
I'm curious, how do you
A couple of minor revisions.
1) Thank you Ohad Levy for the original cgi script. Sorry about not
giving you credit.
2) if [ '$NVRAM' == 'no' ]; then
should be
if [ "$NVRAM" == 'no' ]; then
---
Thanks,
Allan Marcus
505-667-5666
On Jul 9, 2009, at 7:12 PM, Allan Marcus wrote:
>
> Putting it
Absolutely. Here is my startup script that sets the hostname of the computer
each time it starts up:
scutil --set HostName `system_profiler SPHardwareDataType | grep "Serial Number:" | cut -d':' -f2 | tr "[:upper:]" "[:lower:]"`
scutil --set ComputerName `system_profiler SPHardwareDataType | grep
On Fri, Jul 10, 2009 at 7:32 AM, Kurt Engle wrote:
> This is fantastic. I think something like this will be very useful in
> managing a large number of Macintosh clients. It is certainly the help and
> outcome that I was looking for when I started this thread. A big "Thank You"
> to Allan and ever
This is fantastic. I think something like this will be very useful in
managing a large number of Macintosh clients. It is certainly the help and
outcome that I was looking for when I started this thread. A big "Thank You"
to Allan and everyone else that contributed.
I took a little different but s
Putting it all together, here's what I have for cert management on Macs.
1) A launchd job to launch puppet every hour
2) a script on the client to determine a unique attribute of the Mac
and use it for cert name
3) a CGI on the server to clean a cert if the machine was re-imaged
3a) note: alter
certnames in puppet have to be lowercase, that was probably your issue.
Here's the script I'm going to use to execute puppet on my macs. I
will have a launchd job that executes the script every hour. You might
be able to extract what you need from this script
---
Thanks,
Allan Marcus
505-667
The code is incredibly insecure. All a bad guy has to do is add
%3becho%20test%20%3E%20/tmp/test
to the url and a file called test is written to /tmp. Of course a
really bad guy would know how to exploit a system call in a CGI much
better than me.
My ruby is very very limited, so if you c
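The injection Allan describes, shown as an added example that is not Ohad's gist (http://gist.github.com/140457) and not Allan's script. The vulnerable function splices the decoded certname into a command line the way the thread's CGI does; the hardened one validates the name and passes it as a single argument with no shell in between. PUPPETCA defaulting to "true" and the /usr/sbin/puppetca path are assumptions so the file runs without a puppetmaster.

```shell
#!/bin/sh
# Added example, not the thread's CGI: Allan's payload next to the check
# that stops it. PUPPETCA defaults to "true" so this runs anywhere; on a
# real server it would be /usr/sbin/puppetca (an assumption about paths).
PUPPETCA="${PUPPETCA:-true}"

# Decode %XX escapes and '+' the way QUERY_STRING arrives from the web
# server. POSIX sh only (no bash-specific \x escapes in printf).
urldecode() {
    s=$1
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}; hex=${hex%"${hex#??}"}
                printf "\\$(printf '%03o' "$((0x$hex))")"
                s=${s#???} ;;
            +*) printf ' '; s=${s#+} ;;
            *)  printf '%s' "${s%"${s#?}"}"; s=${s#?} ;;
        esac
    done
}

# What the thread's CGI does: splice the decoded name into a command line.
# With Allan's payload the shell sees
#   true --clean host;echo test > /tmp/test
# and runs both commands. Deliberately vulnerable; do not deploy.
clean_cert_unsafe() {
    name=$(urldecode "$1")
    eval "$PUPPETCA --clean $name"
}

# Puppet certnames are lowercase host names, so anything outside
# [a-z0-9.-], an empty name, ".." or a leading '-' (which puppetca would
# read as an option) is rejected before any command runs.
valid_certname() {
    case $1 in
        ''|-*|*[!a-z0-9.-]*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hardened: validate, then pass the name as one argument with no eval,
# so the shell never parses attacker-controlled text.
clean_cert_safe() {
    name=$(urldecode "$1")
    if ! valid_certname "$name"; then
        printf 'Status: 400 Bad Request\n\nrefused: bad certname\n'
        return 2
    fi
    "$PUPPETCA" --clean "$name"
}
```

The web server account still needs sudo to run puppetca, as Ohad says; the point of the allow-list is that the only thing sudo can ever be asked to run is "puppetca --clean <one validated name>".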
Allan, thanks for all your help and suggestions with Mac scripts. I am
getting closer to the configuration that I want. Thanks for the 'lingon'
suggestion, makes life easier.
I would like to force puppetd into using the hostname of the client device
when requesting a cert from the puppetmaster. Is
On Fri, Jul 3, 2009 at 9:12 AM, Gary Larizza wrote:
>
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still being run on the client because the client is
> using a cached config (am I right on this guys?).
>
> I love the scripted ssh key, but ALSO love the PH
On Thu, Jul 9, 2009 at 4:18 AM, Kurt Engle wrote:
> So are you wanting the cert cleaning and creation to happen every time a
> client contacts the puppetmaster?
>
> What I am looking for is a script that will run on a newly imaged client
> that runs at bootup before the puppetd process is started.
generally speaking, here's how you get a script to run at start up on
the mac.
sudo vi /Library/LaunchDaemons/MyStartUpScript.plist
paste in the following:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.mycompany.MyStartUpScript</string>
    <key>Nice</key>
    <integer>20</integer>
Ugh, can't type.
I tried to say that I am _now_ thinking of using the fqdn name switch,
but as I look into it more, I think the --certname switch will work.
here's my plan: I will have a launchd job run a script every hour. The
script will simply do something like this (this is logical, so ign
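The client side of the plan above (a launchd job every hour, a certname derived from the Mac's serial number, puppetd run with --certname), combined with the launchd how-to earlier in the thread, as one added example. This is not Allan's script; the example.com domain, the label, the script path and the puppetd flags are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: derive the certname from the serial
# number and install an hourly LaunchDaemon that runs puppet with it.
# DOMAIN, the label and the paths below are assumptions.
DOMAIN="${DOMAIN:-example.com}"

# Input: the raw "Serial Number (system): W87123ABCDE" line that
# system_profiler prints (the label varies by OS X release, so match the
# prefix rather than a column). Output: a lowercase certname, which is
# what Puppet requires.
certname_from_serial() {
    serial=${1#*Serial Number*:}
    serial=$(printf '%s' "$serial" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case $serial in
        ''|*[!a-z0-9]*) return 1 ;;   # refuse empty or odd serials
    esac
    printf '%s.%s\n' "$serial" "$DOMAIN"
}

# What the hourly job runs on the Mac (not executed here: needs OS X).
run_puppet() {
    cn=$(certname_from_serial "$(system_profiler SPHardwareDataType | grep 'Serial Number')") || exit 1
    /usr/sbin/puppetd --onetime --no-daemonize --certname "$cn" --server "puppet.$DOMAIN"
}

# Write a LaunchDaemon plist that runs $3 at boot and every hour after.
write_launchd_plist() {
    path=$1; label=$2; script=$3
    cat > "$path" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
        <string>$script</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>3600</integer>
</dict>
</plist>
EOF
}

# Install on a Mac (launchctl is OS X only):
#   sudo write_launchd_plist /Library/LaunchDaemons/com.example.puppet.plist \
#        com.example.puppet /usr/local/bin/run-puppet.sh
#   sudo launchctl load /Library/LaunchDaemons/com.example.puppet.plist
```

The serial is validated before it becomes a certname so that a machine with an unexpected serial string fails loudly rather than registering under a garbage name.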
Sorry, I didn't mean the db for store configs. My issue with using the FQDN
is for machines that use dhcp and might not have the same host name,
and when building a machine behind a router, in which case more than
one machine might have the same host name.
I'm not thinking of using the --fqdn swi
As I understand it, if the client has a new set of certs, when the
client talks to the server the server will reject the client since the
certs on the client don't match what the server signed. The answer
when the client has a new set of certs is to run a puppetca --clean
on the server (a
So are you wanting the cert cleaning and creation to happen every time a
client contacts the puppetmaster?
What I am looking for is a script that will run on a newly imaged client
that runs at bootup before the puppetd process is started. That script would
delete any cert on the puppetmaster and the
ok, makes sense. If I did this, would I need the -S in the sudo command?
---
Thanks,
Allan Marcus
505-667-5666
On Jul 6, 2009, at 8:41 AM, Ohad Levy wrote:
>
> cgi runs with the user which runs the web server, so for example if
> you use apache, give sudo rights to apache account to execute
cgi runs with the user which runs the web server, so for example if
you use apache, give sudo rights to apache account to execute
puppetca.
Ohad
On 7/6/09, Allan Marcus wrote:
>
> How does the cgi script execute a sudo?
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
> On Jul 3, 2009,
How does the cgi script execute a sudo?
---
Thanks,
Allan Marcus
505-667-5666
On Jul 3, 2009, at 11:10 PM, Ohad Levy wrote:
> here you go, its fetched from a much bigger website, so I didn't
> really test it, but worth a shot :)
>
> http://gist.github.com/140457
>
> cheers,
> Ohad
>
> On Fr
here you go, its fetched from a much bigger website, so I didn't really test
it, but worth a shot :)
http://gist.github.com/140457
cheers,
Ohad
On Fri, Jul 3, 2009 at 9:12 PM, Gary Larizza wrote:
>
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still bein
On Jul 3, 12:51 pm, Christopher Webber wrote:
> I am currently working on doing a very similar thing with kickstart.
> There are two ways you can deal with the hostname... have PHP do an
> nslookup for the ipaddress that is connecting (preferred for security
> reasons), or just pass it as
I am currently working on doing a very similar thing with kickstart.
There are two ways you can deal with the hostname... have PHP do an
nslookup for the ipaddress that is connecting (preferred for security
reasons), or just pass it as an argument to the PHP script.
Chris
On Jul 3, 2009, at
Gary Larizza wrote:
> I love where this thread is going, I too share in this problem.
>
> Kurt: Puppet is still being run on the client because the client is
> using a cached config (am I right on this guys?).
>
> I love the scripted ssh key, but ALSO love the PHP script that could
> be CURL-ed
I love where this thread is going, I too share in this problem.
Kurt: Puppet is still being run on the client because the client is
using a cached config (am I right on this guys?).
I love the scripted ssh key, but ALSO love the PHP script that could
be CURL-ed from the client. Will a PHP scri
On Thu, Jul 2, 2009 at 1:29 PM, Allan Marcus wrote:
> from what I can tell, this is almost a great idea, except that by
> using the command="/usr/sbin/puppetca", we would be ignoring any
> command passed to the ssh session. The best I can figure there would
> be no way to restrict the ssh session
from what I can tell, this is almost a great idea, except that by
using the command="/usr/sbin/puppetca", we would be ignoring any
command passed to the ssh session. The best I can figure there would
be no way to restrict the ssh session to just the puppetca command and
pass the certname t
What about just running a "puppetca --clean --all" every night? Not
pretty, but would it work?
-Allan
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to pupp
nice!
Would this directive also stop scp, sftp, or anything else I can't
think of?
---
Thanks,
Allan Marcus
505-667-5666
On Jul 2, 2009, at 10:24 AM, Michael Semcheski wrote:
>
> On Thu, Jul 2, 2009 at 12:21 PM, Allan Marcus wrote:
>> Would I need to write a bunch of fugly stuff in my ssh
On Thu, Jul 2, 2009 at 12:21 PM, Allan Marcus wrote:
> Would I need to write a bunch of fugly stuff in my sshd_config to
> limit what the puppet user can do via the ssh command? any examples?
You put the client's key in /root/.ssh/authorized_keys. All you need
to do is prepend this to it:
comma
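The forced-command approach Michael describes and Allan's questions about restricting the session, as an added example that is not code from the thread. sshd runs the command= program instead of whatever the client requested (a shell, scp and sftp included) and passes the requested command line in SSH_ORIGINAL_COMMAND, which is what the wrapper below inspects. The /usr/local/bin path, the "puppet" account, the key file and PUPPETCA defaulting to "true" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: forced command for the Mac's key on
# the puppetmaster. The authorized_keys entry pinning the key to it
# (paths and account are assumptions):
#   command="/usr/local/bin/puppetca-clean",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... puppet-client
# The Mac then runs:
#   ssh -i /etc/puppet/clean_key puppet@puppetmaster "clean $certname"
PUPPETCA="${PUPPETCA:-true}"    # /usr/sbin/puppetca on a real server

# Lowercase DNS-style names only; no options, no empty name, no "..".
valid_certname() {
    case $1 in
        ''|-*|*[!a-z0-9.-]*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept exactly "clean <certname>" and nothing else. The request comes
# from $1 when given (so it can be tested) and from sshd otherwise.
puppetca_clean_request() {
    req=${1-${SSH_ORIGINAL_COMMAND-}}
    case $req in
        clean\ *) name=${req#clean } ;;
        *) printf 'refused: %s\n' "$req" >&2; return 2 ;;
    esac
    if ! valid_certname "$name"; then
        printf 'refused: bad certname %s\n' "$name" >&2
        return 2
    fi
    "$PUPPETCA" --clean "$name"
}

# Entry point when sshd runs this file; skipped when there is no request.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    puppetca_clean_request "$SSH_ORIGINAL_COMMAND"
    exit $?
fi
```

Because the key can only ever trigger this script, a stolen client key buys an attacker the ability to clean one validated certname per call and nothing else; "--all", shell metacharacters and scp or sftp requests are all refused before puppetca runs.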
It appears the ssh keys would have to be for the puppet user on the
puppetmasterd server. How can I be assured that the key is not used
for evil?
Would I need to write a bunch of fugly stuff in my sshd_config to
limit what the puppet user can do via the ssh command? any examples?
---
Thank
Well, the suggestion to have the client do it via a SSH command is a good
one and is working for me. Thanks to Michael and Nigel for pointing me in
this direction. I just need to formalize the process in my environment.
However (there is always a however). I am still a little shaky on the whole
ce
I'm about to deal with the same issue. This certainly isn't a Mac only
issue.
The way I see it a "puppetca --clean" needs to be
executed on the server.
I figure either a puppet admin has to do it, which is labor intensive,
or a script can do it. I haven't figured out a way for the script t
On Wed, Jul 1, 2009 at 12:02 PM, Kurt Engle wrote:
> Wouldn't I achieve the same outcome with using a single cert for all
> machines without the need for special scripts to delete certs from the
> server and delete files from the client? Also, with respect to autosign...
> would I really be able t
On Wed, Jul 1, 2009 at 9:02 AM, Kurt Engle wrote:
> Thanks for the suggestions.
>
> Wouldn't I achieve the same outcome with using a single cert for all
> machines without the need for special scripts to delete certs from the
> server and delete files from the client?
I like being able to still r
Thanks for the suggestions.
Wouldn't I achieve the same outcome with using a single cert for all
machines without the need for special scripts to delete certs from the
server and delete files from the client? Also, with respect to autosign...
would I really be able to turn it off using the SSH met
On Tue, Jun 30, 2009 at 4:32 PM, Michael Semcheski wrote:
>
> On Tue, Jun 30, 2009 at 6:36 PM, Kurt Engle wrote:
>> Our imaging process takes an OS base image with a few apps that include
>> Puppet and Facter and installs it on the Mac. This is over the network. When
>> the Mac reboots it sets the h
On Tue, Jun 30, 2009 at 6:36 PM, Kurt Engle wrote:
> Our imaging process takes an OS base image with a few apps that include
> Puppet and Facter and installs it on the Mac. This is over the network. When
> the Mac reboots it sets the hostname of the computer to the Mac's serial
> number and auto sta
Nigel, part of the problem is that I do not have a good understanding of
what happens during the whole cert process and what will break or make a
trust between the client and the server.
Our imaging process takes an OS base image with a few apps that include
Puppet and Facter and installs it on th
On Tue, Jun 30, 2009 at 3:19 PM, Kurt Engle wrote:
> Pre-generating all the certs would be very time consuming with hundreds of
> machines to deal with. Also, we would need to create a specific image for
> each machine which would be an even bigger nightmare from my understanding.
No. I'm suggest
Pre-generating all the certs would be very time consuming with hundreds of
machines to deal with. Also, we would need to create a specific image for
each machine which would be an even bigger nightmare from my understanding.
We used the serial number as the hostname since the serial number on the
On Tue, Jun 30, 2009 at 2:03 PM, engle wrote:
>
> Well, that is what we are doing right now. However, when dealing with
> potentially hundreds of machines, this gets a little awkward and
> unmanageable. We are a school district and spend most of the summer
> imaging hundreds of Macs. This is the ca
Well, that is what we are doing right now. However, when dealing with
potentially hundreds of machines, this gets a little awkward and
unmanageable. We are a school district and spend most of the summer
imaging hundreds of Macs. This is the case every summer. As these
machines change their function
On 6/30/2009 1:26 PM, engle wrote:
> So, would it be best to use a single cert for all of the clients or is
> there a better way to deal with this sort of setup?
Run
puppetca --clean host.to.be.imaged
on the puppetmaster as it's being imaged? If you're doing the reimaging,
should just be o