Chad Huneycutt wrote:
> I am not sure everyone is on the same page:
> 
> 1. you don't want to have the root password (encrypted or not) showing
> up in the process listing of your clients.

Well, this is a policy/philosophy issue.  The question is "what is an
acceptable risk for your environment?"  Is it okay to have the root
password managed by puppet?  Should puppet manage any user's password?

If the answer to that question is "puppet should in no way manage a
password" because that password is stored on disk and potentially
displayed in the process list or in a yaml file, then really you've
deleted this thread and moved on :)

I absolutely agree there are other and better ways to manage the root
password.  Heck, disable the root account in its entirety and create a
proper process and policy to grant access to an SA or data center
support individual who might need it.  Or build your environment
with enough redundancy so that if a machine begins to fail it is easier
to just completely reinstall instead of diagnosing a dead machine, and
never log in as root.

> 2. even if you are generating the password on the master, it is going
> to show up in the yaml on the client, and if that is the case, it
> would seem to me that puppet's "user" type would be a much more
> logical and explicit place to set it.

Doesn't the user's password still exist under the user type params in
localconfig.yaml?  Not really that much more secure.

> If you want puppet to manage the password, I don't think it gets any
> more secure than the user type.  I guess if you had multiple admins
> writing manifests, and you were trying to prevent them from seeing the
> encrypted string, you could store it in a file that the puppetmaster
> could read (and they could not), distribute that file via the file
> type, and then use something like chpasswd to read the file, but
> that's really only more obscure rather than secure (the manifest
> writer could just pull down the file and chown it to themselves...).

Again, this is a matter of policy, process or philosophy and what is
best for your environment.

Cheers,
Ryan
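
The two approaches discussed in this thread (the user type's password
parameter, and a master-readable file pushed with the file type and
applied with chpasswd), written out side by side as an added example.
This is not code from the thread, nor Puppet's own documentation or
modules.  The module name rootpw, the path /etc/puppet/private/root.pw,
the exec title and the hash value are all assumptions/placeholders.

```puppet
# Added example, not from the original thread.  Two mutually exclusive
# classes; include one or the other, never both (they would both manage
# the root password and the user resource would be declared twice).

# Approach 1: the user type.  Simple and explicit, but the hash is part of
# the compiled catalog, so it is readable by anyone who can read the
# client's cached catalog (localconfig.yaml on old agents).
class rootpw::usertype {
  # 'password' takes the crypt(3) hash, never plaintext.  Generate it
  # off-box, e.g. with: mkpasswd -m sha-512
  user { 'root':
    ensure   => present,
    password => '$6$PLACEHOLDERSALT$PLACEHOLDERHASH',  # constructed placeholder
  }
}

# Approach 2: ship the hash as a file from the fileserver and apply it with
# chpasswd.  The hash is NOT in the catalog; only the file resource is.
# As the thread notes, this is obscurity rather than security against
# manifest authors: anyone who can write manifests can declare a file or
# exec resource that reads this file back out.
class rootpw::chpasswd {
  # Assumed module layout: modules/rootpw/files/root.pw containing the one
  # line "root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH" (the user:hash format
  # that chpasswd -e expects).  Restrict who may fetch it in fileserver.conf
  # as well; the 0400 mode below only protects the copy on the client.
  file { '/etc/puppet/private/root.pw':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0400',
    source => 'puppet:///modules/rootpw/root.pw',
  }

  # chpasswd -e reads "user:hash" from stdin, so the hash never appears in
  # argv and therefore never in ps(1), unlike "usermod -p <hash>".
  # /bin/sh -c is used for the redirection so the exec works on old agents
  # that lack "provider => shell".  refreshonly + subscribe means it runs
  # only when the file's content actually changes, not on every run.
  exec { 'apply-root-password':
    command     => '/bin/sh -c "/usr/sbin/chpasswd -e < /etc/puppet/private/root.pw"',
    refreshonly => true,
    subscribe   => File['/etc/puppet/private/root.pw'],
  }
}
```

With approach 2 the hash is still at rest on the master and on every
client that received it, and it still crosses the wire inside the
puppet session; the change is only that it no longer sits in the
catalog or in a process argument list.  Whether that narrower exposure
is acceptable is the policy question Ryan raises above.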

You received this message because you are subscribed to the Google Groups
"Puppet Users" group (http://groups.google.com/group/puppet-users?hl=en).