On Thu, Jun 21, 2012 at 02:29:50AM -0700, Marshie8 wrote:
> Hi guys,
>  
> Just started to look at Puppet. 
>  
> Is there a way I can have a user log into a Puppet Server box, and change 
> their own password? Wondered if there was a script out there already that 
> monitored for changes to the /etc/passwd and /etc/shadow entry for the user 
> and extract the string to populate it to all Puppet clients. 
>  
> We plan to implement LDAP but that's a little way off, I just need an easy 
> way in the meantime to keep my clients up to date with local accounts.
>  
> Thanks
>  
> Mark

This could be done by having a custom fact that exports the value of the hash
back to the master, but this would be best only running on one single box,
which would be the 'password changing box'. IMO, passing hashes around like
this would not be a great idea from a security perspective, nor particularly
scalable.

Something along the lines of https://github.com/crayfishx/hiera-gpg and a
script to make use of GPG's multi-key encryption may be better - where the
YAML file for a user definition that contains the hash is encrypted with both
hiera's key and the user's GPG key, thus allowing for users to set their
password, and for hiera to decrypt the hash, but you may find that your time
is better spent getting LDAP up and running..

Dependent on how your infrastructure is set up, and where/how you're actually
using passwords, it may be better to make use of SSH keys (which puppet can
manage) and set local user accounts on servers to random, unknown passwords
that are never actually used.

See http://docs.puppetlabs.com/references/2.7.0/type.html#user for more info
on the user type.

Cheers,
-- 
Richard Clark
rich...@fohnet.co.uk
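
The SSH-key approach suggested in the reply above, sketched as a Puppet manifest. This is an added example, not part of the original message: the define name ssh_only_user, the account names and the key strings are hypothetical placeholders, and it uses the fixed invalid hash '*' in place of a random password, which likewise leaves the account with no usable password.

```puppet
# Added example (not from the original post). Names and key material below
# are constructed placeholders; substitute real public keys.

# One local account that can only be reached with an SSH key.
define ssh_only_user($key, $key_type = 'ssh-rsa', $key_comment = 'primary') {

  user { $name:
    ensure     => present,
    managehome => true,
    shell      => '/bin/bash',
    # '*' is not the output of any hash function, so no typed password can
    # ever match it. Unlike a '!' prefix it is not treated as a locked
    # account, so key-based logins keep working.
    password   => '*',
  }

  # The public half of the user's key pair. Only this value is stored in
  # the manifest; no password hash has to be collected or distributed.
  ssh_authorized_key { "${name}-${key_comment}":
    ensure  => present,
    user    => $name,
    type    => $key_type,
    key     => $key,
    require => User[$name],
  }
}

# Declare the accounts once; every node that includes this manifest gets
# the same users with the same authorized keys.
ssh_only_user { 'alice':
  key => 'AAAA_PLACEHOLDER_PUBLIC_KEY_FOR_ALICE',
}

ssh_only_user { 'bob':
  key         => 'AAAA_PLACEHOLDER_PUBLIC_KEY_FOR_BOB',
  key_comment => 'laptop',
}
```

Replacing a user's key is then a one-line change to the manifest rather than a password hash copied between hosts.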
