On Monday, December 10, 2012 2:49:10 AM UTC-6, SAF wrote:

> Do you happen to know with what user do the scripts get executed on the master? If it's not root, I might have to stick some sudos in there.

Functions are evaluated as a normal part of the puppet master's execution, thus they run as whatever user the master runs as. In most setups that is a non-privileged user, without access to the contents of /etc/shadow.
You should think long and hard before granting the master elevated privileges. I would not do it myself. In fact, I would recommend against your whole concept for password management. It requires you to weaken your security not only by granting extra privileges to the master, but also -- much worse -- by granting your users login privileges on the puppet master server.

Furthermore, password updates under your scheme would not be synchronous or even coordinated across hosts. For each other system he wants to log in to, the user would have to wait some unknown time for that system to perform a successful Puppet run before his password changes there, and there will be a period during which his password is different on some nodes than on others.

There are good, industry-standard approaches to centralized password management. You should really choose among those instead of rolling your own. One of the best-regarded is LDAP, and you could also consider NIS (just to name two). The former is more secure, but the latter is very easy to set up.

John