On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 05/12/2014 06:07 PM, James wrote:
>>
>> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
>>>
>>> Is there any other attribute to look at?
>>> For example the timestamp when it was last set and base the update on
>>> that rather than on matching password values?
>>>
>> There are some other solutions, but they are less elegant or don't work
>> consistently. (Eg: bad hacks)
>>
>>
> I would argue that comparing hashes is the worst hack ever.
> Can you create a file once you set a password to indicate that password is
> set?

Not possible...

>
> Bottom line - I do not like the approach you are trying to implement and I
> do not want you to find a way to solve this problem by comparing hashes. It
> is not a good security hygiene. I would rather suggest patches to puppet to
> address the issue properly than aid you on this path.

I think you are missing the point... It is a bit subtle. Puppet is weird :)

Here's what I'll do. I'll finish my other password-related work, and then
I'll post back with my complete feature branch minus the missing commands
that I'm hoping to learn from the ML. I think you'll realize what I'm doing
makes a lot of sense. I think you'll also soon agree that I have the only
puppet module out there that is managing passwords responsibly. The status
quo is that people are storing cleartext passwords _in puppet! tsk tsk.

In any case, since when did a project stop its users from shooting
themselves in the foot if they thought that was right?

Cheers,
James

>
> Sorry ;-)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel