On 05/12/2014 10:37 PM, James wrote:
On Mon, May 12, 2014 at 6:22 PM, Dmitri Pal <d...@redhat.com> wrote:
On 05/12/2014 06:07 PM, James wrote:
On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
Is there any other attribute to look at?
For example the timestamp when it was last set and base the update on
that rather than on matching password values?

There are some other solutions, but they are less elegant or don't work
consistently. (e.g. bad hacks)


I would argue that comparing hashes is the worst hack ever.
Can you create a file once you set a password to indicate that password is
set?
Not possible...

Bottom line - I do not like the approach you are trying to implement and I
do not want you to find a way to solve this problem by comparing hashes. It
is not good security hygiene. I would rather suggest patches to puppet to
address the issue properly than aid you on this path.
I think you are missing the point... It is a bit subtle. Puppet is
weird :) Here's what I'll do. I'll finish my other password related
work, and then I'll post back with my complete feature branch minus
the missing commands that I'm hoping to learn from the ML.

I think you'll realize what I'm doing makes a lot of sense. I think
you'll also soon agree that I have the only puppet module out there
that is managing passwords responsibly. The status quo is that people
are storing cleartext passwords _in puppet_!

This is their problem. Why would we aid them to do wrong things and make it easier?
I really miss the point. Why is it all needed?
Why do you need to reset passwords in IPA through puppet?
What is the use case?


tsk tsk. In any case,
since when did a project stop its users from shooting themselves in
the foot if they thought that was right?

Cheers,
James



Sorry ;-)


--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel