Forum: Cfengine Help Subject: Re: Managing user accounts with Cfengine 3 Author: sauer Link to topic: https://cfengine.com/forum/read.php?3,20993,20997#msg-20997
Pretty much any Unix system using shadow passwords will take strings encrypted with

    perl -le 'print crypt( $ENV{q{PASS}}, join q{}, (0..9, q{A}..q{Z}, q{a}..q{z})[rand 62, rand 62] )'

or

    perl -le 'print crypt( $ENV{q{PASS}}, $ENV{q{SALT}} )'

You could pretty easily have the passwords in plain text in the master userlist file, and filter them through that one-liner to encrypt them in the method.

Note: I prefer to use an environment variable to pass the password in ($PASS in this example) so it's not visible in the process table. Command line arguments are A Bad Thing.

The limitation to using this mechanism is mainly that only the first 8 characters of the password are significant using DES crypt, but then, doing the md5 thing's marginally more difficult. :)

The other limitation is that that first option would be non-convergent, because you're using a random salt. You could get around that problem by using something predictable -- like a couple of characters from the username -- as the salt. That would be about as good as random salt (as long as you choose two letters which actually vary in usernames). Pulling two chars from the username and passing those into the perl one-liner is a pretty trivial task. It doesn't particularly hurt security, as varying the salt is pretty much only to make the shadow file harder to crack all at once - you generally don't want to use the same salt through the whole shadow file. Never mind that, if untrusted individuals have access to your shadow file, you're in a world of hurt anyway.

Personally, I'm pre-calculating the appropriate encrypted strings for each platform we support, and selecting the right one per-system based on the OS class. But I only care about Unix, and I'm using a moderately complicated script / interface to manage the information; it'd be a royal pain to keep that all in sync by hand. Your mileage may vary.
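Added example, not code from the post or from Cfengine: a pure-Python implementation of the MD5-based crypt ($1$) that the post calls "the md5 thing", with the salt derived from the username so the hash is convergent, plus a check a policy could use to decide whether a shadow entry already holds the expected hash. The salt_for_user rule (up to eight username characters, padded to at least two) and the shadow line are my own constructions, not the post's.

```python
import hashlib

# crypt(3) base-64 alphabet, in the order crypt uses it
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> str:
    """Emit n base-64 digits of v, least significant first, as crypt(3) does."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def md5_crypt(password: str, salt: str) -> str:
    """MD5-based crypt ($1$) as stored in shadow files; salt is at most 8 chars."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for plen in range(len(pw), 0, -16):          # as many alt bytes as pw is long
        ctx.update(alt[: min(16, plen)])
    i = len(pw)
    while i:                                     # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # fixed 1000-round stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    tail = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + tail


def salt_for_user(username: str) -> str:
    """Deterministic salt from the username (assumed rule: up to 8 valid chars, min 2)."""
    kept = "".join(ch for ch in username if ch in ITOA64)
    return kept.ljust(2, ".")[:8]


def shadow_entry_current(shadow_line: str, password: str) -> bool:
    """True if the shadow line already holds the convergent hash for this password."""
    username, stored = shadow_line.split(":")[:2]
    return stored == md5_crypt(password, salt_for_user(username))


# Constructed shadow line for a user whose password is already converged.
EXAMPLE_SHADOW_LINE = "alice:" + md5_crypt("s3cret", salt_for_user("alice")) + ":19000:0:99999:7:::"
```

Because the salt is a pure function of the username, recomputing the hash and comparing it to the stored field is enough to know whether the entry needs rewriting; a random salt would make every run look like a change.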
_______________________________________________ Help-cfengine mailing list Help-cfengine@cfengine.org https://cfengine.org/mailman/listinfo/help-cfengine