Issue #13026 has been updated by Sean Millichamp.
I have a lot of interest in this. We are looking at using a custom Puppet
parser function in coordination with our password vault's API to coordinate
automated password updates of generic local accounts. On Linux it looks like we
should be able to do this fairly effectively by hashing what the password vault
returns in the parser function. If we rotate it often enough then the presence
of the hash in the catalog and reports, etc. is a non-concern.
I have only just started playing with the password vault's API and have no real
code yet, but I envision the manifest would look something like:
<pre>
user { 'root':
  password => password_vault($hostname, 'sha512')
}
</pre>
(As an aside: It would generate a salt likely based on the combination of
something "random" but fixed for a given host/password similar to the fqdn_rand
function so that for a given password we won't end up with a new hash each
puppet run)
This would potentially be a "killer feature" for us on Windows too, but having
the clear-text password be visible would make it a non-starter. We could maybe
even cope with it in the catalog, as long as the catalog was restricted so that
only administrators on the system could see the catalog (you don't get to see
the password unless you already have rights for it). However, showing the
password in the reports would make the Puppet Enterprise Console immediately
useless.
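A sketch of the hashing side of such a parser function, as an added example that is not code from this thread or from Puppet: it assumes a per-deployment `secret` (hypothetical, e.g. held alongside the vault credentials) for the salt derivation, and Ruby's `String#crypt` backed by a crypt(3) that supports SHA-512-crypt (`$6$`). The salt is stable for a given host/password pair, so the hash in the catalog does not change from run to run, and only the hash ever leaves the function.

```ruby
require 'openssl'

# The 64-character alphabet crypt(3) accepts in a SHA-512-crypt salt.
CRYPT_ALPHABET = ['.', '/', *'0'..'9', *'A'..'Z', *'a'..'z'].join

# Derive a 16-character salt that is fixed for a given (hostname, password) pair,
# in the spirit of fqdn_rand. Keying the derivation with a secret means the salt
# cannot be predicted from the hostname alone; a new password yields a new salt.
def deterministic_salt(hostname, password, secret)
  digest = OpenSSL::HMAC.digest('sha256', secret, "#{hostname}\0#{password}")
  digest.bytes.first(16).map { |b| CRYPT_ALPHABET[b % 64] }.join
end

# What the parser function would return for the `password` attribute: the
# SHA-512-crypt hash, never the clear text. `password` is what the vault returned.
def password_vault_hash(hostname, password, secret)
  salt = deterministic_salt(hostname, password, secret)
  hash = password.crypt("$6$#{salt}$")
  # A crypt(3) without $6$ support silently falls back to weak DES; refuse that.
  unless hash.start_with?("$6$#{salt}$")
    raise 'crypt(3) on this platform does not support SHA-512-crypt ($6$)'
  end
  hash
end

# The check login/PAM performs against /etc/shadow: recompute with the stored
# salt and compare. Useful to confirm the hash the catalog carries is usable.
def verify_password(candidate, stored_hash)
  candidate.crypt(stored_hash) == stored_hash
end

if __FILE__ == $0
  # Constructed sample values; a real function would take these from facts and the vault.
  h = password_vault_hash('web01.example.com', 'correct horse battery', 'constructed-secret')
  puts h
  puts "stable across runs: #{h == password_vault_hash('web01.example.com', 'correct horse battery', 'constructed-secret')}"
end
```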
----------------------------------------
Feature #13026: Manage user passwords on Windows without passing clear-text
passwords in manifests/catalogs/reports
https://projects.puppetlabs.com/issues/13026#change-61594
Author: Nigel Kersten
Status: Investigating
Priority: Normal
Assignee:
Category: windows
Target version:
Affected Puppet version:
Keywords: windows user password
Branch:
We don't currently know how to do this.
With the user resource type on Windows, the only ability we have to manage
passwords for local users is to pass a clear-text password in the manifests,
which will show up in catalogs and reports.
Unlike our other supported operating systems, we have no ability to just manage
the hash of the password on Windows, and have not found any APIs which allow us
to do so.