On Fri, Oct 17, 2008 at 9:27 AM, Luke Kanies <[EMAIL PROTECTED]> wrote:

> Huh.  I had no idea that netinfo and directoryservice managed clear-
> text passwords.  I knew ldap could, but you can also specify a hash as
> long as you include the hashing method, e.g., '{md5}asdfweqradfs'.
> Not consistent behaviour with useradd, I know, but you're kind of
> stuck there anyway since lots of *nix platforms don't support the same
> hashing functions anyway.

Yep.

> I don't think Puppet should ever use clear-text passwords, really.  It
> puts a bit more of a burden on the user, but it takes a significant
> security burden off of Puppet.

I'm glad you feel that way, and I think it's absolutely the correct approach.

>
> If you must have clear-text passwords, I'd either recommend a
> different attribute, or recommend following the ldap method -- if the
> password doesn't have a hash method specified in braces, then it's
> cleartext, otherwise it's hashed as specified.  This would allow some
> ability to handle cross-platform support -- a given provider might
> know which platforms support which hash methods, so it could either
> fail intelligently, or choose from a list of provided hash
> mechanisms.  Of course, that starts to suck as you increase the number
> of hashed passwords, such that you want cleartext passwords and have
> Puppet hash for you, but...

OK. So in that case, I might poll the puppet-users list to see who is
currently using clear text passwords with directoryservice, as netinfo
really should be completely deprecated given that directoryservice can
handle all OS X netinfo stores.

I'd be perfectly happy for directoryservice to no longer use clear
text passwords at all myself.  We could go and make a "{macshadow}"
prefix for OS X passwords I guess, but that seems a bit clunky.

I notice that a few people are using server-side generate functions
for hash generation, which is another option.

Perhaps that's the better approach to take, in that we provide some
generate functions on the puppet wiki (or in the distro) for the
various password hash types.

-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
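The thread above describes the braced-prefix convention ('{md5}...' is hashed, a bare value is cleartext), a provider that knows which hash methods each platform can store, and server-side generate functions for hashing. The following Ruby sketch is an added example, not Puppet's own code; the SUPPORTED table and its platform names are constructed for illustration, and the encodings used are the RFC 2307 ones (base64 of the raw digest, with SSHA appending a salt).

```ruby
require 'digest'
require 'base64'
require 'securerandom'

# Constructed table (not from the thread) of the hash methods a provider knows
# how to store on each platform; the first entry is the platform's preferred one.
SUPPORTED = { ldap: %i[ssha sha md5], legacy_dir: %i[md5] }.freeze

# "{method}digest" convention from the thread: no braced prefix means cleartext.
def parse_password(value)
  m = /\A\{([A-Za-z0-9]+)\}(.*)\z/m.match(value)
  return { method: :cleartext, data: value } unless m
  { method: m[1].downcase.to_sym, data: m[2] }
end

# Server-side generate helpers using the RFC 2307 encodings: base64 of the raw
# digest, with SSHA appending the salt to the digest before encoding.
def generate(method, cleartext, salt = SecureRandom.random_bytes(4))
  case method
  when :md5  then "{md5}"  + Base64.strict_encode64(Digest::MD5.digest(cleartext))
  when :sha  then "{sha}"  + Base64.strict_encode64(Digest::SHA1.digest(cleartext))
  when :ssha then "{ssha}" + Base64.strict_encode64(Digest::SHA1.digest(cleartext.b + salt) + salt)
  else raise ArgumentError, "no generator for {#{method}}"
  end
end

# Check a candidate against a stored value; the salt for SSHA is whatever
# follows the 20-byte SHA-1 digest. Malformed stored values simply fail.
def verify(stored, candidate)
  p = parse_password(stored)
  return false unless %i[md5 sha ssha].include?(p[:method])
  salt = p[:method] == :ssha ? Base64.strict_decode64(p[:data])[20..-1] : ''
  parse_password(generate(p[:method], candidate, salt))[:data] == p[:data]
rescue ArgumentError
  false
end

# What a provider would do with a declared password: pass hashed values through
# when the platform supports the method, hash cleartext with the preferred
# method, and fail with a clear error rather than silently storing cleartext.
def resolve_password(value, platform)
  methods = SUPPORTED.fetch(platform) { raise ArgumentError, "unknown platform #{platform}" }
  p = parse_password(value)
  return generate(methods.first, p[:data]) if p[:method] == :cleartext
  return value if methods.include?(p[:method])
  raise ArgumentError, "#{platform} cannot store {#{p[:method]}} hashes (supports #{methods.join(', ')})"
end
```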
