I've created a Puppet module which will check a specified user for
password age, and if it is older than a specified amount, then it will
first generate a random password, change the user's password to this,
and will then update (or create) the stored password as held in the
Secret Server application (via the SecretServer API) -- see
http://www.thycotic.com/. This means that we don't need to allow
SecretServer to log in remotely as root to do the job itself, and we
can receive notification (via Puppet reports) when this has been done.

So far this only works for Linux but it should be simple to make it
work for other OSes.

Usage is:
  password { 'user': age=>30, username=>'user' }

with both parameters optional.  We will use this to autorotate
passwords on non-user accounts (root, oracle) since account expiry
causes crontabs to stop working and we cannot lock the accounts or
disable expiry due to functionality and security requirements.

Is anyone already using SecretServer interested in testing a copy?
There are a couple of caveats with it but things are looking good so
far.

Steve
________________________________________
Steve Shipway
[email protected]
Routers2.cgi web frontend for MRTG/RRD; NagEventLog Nagios agent for
Windows Event Log monitoring; check_vmware plugin for VMWare
monitoring in Nagios and MRTG; and other Open Source projects.
Web: http://www.steveshipway.org/software
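
The age check and password generation described in the message above, as an added Ruby example that is not the module's own code. It assumes the age is read from the last-change field of a shadow(5) entry; the function names, the sample entries and the 24-character length are hypothetical, and the actual password change and the Secret Server update are left out.

```ruby
require 'securerandom'
require 'date'

# Constructed shadow(5) entries; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = <<~'SHADOW'
  root:$6$constructed$placeholderhash:19000:0:99999:7:::
  oracle:$6$constructed$placeholderhash:19700:0:99999:7:::
  daemon:*::0:99999:7:::
SHADOW

EPOCH = Date.new(1970, 1, 1)

# Password age in days for `user`, taken from the third shadow field
# (days since 1970-01-01 of the last change). Returns nil when that field is
# empty; raises when the account is not present at all.
def password_age_days(shadow_text, user, today)
  shadow_text.each_line do |line|
    fields = line.chomp.split(':', -1) # -1 keeps trailing empty fields
    next unless fields[0] == user
    lastchg = fields[2]
    return nil if lastchg.nil? || lastchg.empty?
    return (today - EPOCH).to_i - Integer(lastchg, 10)
  end
  raise ArgumentError, "no shadow entry for #{user}"
end

# Rotation is due when the password is older than max_age days.
# Assumption: an account with no recorded change date is treated as due.
def rotation_due?(age_days, max_age)
  age_days.nil? || age_days > max_age
end

# Random replacement password from the OS CSPRNG. It is returned to the caller
# and never printed, so it does not end up in logs or reports.
def new_password(length = 24)
  SecureRandom.alphanumeric(length)
end

if __FILE__ == $PROGRAM_NAME
  today = Date.new(2024, 1, 1) # fixed date so the sample output is stable
  %w[root oracle daemon].each do |user|
    age = password_age_days(SAMPLE_SHADOW, user, today)
    due = rotation_due?(age, 30) # 30 matches the age=>30 usage line
    puts "#{user}: age=#{age.inspect} days, rotate=#{due}"
  end
end
```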
