On 12 December 2012 11:58, Jakov Sosic <[email protected]> wrote:

> On 12/10/2012 04:47 PM, jcbollinger wrote:
>
>> There are good, industry-standard approaches to centralized password
>> management. You should really choose among those instead of rolling
>> your own. One of the best-regarded is LDAP, and you could also consider
>> NIS (just to name two). The former is more secure, but the latter is
>> very easy to set up.
>
> Judging that the current solution stores passwords in /etc/shadow, I
> assume that these passwords are for ssh only, and if that's the case the
> easiest and most secure way would be to enforce ssh key logins, and
> distribute keys instead of passwords. Public keys could be updated without
> granting access to puppet master.
>
> If that's not the case, then LDAP is a way to go.

I was managing my users with puppet but I decided it wasn't the best way to do it. I recently set up a FreeIPA server to use for authentication and authorization. It can also be used to auth ssh logins with keys. I need to write some modules to manage setting it up on a node with puppet but it's looking like the best option for what I need. It seems to have similar functionality to Active Directory and can even sync with it.

> --
> Jakov Sosic
> www.srce.unizg.hr

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
