[Mageia-sysadm] passwords in puppet
Michael Scherer
misc at zarb.org
Mon Jan 24 09:42:43 CET 2011
On Monday 24 January 2011 at 09:28 +0100, nicolas vigier wrote:
> Hello,
>
> We are using this ruby module to save passwords used by puppet in a csv
> file :
> http://www.devco.net/code/extlookup.rb
> and manifests/extlookup.pp in our puppet config.
>
> And we are saving all passwords in this file on valstar :
> /etc/puppet/extdata/common.csv
>
> As I don't know exactly how puppet and puppet master are working, I am
> wondering if access to any password from this file is possible from any
> node (if someone can modify puppet config on this node). This could be
> a problem if we start to manage with our puppet server some less trusted
> servers. Or if someone getting root access on only one of the servers
> can access all the passwords.

From puppet, someone being root on a server with puppet just gets the
configuration for this server (that's the beauty of the pull model).
On the puppet master, on the other hand, it can go root everywhere.
--
Michael Scherer