How to keep from resetting user password


#1

I want to use chef to maintain users with a default password while allowing the
user to change their password. Each time I rerun chef-client, the user’s
password gets reset. Is there a way I can keep it from resetting back to the
default? I’m thinking about only adding the password param if the entry isn’t
already in /etc/passwd but it seems like there should be an easier way?


#2

Write a script or web interface that stores the password hashes in a databag
on the chef server for the users who changed their password and then pull
that new hash value into your cookbook. This is currently how I did it, not
sure if it’s the best way but it works.

–sahil

On Sat, Sep 25, 2010 at 11:47 AM, bpardee@clarityservices.com wrote:

I want to use chef to maintain users with a default password while allowing the
user to change their password. Each time I rerun chef-client, the user’s
password gets reset. Is there a way I can keep it from resetting back to the
default? I’m thinking about only adding the password param if the entry isn’t
already in /etc/passwd but it seems like there should be an easier way?


#3

Is there a particular reason to have user passwords set?

I recommend not setting user passwords on the user definitions, only
allow login via ssh with keys, and set sudo up for users that need
root access with “NOPASSWD”.

This is consistent with recommendations from security experts such as
SANS Institute, too :).

On Sat, Sep 25, 2010 at 12:47 PM, bpardee@clarityservices.com wrote:

I want to use chef to maintain users with a default password while allowing the
user to change their password. Each time I rerun chef-client, the user’s
password gets reset. Is there a way I can keep it from resetting back to the
default? I’m thinking about only adding the password param if the entry isn’t
already in /etc/passwd but it seems like there should be an easier way?


Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: joshua@opscode.com


#4

I like it that way too :).
–sahil

On Sat, Sep 25, 2010 at 12:08 PM, Joshua Timberman joshua@opscode.com wrote:

Is there a particular reason to have user passwords set?

I recommend not setting user passwords on the user definitions, only
allow login via ssh with keys, and set sudo up for users that need
root access with “NOPASSWD”.

This is consistent with recommendations from security experts such as
SANS Institute, too :).

On Sat, Sep 25, 2010 at 12:47 PM, bpardee@clarityservices.com wrote:

I want to use chef to maintain users with a default password while allowing the
user to change their password. Each time I rerun chef-client, the user’s
password gets reset. Is there a way I can keep it from resetting back to the
default? I’m thinking about only adding the password param if the entry isn’t
already in /etc/passwd but it seems like there should be an easier way?


Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: joshua@opscode.com


#5

Non-technical users just using the machine for sftp uploads.

I think I solved my problem by adding a getpwnam check:

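# Etc.getpwnam raises ArgumentError for an unknown user, so rescue it to get nil; set the password only for new accounts.
password params[:password].crypt(params[:password]) if params[:password] && (Etc.getpwnam(params[:name]) rescue nil).nil?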

On Sep 25, 2010, at 3:08 PM, Joshua Timberman wrote:

Is there a particular reason to have user passwords set?

I recommend not setting user passwords on the user definitions, only
allow login via ssh with keys, and set sudo up for users that need
root access with “NOPASSWD”.

This is consistent with recommendations from security experts such as
SANS Institute, too :).

On Sat, Sep 25, 2010 at 12:47 PM, bpardee@clarityservices.com wrote:

I want to use chef to maintain users with a default password while allowing the
user to change their password. Each time I rerun chef-client, the user’s
password gets reset. Is there a way I can keep it from resetting back to the
default? I’m thinking about only adding the password param if the entry isn’t
already in /etc/passwd but it seems like there should be an easier way?


Opscode, Inc
Joshua Timberman, Senior Solutions Engineer
C: 720.878.4322 E: joshua@opscode.com
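
The getpwnam check from post #5, written out as an added example (not code from the thread or from Chef). The helper names are hypothetical, a random-salt SHA-512 crypt hash is swapped in for the post's password-as-its-own-salt call, and it assumes the platform's crypt(3) understands the "$6$" prefix, as glibc does.

```ruby
require 'etc'
require 'securerandom'

# Hypothetical helpers for a "set the default password once" policy.
# Nothing here is part of Chef itself.

# True if the account already exists. Etc.getpwnam raises ArgumentError
# (it does not return nil) when the name is unknown, so rescue it.
# `lookup` is injectable so the logic can be exercised without real accounts.
def account_exists?(name, lookup = Etc.method(:getpwnam))
  lookup.call(name)
  true
rescue ArgumentError
  false
end

# Characters allowed in a crypt(3) salt: [a-zA-Z0-9./]
SALT_CHARS = [*'a'..'z', *'A'..'Z', *'0'..'9', '.', '/'].freeze

# Hash a plaintext for /etc/shadow with a fresh random salt.
# Assumption: libc crypt(3) supports SHA-512 ("$6$").
def shadow_hash(plaintext)
  salt = Array.new(16) { SALT_CHARS[SecureRandom.random_number(SALT_CHARS.size)] }.join
  plaintext.crypt("$6$#{salt}$")
end

# Returns the hash to pass to the user resource's `password` attribute,
# or nil when the attribute should be left out so that a password the
# user has since changed is not overwritten on the next chef-client run.
def initial_password(name, plaintext, lookup = Etc.method(:getpwnam))
  return nil if plaintext.nil? || account_exists?(name, lookup)
  shadow_hash(plaintext)
end

# Sketch of use inside the definition from the thread:
#   hash = initial_password(params[:name], params[:password])
#   user params[:name] do
#     password hash if hash
#   end
```

Because the random salt changes the hash on every call, this only converges when the attribute is omitted for existing accounts, which is exactly what the nil return is for.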