Managing passwords on multiple webapp/users creation


#1

Hello everyone,

I would like to know if anyone has already managed to deploy multiple
users/webapps on servers via CHEF and, therefore, how they’ve managed
password generation and storage.

I’ve actually written a recipe which creates users and deploy a webapp for
each of them, by reading a databag. I’m generating the password during
user’s creation and storing the password in the original databag. Of course,
this method is completely insecure.

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read. BTW, SSH keys wouldn’t be of any help
because there are too many persons who would have to integrate these keys on
their machines.

Thanks in advance for any help.

Regards,

Philippe Bérard
Responsable informatique

Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56

58, Rue Pottier
78150 Le Chesnay
http://www.jalios.com www.jalios.com

JALIOS

P Afin de contribuer au respect de l’environnement, merci de n’imprimer ce
message qu’en cas de nécessité.


#2

Depending on the app many support LDAP either directly or via HTTP authentication + mod_authnz_ldap (or similar for non-apache servers). That is usually your best bet for centralized auth in various web apps and also works nicely for ssh users.

–Noah

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

Hello everyone,

I would like to know if anyone has already managed to deploy multiple users/webapps on servers via CHEF and, therefore, how they’ve managed password generation and storage.

I’ve actually written a recipe which creates users and deploy a webapp for each of them, by reading a databag. I’m generating the password during user’s creation and storing the password in the original databag. Of course, this method is completely insecure.

I’ve tried to use encrypted databags but this kind of databag can’t be written by a recipe, only read. BTW, SSH keys wouldn’t be of any help because there are too many persons who would have to integrate these keys on their machines.

Thanks in advance for any help.

Regards,

Philippe Bérard
Responsable informatique
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com
<image001.gif>
P Afin de contribuer au respect de l’environnement, merci de n’imprimer ce message qu’en cas de nécessité.


#3

Hello Philippe

My reply probably isn’t very helpful, as I don’t see how you could securely store a password AND make it retrievable. Not unless you decrypt them with a master password or something…

BTW, SSH keys wouldn’t be of any help because there are too many persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn’t have to integrate keys. You shouldn’t have to create key pairs that go on the users’ machines. The users should give you their public keys which you can put (1 time only) in for example a databag. A key is personal and comes from the user, not from the app.

Kind Regards,
Steven

Op 4-jan.-2013, om 10:57 heeft Philippe Bérard philippe.berard@jalios.com het volgende geschreven:

Hello everyone,

I would like to know if anyone has already managed to deploy multiple users/webapps on servers via CHEF and, therefore, how they’ve managed password generation and storage.

I’ve actually written a recipe which creates users and deploy a webapp for each of them, by reading a databag. I’m generating the password during user’s creation and storing the password in the original databag. Of course, this method is completely insecure.

I’ve tried to use encrypted databags but this kind of databag can’t be written by a recipe, only read. BTW, SSH keys wouldn’t be of any help because there are too many persons who would have to integrate these keys on their machines.

Thanks in advance for any help.

Regards,

Philippe Bérard
Responsable informatique
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com
<image001.gif>
P Afin de contribuer au respect de l’environnement, merci de n’imprimer ce message qu’en cas de nécessité.


#4

I suspect he’s talking about managing a corporate IT installation where
the cost of training users how to use ssh keys is high. Even in a
smallish enterprise of a couple thousand users, its going to be easier
to have password-based auth than to try to train the 90% of the userbase
that is non-techncial or semi-technical up in the use of ssh keys. If
you’ve got a limited IT helpdesk staff that is already buckling under
the ticket load, then you’ll never manage to deploy ssh auth in a way
that will make your department look remotely competent. With a lot of
dev work you could probably setup a website that had client-side code
that configured the users machine and managed creating their ssh keys
and putting a passphrase on them, and then walked them through how to
use their passphrase to login to the servers, but there’s a
chicken-and-egg problem of being able to dig out from under a mess and
be able to take the time to write that kind of stuff, and a skills
problem in that anyone who could do that will flee from corporate IT
support…

On 1/5/13 2:46 AM, Steven De Coeyer wrote:

Hello Philippe

My reply probably isn’t very helpful, as I don’t see how you could
securely store a password AND make it retrievable. Not unless you
decrypt them with a master password or something…

BTW, SSH keys wouldn’t be of any help because there are too many
persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn’t have to
integrate keys. You shouldn’t have to create key pairs that go on the
users’ machines. The users should give you their public keys which you
can put (1 time only) in for example a databag. A key is personal and
comes from the user, not from the app.

Kind Regards,
Steven

Op 4-jan.-2013, om 10:57 heeft Philippe Bérard
<philippe.berard@jalios.com mailto:philippe.berard@jalios.com> het
volgende geschreven:

Hello everyone,
I would like to know if anyone has already managed to deploy multiple
users/webapps on servers via CHEF and, therefore, how they’ve managed
password generation and storage.
I’ve actually written a recipe which creates users and deploy a
webapp for each of them, by reading a databag. I’m generating the
password during user’s creation and storing the password in the
original databag. Of course, this method is completely insecure.
I’ve tried to use encrypted databags but this kind of databag can’t
be written by a recipe, only read. BTW, SSH keys wouldn’t be of any
help because there are too many persons who would have to integrate
these keys on their machines.
Thanks in advance for any help.
Regards,
Philippe Bérard
Responsable informatique
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com http://www.jalios.com

<image001.gif>

PAfin de contribuer au respect de l’environnement, merci de
n’imprimer ce message qu’en cas de nécessité.


#5

Thanks Steven, that may be the way to go.

As you stated at first, I would really like to store encrypted
passwords, with a main password only known by chosen users, in a
databag and be able to decode them when needed.

I’ve tried to store AES-256 passwords in databags but it results in
"bad request" errors, and encrypted databags are, sadly, read-only for
recipes.

Regards,

Philippe Bérard via Webmail

Quoting Steven De Coeyer steven@banteng.be:

Hello Philippe

My reply probably isn’t very helpful, as I don’t see how you could
securely store a password AND make it retrievable. Not unless you
decrypt them with a master password or something…

BTW, SSH keys wouldn’t be of any help because there are too many
persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn’t have to
integrate keys. You shouldn’t have to create key pairs that go on
the users’ machines. The users should give you their public keys
which you can put (1 time only) in for example a databag. A key is
personal and comes from the user, not from the app.

Kind Regards,
Steven

Op 4-jan.-2013, om 10:57 heeft Philippe Bérard
philippe.berard@jalios.com het volgende geschreven:

Hello everyone,

I would like to know if anyone has already managed to deploy
multiple users/webapps on servers via CHEF and, therefore, how
they’ve managed password generation and storage.

I’ve actually written a recipe which creates users and deploy a
webapp for each of them, by reading a databag. I’m generating the
password during user’s creation and storing the password in the
original databag. Of course, this method is completely insecure.

I’ve tried to use encrypted databags but this kind of databag can’t
be written by a recipe, only read. BTW, SSH keys wouldn’t be of
any help because there are too many persons who would have to
integrate these keys on their machines.

Thanks in advance for any help.

Regards,

Philippe Bérard
Responsable informatique
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com
<image001.gif>
P Afin de contribuer au respect de l’environnement, merci de
n’imprimer ce message qu’en cas de nécessité.


#6

Hello Lamont and thanks for trying to understand my need.

I would really like to know how people manage password creation,
encryption and storage when it comes to deploying webapps and/or VMs
for their clients…

Regards,

Philippe Bérard via Webmail

Quoting Lamont Granquist lamont@opscode.com:

I suspect he’s talking about managing a corporate IT installation where
the cost of training users how to use ssh keys is high. Even in a
smallish enterprise of a couple thousand users, its going to be easier
to have password-based auth than to try to train the 90% of the
userbase that is non-techncial or semi-technical up in the use of ssh
keys. If you’ve got a limited IT helpdesk staff that is already
buckling under the ticket load, then you’ll never manage to deploy ssh
auth in a way that will make your department look remotely competent.
With a lot of dev work you could probably setup a website that had
client-side code that configured the users machine and managed creating
their ssh keys and putting a passphrase on them, and then walked them
through how to use their passphrase to login to the servers, but
there’s a chicken-and-egg problem of being able to dig out from under a
mess and be able to take the time to write that kind of stuff, and a
skills problem in that anyone who could do that will flee from
corporate IT support…

On 1/5/13 2:46 AM, Steven De Coeyer wrote:

Hello Philippe

My reply probably isn’t very helpful, as I don’t see how you could
securely store a password AND make it retrievable. Not unless you
decrypt them with a master password or something…

BTW, SSH keys wouldn’t be of any help because there are too many
persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn’t have to
integrate keys. You shouldn’t have to create key pairs that go on
the users’ machines. The users should give you their public keys
which you can put (1 time only) in for example a databag. A key is
personal and comes from the user, not from the app.

Kind Regards,
Steven

Op 4-jan.-2013, om 10:57 heeft Philippe Bérard
<philippe.berard@jalios.com mailto:philippe.berard@jalios.com>
het volgende geschreven:

Hello everyone,
I would like to know if anyone has already managed to deploy
multiple users/webapps on servers via CHEF and, therefore, how
they’ve managed password generation and storage.
I’ve actually written a recipe which creates users and deploy a
webapp for each of them, by reading a databag. I’m generating the
password during user’s creation and storing the password in the
original databag. Of course, this method is completely insecure.
I’ve tried to use encrypted databags but this kind of databag
can’t be written by a recipe, only read. BTW, SSH keys wouldn’t be
of any help because there are too many persons who would have to
integrate these keys on their machines.
Thanks in advance for any help.
Regards,
Philippe Bérard
Responsable informatique
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com http://www.jalios.com

<image001.gif>

PAfin de contribuer au respect de l’environnement, merci de
n’imprimer ce message qu’en cas de nécessité.


#7

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that the client treats specially to decrypt with a shared secret. If you have the shared secret, you can update/add entries and make the API call to save the data bag item.

So if the simple shared secret approach that encrypted data bags provides will work for you, I think you can teach your recipes to updates encrypted data bags.


#8

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.


#9

That blog post an ancient and isn’t even the Chef encrypted data bags. It
was John’s approach before encrypted data bags were made.

http://docs.opscode.com/essentials_data_bags_encrypt.html

Cheers,

AJ

On 7 January 2013 23:44, Philippe Bérard philippe.berard@jalios.com wrote:

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(
http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that
the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.


#10

OK, thanks AJ for pointing this out. Still no clue for writing to encrypted databags, though, I’ll see if there’s any chance to have a working Chef::EncryptedDataBagItem.save

Regards,

– Philippe Bérard

De : AJ Christensen [mailto:aj@junglist.gen.nz]
Envoyé : lundi 7 janvier 2013 11:46
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: Managing passwords on multiple webapp/users creation

That blog post an ancient and isn’t even the Chef encrypted data bags. It was John’s approach before encrypted data bags were made.

http://docs.opscode.com/essentials_data_bags_encrypt.html

Cheers,

AJ

On 7 January 2013 23:44, Philippe Bérard philippe.berard@jalios.com wrote:

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.html
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.


#11

The following link discusses databag editing from within a recipe. Be aware
that it does come with two warnings.

  1. Unexpected data loss if multiple nodes edit the same databag.
  2. Open source chef requires the node’s API client to have admin rights.

http://docs.opscode.com/essentials_data_bags_use_recipe.html#creating-and-editing-data-bag-within-a-recipe
On Jan 7, 2013 8:26 AM, “Philippe Bérard” philippe.berard@jalios.com
wrote:

OK, thanks AJ for pointing this out. Still no clue for writing to encrypted databags, though, I’ll see if there’s any chance to have a working Chef::EncryptedDataBagItem.save****


Regards,****


– Philippe Bérard****


De : AJ Christensen [mailto:aj@junglist.gen.nz]
Envoyé : lundi 7 janvier 2013 11:46
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: Managing passwords on multiple webapp/users
creation****


That blog post an ancient and isn’t even the Chef encrypted data bags. It
was John’s approach before encrypted data bags were made.****


http://docs.opscode.com/essentials_data_bags_encrypt.html****


Cheers,****


AJ****


On 7 January 2013 23:44, Philippe Bérard philippe.berard@jalios.com
wrote:****

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(
http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation***
*

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that
the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.




#12

Yes, I’ve adresses both points to have a robust deployment solution. BTW,
this link doesn’t address writing to an encrypted databag, only a “regular”
one.

Regards,

– Philippe Bérard

De : Jeremiah Snapp [mailto:jeremiah.snapp@gmail.com]
Envoyé : lundi 7 janvier 2013 15:59
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: RE: Re: Managing passwords on multiple
webapp/users creation

The following link discusses databag editing from within a recipe. Be aware
that it does come with two warnings.

  1. Unexpected data loss if multiple nodes edit the same databag.
  2. Open source chef requires the node’s API client to have admin rights.

http://docs.opscode.com/essentials_data_bags_use_recipe.html#creating-and-ed
iting-data-bag-within-a-recipe

On Jan 7, 2013 8:26 AM, “Philippe Bérard” philippe.berard@jalios.com
wrote:

OK, thanks AJ for pointing this out. Still no clue for writing to encrypted
databags, though, I’ll see if there’s any chance to have a working
Chef::EncryptedDataBagItem.save

Regards,

– Philippe Bérard

De : AJ Christensen [mailto:aj@junglist.gen.nz]
Envoyé : lundi 7 janvier 2013 11:46
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: Managing passwords on multiple webapp/users
creation

That blog post an ancient and isn’t even the Chef encrypted data bags. It
was John’s approach before encrypted data bags were made.

http://docs.opscode.com/essentials_data_bags_encrypt.html

Cheers,

AJ

On 7 January 2013 23:44, Philippe Bérard philippe.berard@jalios.com wrote:

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
<http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
tml>
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.


#13

Hi Philippe,

At the risk of sounding like a broken record (or, worse yet, some kind of
spambot), I think you might actually find something useful in the knife
plugin link I just posted as potentially being useful for Chef 10 -> 11
migration (in which they’re changing the encrypted data bag format).

The code worked in November, although the GitHub version is currently
nerfed so that it doesn’t *actually * push the re-encrypted data bag back
up to the server.

As you can see from the example, an encrypted data bag item is actually
just the payload of a regular data bag item. At least, that’s what it is
in Chef 10…

I hope this helps with your situation. Keep in mind that, if you find
encrypted data bags to be an imperfect solution for your particular
environment, you can implement just about anything else you want by writing
your own resource/provider.

On Mon, Jan 7, 2013 at 7:10 AM, Philippe Bérard
philippe.berard@jalios.comwrote:

Yes, I’ve adresses both points to have a robust deployment solution. BTW,
this link doesn’t address writing to an encrypted databag, only a “regular”
one.****


Regards,****


– Philippe Bérard****


De : Jeremiah Snapp [mailto:jeremiah.snapp@gmail.com]
Envoyé : lundi 7 janvier 2013 15:59
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: RE: Re: Managing passwords on multiple
webapp/users creation****


The following link discusses databag editing from within a recipe. Be
aware that it does come with two warnings. ****

  1. Unexpected data loss if multiple nodes edit the same databag.
  2. Open source chef requires the node’s API client to have admin rights. *

http://docs.opscode.com/essentials_data_bags_use_recipe.html#creating-and-editing-data-bag-within-a-recipe


On Jan 7, 2013 8:26 AM, “Philippe Bérard” philippe.berard@jalios.com
wrote:****

OK, thanks AJ for pointing this out. Still no clue for writing to encrypted databags, though, I’ll see if there’s any chance to have a working Chef::EncryptedDataBagItem.save****


Regards,****


– Philippe Bérard****


De : AJ Christensen [mailto:aj@junglist.gen.nz]
Envoyé : lundi 7 janvier 2013 11:46
À : chef@lists.opscode.com
Objet : [chef] Re: RE: Re: Managing passwords on multiple webapp/users
creation****


That blog post an ancient and isn’t even the Chef encrypted data bags. It
was John’s approach before encrypted data bags were made.****


http://docs.opscode.com/essentials_data_bags_encrypt.html****


Cheers,****


AJ****


On 7 January 2013 23:44, Philippe Bérard philippe.berard@jalios.com
wrote:****

Hello Seth and thanks for your answer,

I’ve tried, maybe the wrong way, to write to encrypted databags, with no
success.

I’ll follow the instructions found here
(
http://lusislog.blogspot.fr/2011/01/chef-and-encrypted-data-bags-revisted.h
tml) , though, and publish my findings if anyone’s interested.

Regards,

– Philippe Bérard

-----Message d’origine-----
De : Seth Falcon [mailto:seth@opscode.com]
Envoyé : lundi 7 janvier 2013 06:03
À : chef@lists.opscode.com
Objet : [chef] Re: Managing passwords on multiple webapp/users creation***
*

On Jan 4, 2013, at 1:57 AM, Philippe Bérard wrote:

I’ve tried to use encrypted databags but this kind of databag can’t be
written by a recipe, only read.

I’m not sure that’s true. Encrypted data bags are regular data bags that
the
client treats specially to decrypt with a shared secret. If you have the
shared secret, you can update/add entries and make the API call to save the
data bag item.

So if the simple shared secret approach that encrypted data bags provides
will work for you, I think you can teach your recipes to updates encrypted
data bags.