I am no longer maintaining this puppet module as I have started working with Chef Ansible instead. I don't have an Chef Ansible version of this module at this time though, and I may never make one since this isn't the best way to manage access to servers.
I will still accept pull requests against this module if improvements are made to it though.
This puppet module will generate secure root passwords based on a seed string and the FQDN of the machine for easy lookup later.
- 1) php5-cli to run PHP script for the custom Facter fact (Module will install this)
- 2) whois package for the mkpasswd command in order to hash the passwords properly (Module will install this)
- 3) Puppet version 3.7.3 or later (Test on 3.7.3 only)
- 4) Ubuntu 12.04 or later (Tested on 14.04 only)
- 1) Check the git repo out to a module directory named "securerootpassword"
- 2) Add the module to your Hiera data
- 2a) Optionally you can override the password with the Hiera variable securerootpassword:rootpassword encrypted as a shadow file compatible password
Doing this ignores the seed string all together even if that is defined.
The PHP script doing the work is using the core code based on https://github.com/ahrenstein/SecurePassGenWeb so as long as you know the seed, you can deploy that website and lookup your passwords.
- 1) The seed string is modified with a Hiera variable but in order for the script to work it is stored in /autotools/seed.txt with root:root 600 permissions
THIS MEANS ANYONE WITH ROOT ACCESS TO A MANAGED SYSTEM CAN GET THE SEED FOR EVERY OTHER SYSTEM IN THAT HIERA GROUPING - 2) In theory if there is a way to grab the Hiera data assigned to your machine from the command line as a non-root user then someone could get the seed string and gain root on all nodes in that Hiera grouping.
- 3) If the seed string is not declared in Hiera, then a default string is used. This is essentially the same as a default password. CHANGE IT!
Due to the current security issues above, this module is only useful in organizations where DevOps/Admin/etc team is the only group with root on systems. This is unfortunately due to limitations with puppet 3.7.3 (latest as of last commit) If the situation improves I will make the module more secure.