Managing service passwords with Puppet

Posted by Jeff Ferland on Server Fault
Published on 2012-01-24T16:49:51Z. Indexed on 2012/04/03 23:31 UTC.

I'm setting up my Bacula configuration in Puppet. One thing I want to do is ensure that each password field is different. My current thought is to hash the hostname with a secret value that would ensure each file daemon has a unique password and that password can be written to both the director configuration and the file server. I definitely don't want to use one universal password as that would permit anybody who might compromise one machine to get access to any machine through Bacula.

Is there another way to do this other than using a hash function to generate the passwords?

Clarification:

This is NOT about user accounts for services. This is about the authentication tokens (to use another term) in the client / server files. Example snippet:

Director {                            # define myself
  Name = <%= hostname %>-dir
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 3
  Password = "<%= somePasswordFunction %>"         # Console password
  Messages = Daemon
}

© Server Fault or respective owner
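
The derivation described in the question (hash the hostname with a secret so the director and each file daemon get the same per-host value), as an added example that is not part of the original post. It uses HMAC-SHA256 as the keyed hash, which is an assumption since the post names no construction; `bacula_password`, the role labels, the secret and the hostnames are hypothetical or constructed.

```ruby
require 'openssl'

# Hypothetical helper (not a Puppet built-in). Derives a per-host, per-role
# password from one master secret that is stored only on the Puppet master.
def bacula_password(master_secret, fqdn, role, length = 32)
  raise ArgumentError, 'master secret must be at least 32 bytes' if master_secret.to_s.bytesize < 32
  raise ArgumentError, 'fqdn and role must be non-empty' if fqdn.to_s.empty? || role.to_s.empty?
  raise ArgumentError, 'length must be between 16 and 64' unless (16..64).cover?(length)

  # Length-prefix every field so ("ab", "c") and ("a", "bc") give different inputs.
  # Hostnames are case-insensitive, so normalise before hashing.
  message = [fqdn.downcase, role].map { |f| [f.bytesize].pack('N') + f.b }.join

  # HMAC keeps the secret out of reach of length-extension tricks that a bare
  # hash(secret + hostname) would allow; hex output needs no escaping inside
  # a quoted Bacula Password = "..." directive.
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), master_secret, message)[0, length]
end

# Builds the values the director config and each client config would both embed.
def render_passwords(master_secret, hosts)
  hosts.each_with_object({}) do |host, out|
    out[host] = {
      'fd'      => bacula_password(master_secret, host, 'fd'),
      'console' => bacula_password(master_secret, host, 'console')
    }
  end
end

# Constructed sample input for illustration only.
SAMPLE_SECRET = 'constructed-example-master-secret-0123456789'
SAMPLE_HOSTS  = %w[web01.example.com db01.example.com].freeze

if __FILE__ == $PROGRAM_NAME
  render_passwords(SAMPLE_SECRET, SAMPLE_HOSTS).each do |host, pw|
    puts "#{host}: fd=#{pw['fd']} console=#{pw['console']}"
  end
end
```

A compromised client holds only its own derived values, not the master secret, so it cannot compute another host's password; rotating the master secret changes every derived password on the next Puppet run.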
