Managing service passwords with Puppet
Posted by Jeff Ferland on Server Fault
Published on 2012-01-24T16:49:51Z
Indexed on 2012/04/03 23:31 UTC
I'm setting up my Bacula configuration in Puppet. One thing I want to do is ensure that each password field is different. My current thought is to hash the hostname with a secret value that would ensure each file daemon has a unique password and that password can be written to both the director configuration and the file server. I definitely don't want to use one universal password as that would permit anybody who might compromise one machine to get access to any machine through Bacula.
Is there another way to do this other than using a hash function to generate the passwords?
Clarification:
This is NOT about user accounts for services. This is about the authentication tokens (to use another term) in the client / server files. Example snippet:
Director { # define myself
  Name = <%= hostname %>-dir
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 3
  Password = "<%= somePasswordFunction %>" # Console password
  Messages = Daemon
}
© Server Fault or respective owner
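The derivation the question describes, as an added example that is not part of the original post: a keyed hash (HMAC-SHA256) of the hostname yields one token per file daemon, and the same value is rendered into both the director's and the file daemon's config fragments. The helper names, the `purpose` and `version` labels, the secret and the hostnames are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'erb'

# Constructed placeholder. Assumption: the real secret is readable only on
# the Puppet master, since anyone holding it can derive every host's token.
MASTER_SECRET = 'constructed-example-secret'

# Derive a per-host, per-purpose token (hypothetical helper name).
# HMAC is used instead of hash(secret + hostname) so the secret is a proper
# key, and the purpose label keeps e.g. console and fd tokens distinct.
def bacula_password(secret, hostname, purpose, version = 1)
  raise ArgumentError, 'hostname must not be empty' if hostname.to_s.empty?
  raise ArgumentError, 'purpose must not be empty' if purpose.to_s.empty?
  # Length prefix makes the encoding unambiguous; bump version to rotate.
  msg = "bacula|v#{version}|#{purpose.bytesize}:#{purpose}|#{hostname.downcase}"
  OpenSSL::HMAC.hexdigest('SHA256', secret, msg)
end

# Fragment for the director's config: one Client resource per file daemon.
DIR_CLIENT = ERB.new(<<~'CONF')
  Client {
    Name = <%= client %>-fd
    Address = <%= client %>
    Password = "<%= password %>"
  }
CONF

# Fragment for the file daemon's config: the director allowed to connect.
FD_DIRECTOR = ERB.new(<<~'CONF')
  Director {
    Name = <%= director %>-dir
    Password = "<%= password %>"
  }
CONF

# Render both sides from one derivation so the two files always agree.
def render_pair(secret, director, client)
  pw = bacula_password(secret, client, 'fd')
  { dir: DIR_CLIENT.result_with_hash(client: client, password: pw),
    fd: FD_DIRECTOR.result_with_hash(director: director, password: pw) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostnames.
  pair = render_pair(MASTER_SECRET, 'backup01', 'web01.example.com')
  puts pair[:dir], pair[:fd]
end
```

Because the token is a pure function of the secret and the hostname, nothing has to be stored per host, but the tokens are only as private as the master secret and the rendered config files.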