Puppet – Managing Service Passwords Securely

authenticationpasswordpassword-managementpuppetSecurity

I'm setting up my Bacula configuration in Puppet. One thing I want to do is ensure that each password field is different. My current thought is to hash the hostname with a secret value that would ensure each file daemon has a unique password and that password can be written to both the director configuration and the file server. I definitely don't want to use one universal password as that would permit anybody who might compromise one machine to get access to any machine through Bacula.

Is there another way to do this other than using a hash function to generate the passwords?

Clarification:

This is NOT about user accounts for services. This is about the authentication tokens (to use another term) in the client / server files. Example snippet:

Director {                            # define myself
  Name = <%= hostname $>-dir
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 3
  Password = "<%= somePasswordFunction =>"         # Console password
  Messages = Daemon
}

Best Answer

I'm quite pleased with my solution to this. It's a shell script called by generate() function from puppet manifest. Password for each host is generated and stored in simple file as needed.

#!/bin/bash
# /etc/puppet/helpers/bacula/getpwd

if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <pwd_name>"
    exit 1
fi

if [ ! -x /usr/bin/pwgen ]; then
    echo "missing pwgen!" >&2
    exit 1
fi

workdir="/etc/puppet/helpers/bacula/"
workfile="$workdir/passwd"
[ ! -r $workfile ] && exit 2
get_name="$1"

# get password from storage
pwd=$(awk -F: -v name="$get_name" '
BEGIN      { r = "NOTFOUND" }
name == $1 { r = $2         }
END        { printf "%s", r }
' "$workfile")

if [ "$pwd" = "NOTFOUND" ]; then
    # generate new password & store it
    len=$((60 + $RANDOM % 9 ))
    pwd=$(/usr/bin/pwgen -s $len 1)

    echo "${get_name}:${pwd}" >> $workfile
fi

# echo password (without new line)
echo -n "$pwd"

Install pwgen or another password generation tool, modify workdir variable for your system settings, check password lengths. In template file call it:

Password = <%= scope.function_generate("/etc/puppet/helpers/bacula/getpwd", bacula_dirname) %>

Puppet variable bacula_dirname should be based on hostname or set from extlookup() e.g.:

$bacula_dirname = "${hostname}-dir"
Related Topic