forked from nickanderson/nickanderson-cfengine-library
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathlib_local_user_management.cf
61 lines (54 loc) · 3.24 KB
/
lib_local_user_management.cf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# Get the latest version of this library: https://raw.github.com/nickanderson/nickanderson-cfengine-library/master/lib_local_user_management.cf
# General Usage Guidelines
# all of the bundels in this library adhear to the same variable declaration
# format so as to be easily used together.
#
# Note on password hashes:
# this perl oneliner should generate valid hashed passwords, replace MYPASSWORD
# with your password. Be sure your system supports whatever encryption method
# you choose. Thanks Scott Hunter <[email protected]> for the oneliners.
#
# For sha512: perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..85)); print crypt("MYPASSWORD", q[$6$] . $salt) . "\n";'
# For sha256: perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..42)); print crypt("MYPASSWORD", q[$5$] . $salt) . "\n";'
# For md5: perl -e '@letters = ("A".."Z", "a".."z", "0".."9", "/", "."); $salt = join("", map { $letters[rand@letters]; } (0..21)); print crypt("MYPASSWORD", q[$1$] . $salt) . "\n";'
#
# vars:
# "users[testuser][gecos]" string => "My Test User";
# "users[testuser][uid]" string => "1500";
# "users[testuser][gid]" string => "1500";
# "users[testuser][home]" string => "/home/cmdln/tmp/testuserhome";
# "users[testuser][shell]" string => "/sbin/nologin";
# "users[testuser][passwdhash]" string => "testhash";
bundle agent local_users_enforce_password (users) {
# This bundle enforces a specific hashed password to be set in /etc/shadow
# When the password is changed it also updates the 3rd filed (day last changed)
# Generate Hash: echo "mypassword" | makepasswd --clearfrom=- --crypt-md5 |awk '{ print $2 }'
# Usage:
# vars:
# users[root][passwdhash] string => "$1$EJrfeceC$9y4pFgc6x8p1Fcnfy1rus.";
# methods:
# "any" usebundle => local_users_enforce_password('currentbundlename.users');
#
vars:
linux::
"pwfile" string => "/etc/shadow";
"usersindex" slist => getindices("$(users)");
"days_since_epoch"
string => execresult("/usr/bin/perl -le 'print int time/(60*60*24)'", "noshell"),
comment => "Used for password aging, only needed if the users password is updated, otherwise dont waste time forking a process",
ifvarclass => "set_$(usersindex)_password";
files:
linux::
"$(pwfile)"
comment => "Ensure password is set as expected",
edit_line => set_user_field("$(usersindex)","2","$($(this.users)[$(this.usersindex)][passwdhash])"),
classes => if_repaired("set_$(usersindex)_password");
"$(pwfile)"
comment => "Update date of last password change with todays date expressed in days since epoch if the password is updated",
edit_line => set_user_field("$(usersindex)","3","$(days_since_epoch)"),
ifvarclass => "set_$(usersindex)_password";
reports:
linux.verbose_mode::
"$(usersindex) passwordhash in $(this.pwfile) set",
ifvarclass => "set_$(usersindex)_password";
}