| 1 | +Steve Shipway |
| 2 | +University of Auckland |
| 3 | + |
| 4 | +Version 2.0: Dec 2011 |
| 5 | +Tested with RHEL(5.3,6.2), Ubuntu(Lucid), SecretServer(7.8) |
| 6 | + |
| 7 | +Requires Savon Ruby Gem to be installed on Puppet Master: 'gem install savon' |
| 8 | +This probably means you need RHEL6 since RHEL6 Ruby did not support gems. |
| 9 | + |
| 10 | +Also requires the secretserver.rb module file to be installed in |
| 11 | +/usr/lib/ruby/site_ruby/1.8/secretserver.rb |
| 12 | + |
| 13 | +# PARAMETERS |
| 14 | + |
| 15 | +Set these in the init.pp file |
| 16 | + |
| 17 | + $ss_hostname = 'secretserver.auckland.ac.nz' |
| 18 | + $ss_username = 'puppet' |
| 19 | + $ss_password = 'mypassword' |
| 20 | + $ss_folder = 'Drop-box' |
| 21 | + |
| 22 | +# PASSWORD CLASS |
| 23 | +Change password if older than 30 days, updating secret server (thycotic.com) |
| 24 | +database to reflect changes. |
| 25 | + |
| 26 | +Allows you to have regularly rotating passwords, stored centrally and audited, |
| 27 | +but with noone actually knowing what they are. |
| 28 | + |
| 29 | +This will also change and update if password is not yet defined on SecretSvr |
| 30 | +It will NOT verify that SS record contains the correct password though as |
| 31 | +this is not necessarily possible with various backends |
| 32 | + |
| 33 | +Only users with UID<500 are checked; to change this, edit the facter module |
| 34 | +to set facts for ALL users. (see comments at start of lib/facter/password.rb ) |
| 35 | +Note that ubuntu/debian people may wish to make this threshold <1000 instead. |
| 36 | + |
| 37 | +Facter should set facts: pwage_(.*) for all accounts <500 |
| 38 | + |
| 39 | +To use: |
| 40 | + ss::password { 'root': } |
| 41 | + ss::password { 'oracle': maxage=>60, folder=>'Oracle Passwords' } |
| 42 | + |
| 43 | +Attributes: |
| 44 | + maxage: number of days old a password must be before it gets auto changed |
| 45 | + default is 30 |
| 46 | + folder: which SecretServer folder to place the secret into, if not the |
| 47 | + default |
| 48 | + username: (namevar) username to set password for |
| 49 | + minchange: minimum number of days before password can be changed by user |
| 50 | + default is 0 (may not be supported by your unix) |
| 51 | + |
| 52 | +SecretServer: |
| 53 | + The new password secure is of type 'Unix Account (SSH)' |
| 54 | + The secret name is $username@$fqdn |
| 55 | + |
| 56 | +Assumptions: |
| 57 | + 1. The specified user exists as a Local user with no 2FA rules |
| 58 | + 2. The specified folder exists, is writeable, and defaults to appropriate |
| 59 | + sharing rules |
| 60 | + 3. All passwords for servers are shared with the puppet user |
| 61 | + 4. All newly created passwords will be with 'Unix Account (SSH)' template |
| 62 | + 5. Passwords can be changed via /usr/sbin/chpasswd (install this if it is |
| 63 | + not present). This works for ubuntu, debian, redhat, centos, fedora, |
| 64 | + and solaris (if chpasswd is installed from sunfreeware) |
| 65 | + 6. Password ages are in /etc/shadow in standard format (OK for redhat, |
| 66 | + centos, fedora, ubuntu, debian, solaris) |
| 67 | + 7. Secretserver v7.x API available |
| 68 | + |
| 69 | +Bugs: |
| 70 | + 1. No way to detect noop mode from functions, so secretserver will be |
| 71 | + updated even though the password is not changed on the client. |
| 72 | + |
| 73 | + |
| 74 | +# SSL CERTIFICATE CLASS |
| 75 | +This will synchronise certificate/key files on the client with the certificate |
| 76 | +and key data held in SecretServer. |
| 77 | + |
| 78 | +It will optionally restart Apache after making changes. |
| 79 | + |
| 80 | +Allows you to have certificates stored centrally, and multiple servers using |
| 81 | +the same certificate automatically updated together by puppet. |
| 82 | + |
| 83 | +Should also work with Windows if you have service=>false and specify a |
| 84 | +windows file location with key=> and crt=>, though this is not tested. |
| 85 | + |
| 86 | +To use: |
| 87 | +ss::cert { 'www.auckland.ac.nz': } |
| 88 | +ss::cert { $fqdn: service=>false; } |
| 89 | + |
| 90 | +Attributes: |
| 91 | + key, crt: Specify alternate locations for the files. Default is to put them |
| 92 | + into /etc/httpd/conf/$name.crt and /etc/httpd/conf/$name.key |
| 93 | + service: set to false if you dont want it to restart httpd if cert changes |
| 94 | + ss: set to false if you want it to pull from a file instead of secretserver |
| 95 | + |
| 96 | +SecretServer: |
| 97 | + The certificates MUST be stored in an object with a Certificate template. |
| 98 | + The secret name MUST correspond exactly to the namevar. |
| 99 | + |
| 100 | +Assumptions: |
| 101 | + 1. The puppet master must have read access to the certificate secret |
| 102 | + 2. The files are stored in the correct format. No conversion or validation |
| 103 | + is performed. |
| 104 | + 3. SecretServer API 7.6 or later available |
| 105 | + |
| 106 | +Bugs: |
| 107 | + 1. If you have service=>true (the default) then the definition of the httpd |
| 108 | + service may conflict with something you subsequently define elsewhere. |
| 109 | + |
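Review bot: the PARAMETERS section instructs users to put the SecretServer service-account credentials in init.pp as plain manifest variables (`$ss_username = 'puppet'`, `$ss_password = 'mypassword'`), and Assumption 3 of the password class makes that account one with which "All passwords for servers are shared", so anyone who can read the module directory on the master (or the repository, if init.pp is committed) holds the key to every rotated root password; the README should send that value to a file outside the module readable only by the master process and state how narrowly the SecretServer 'puppet' user's folder permissions should be scoped. Smaller points in the same file: "you need RHEL6 since RHEL6 Ruby did not support gems" should read RHEL5 in the second place, given the preceding sentence; Bug 1 of the password class (a noop run still updates SecretServer) together with "It will NOT verify that SS record contains the correct password" means a noop run silently leaves the stored secret wrong, so warn against running the agent with --noop on hosts using this class and tell readers the earlier value can be recovered from the secret's history where their Secret Server version keeps one; and in the cert class, "No conversion or validation is performed" before httpd is restarted means a key that does not match the certificate, or a blob pasted in the wrong format, takes the service down on the next run, so recommend an openssl modulus comparison of key and certificate before the file resources fire, and state the mode the key file is written with (it should be root-owned 0600, which the attribute list does not mention).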