Puppet: System Administration Automated


Ticket #1025 (new enhancement)

Opened 8 months ago

Last modified 5 months ago

Directory Service Provider: Password Setting is Looping

Reported by: mccune Assigned to: mccune
Priority: normal Milestone: unplanned
Component: Darwin Version:
Severity: normal Keywords: directoryservice, mac, osx, apple, password
Cc: Triage Stage: Accepted
Attached Patches: None Complexity: Medium

Description

The directory service provider currently cannot properly check if a password is set for a local account.

I'd like to add a number of enhancements related to user passwords:

  • Use the dirt system command to check the cleartext password.
  • Make sure dirt does not have the cleartext passphrase in the process table. We might leverage Ruby's expect module and popen3, though finding out the exit status of the process is not clear to me using this method.
  • Check and set the shadow hash directly.
  • Mac OS X defaults to Salted SHA passwords in /var/db/shadow/hash files named after the GUID.
  • We might simply embed {SSHA}XXXXXXXXX...X strings directly into a Directory Service attribute of the user account.
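The two mechanics the description touches on, as an added example that is not code from the ticket or from Puppet's directoryservice provider: building and verifying an {SSHA} string (salt appended to the SHA1 digest, the common LDAP convention; a 4-byte salt is assumed), and driving a checker through Open3.popen3 with the passphrase on stdin rather than argv so it never appears in the process table, reading the exit status from the wait thread. dirt itself is not assumed to be available, so a small Ruby child process stands in for it.

```ruby
require 'digest'
require 'base64'
require 'securerandom'
require 'open3'
require 'rbconfig'

# Build an {SSHA} string: base64(SHA1(password + salt) + salt).
# The salt rides along after the digest inside the base64 payload.
def ssha_hash(password, salt = SecureRandom.random_bytes(4))
  digest = Digest::SHA1.digest(password.b + salt.b)
  '{SSHA}' + Base64.strict_encode64(digest + salt.b)
end

# Verify a cleartext password against an {SSHA} string. The digest
# comparison is constant-time so it does not leak how many leading
# bytes matched; malformed input simply fails verification.
def ssha_verify?(password, ssha)
  return false unless ssha.start_with?('{SSHA}')
  payload = Base64.strict_decode64(ssha[6..-1])
  return false if payload.bytesize <= 20        # need digest plus some salt
  stored, salt = payload[0, 20], payload[20..-1]
  candidate = Digest::SHA1.digest(password.b + salt)
  diff = 0
  stored.bytes.zip(candidate.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
rescue ArgumentError                            # not valid base64
  false
end

# Run a checker (dirt, or a stand-in) with the passphrase written to its
# stdin instead of passed on argv, and return [exit status, output].
# wait_thr.value blocks until the child exits and is its Process::Status,
# which answers the exit-status question raised in the ticket.
def check_with_secret_on_stdin(argv, secret)
  out, status = Open3.popen3(*argv) do |stdin, stdout, stderr, wait_thr|
    stdin.write(secret + "\n")
    stdin.close                                  # EOF so the child can proceed
    [stdout.read + stderr.read, wait_thr.value]
  end
  [status.exitstatus, out]
end

# Stand-in for dirt (assumption: dirt is not installed here). It reads
# the passphrase from stdin, hashes it, compares it with the hex digest
# given on argv and reports the result through its exit code, exactly
# the way a real checker would be consumed.
STANDIN_CHECKER = [
  RbConfig.ruby, '-e',
  'require "digest"; exit(Digest::SHA1.hexdigest(STDIN.gets.to_s.chomp) == ARGV[0] ? 0 : 1)',
  Digest::SHA1.hexdigest('s3cret')
]
```

Only the hash travels on the command line of the stand-in; the cleartext is visible to the child alone, on its stdin.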

Change History

01/22/08 04:55:21 changed by mccune

Reference: #1024 (Directory Service Provider patch ticket)

01/22/08 04:56:03 changed by mccune

  • owner changed from community to mccune.
  • complexity changed from Unknown to Medium.
  • type changed from defect to enhancement.

(follow-up: comment 4) 01/22/08 05:26:59 changed by dhaveconfig

One extra caveat to be aware of is Mobile Accounts, which don't use the GUID, but instead are named after the relevant short username. We could choose to not manage these, or we could choose to go against Apple's GUI/DirectoryService API methodology and allow local setting of the password regardless of whether the account is Mobile or a "true" local one.

I think my preference is towards setting hashes, not actual passwords, but I'm about to go browsing through how things work on other platforms.

(in reply to: comment 3) 01/23/08 21:27:25 changed by dhaveconfig

OK, so I think my preference would be that we don't manage any Lanman hash at all, and in fact Puppet doesn't necessarily manage the entire shadow hash file on OS X, but it can.

So you can specify 000000000...ACTUALHASH00000000.... if you want to manage the whole file, or if you just put in the hash itself, Puppet only manages that section of the file, leaving alone any other hashes that Apple decides to stick in that file.
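The "whole file or just the field" behaviour described above, as an added example that is not the ticket's or Puppet's code. The file is treated as a fixed-width run of hex digits; the field offsets and lengths below are a constructed layout, since the real /var/db/shadow/hash offsets are not given on this ticket, and only the splicing logic is the point.

```ruby
# Constructed demo layout for a fixed-width, hex-encoded shadow hash file.
# These numbers are assumptions for the example, not the real file format.
FILE_LEN    = 160        # total hex digits in the file
HASH_OFFSET = 40         # where the managed salted-SHA1 field starts
HASH_LEN    = 48         # width of that field in hex digits
HEX_RE      = /\A\h*\z/  # \h is a hex digit in Ruby regexps

# Read only the managed field out of the current file content.
def extract_hash(content)
  raise ArgumentError, 'unexpected file length' unless content.length == FILE_LEN
  content[HASH_OFFSET, HASH_LEN]
end

# Compute what the file should contain for the desired value.
# A full-width value replaces the whole file; a field-width value is
# spliced into place so every other hash in the file is left untouched.
def desired_content(current, value)
  value = value.downcase
  raise ArgumentError, 'value is not hex' unless value.match?(HEX_RE)
  case value.length
  when FILE_LEN
    value
  when HASH_LEN
    current = '0' * FILE_LEN if current.nil?    # no file yet: zero-filled
    raise ArgumentError, 'unexpected file length' unless current.length == FILE_LEN
    current[0, HASH_OFFSET] + value + current[HASH_OFFSET + HASH_LEN..-1]
  else
    raise ArgumentError, "value must be #{HASH_LEN} or #{FILE_LEN} hex digits"
  end
end

# True when the current file already satisfies the desired value, so a
# provider can report the property in sync without rewriting the file.
def in_sync?(current, value)
  return false if current.nil?
  desired_content(current, value) == current
end
```

Because the comparison goes through desired_content, a field-width value counts as in sync even when the unmanaged parts of the file differ from a zero fill, which is the "leave the other hashes alone" behaviour the comment asks for.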

02/05/08 07:25:10 changed by luke

  • stage changed from Unreviewed to Accepted.
  • milestone set to unplanned.

I'm assuming you'll take care of this, Jeff, so I'll just pass it through.

04/24/08 08:04:35 changed by luke

  • component changed from library to Darwin.