Puppet: System Administration Automated

Ticket #219 (assigned enhancement)

Opened 2 years ago

Last modified 7 months ago

user type could be used to lock account

Reported by: puppet
Assigned to: Fujin (accepted)
Priority: low
Milestone: unplanned
Component: user
Version:
Severity: minor
Keywords: user locking
Cc:
Triage Stage: Accepted
Attached Patches: None
Complexity: Medium

Description

User type could easily add locking capability by using:

ensure => locked

This will password-lock the account and is a synonym for present+lock. This kind of user could only log in with an SSH key or other non-password means, and be sure that it is enforced that way.

This is enforced by:

passwd -l login (on Debian at least)
pw user mod -h - -n login (on FreeBSD)

regards, Ghislain.

Attachments

locking.patch (3.6 kB) - added by jamtur01 on 02/29/08 04:26:26.

Change History

04/05/07 21:43:38 changed by luke

  • specification set to Unnecessary.
  • patch set to None.
  • complexity set to Easy.
  • approval set to Unnecessary.
  • compatibility set to Full.
  • stage set to Accepted.

This should now be pretty straightforward with Provider Features.

04/05/07 21:43:57 changed by luke

  • owner changed from luke to community.

02/28/08 19:16:17 changed by plathrop

Closed #1106 as a duplicate

02/29/08 00:30:01 changed by Fujin

  • status changed from new to assigned.
  • severity changed from normal to minor.
  • priority changed from normal to low.
  • owner changed from community to Fujin.
  • milestone set to elmo.
  • keywords set to user locking.

02/29/08 00:35:05 changed by Fujin

  • milestone changed from elmo to 0.24.3.

Putting this on the backburner till 0.24.2 is out.

02/29/08 04:14:23 changed by Fujin

  • complexity changed from Easy to Medium.

Apparently I've overlooked some of the code to make this work: the 'insync' feature needs to be able to detect what a locked or unlocked account looks like, which will require some magical regex. Just updating this so I remember when I look at this again.

02/29/08 04:26:13 changed by happymcplaksin

Maybe you don't need a magic regex if you use 'passwd -s user' to check whether an account is locked?

On Red Hat it looks like this:
# passwd -S happy
happy PS 2007-09-30 0 99999 7 -1 (Password set, MD5 crypt.)
# passwd -S bin
bin LK 2007-09-27 0 99999 7 -1 (Alternate authentication scheme in use.)

On Debian:
# passwd -S happy
happy P 02/19/2007 0 99999 7 -1
# passwd -S bin
bin L 02/03/2006 0 99999 7 -1

On HP-UX:
# passwd -s happy
happy  PS    09/04/07    0  0
# passwd -s bin
bin  LK

Solaris:
# passwd -s happy
happy     PS
# passwd -s bin
bin       LK

02/29/08 04:26:26 changed by jamtur01

  • attachment locking.patch added.

03/06/08 04:41:59 changed by micah

You can do this already by simply setting the password to '*' (allows for ssh-key logins, but no passwords) or '+' (locked account). These formats might be different on different OSes, but it works this way in Debian now.

03/06/08 07:02:01 changed by Fujin

Are you suggesting that instead of having a locking feature for the user type, we simply suggest that the user use the password => field to set '*' or '+'? Also, '!' = locked too, I think (root comes like this in Ubuntu).

03/06/08 19:09:38 changed by micah

I was suggesting this... however, now that I think about it more, different systems may not respect this. I don't even know if it's a standard or not, so it might make more sense for the locking feature to exist and do the right thing depending on the system's requirements for locking an account.
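The two detection approaches raised in this thread, as an added Ruby example that is not part of the ticket, of the attached locking.patch, or of Puppet's user provider: parsing the `passwd -S` / `passwd -s` status lines happymcplaksin quoted above (Red Hat, Debian, HP-UX, Solaris) into a locked/unlocked answer that an 'insync' check can compare against `ensure => locked`, and the hash-field convention micah and Fujin mention ('!' or '*' prefix). The sample lines are constructed from the outputs quoted in the ticket; the status codes (P/PS, L/LK, NP) and the assumption that '!'/'*' prefixes mean the password is unusable follow Linux shadow-utils and Solaris semantics and may not hold on every system.

```ruby
# Added example, not code from the ticket or the attached patch.
# Decide whether an account is locked from `passwd -S` output, and from
# the hash-field prefix convention discussed in the thread.

# Status codes in the second field of `passwd -S` / `passwd -s` output.
# Linux shadow-utils uses P (usable password), L (locked), NP (no password);
# Solaris and HP-UX use PS, LK and NP.  Anything else is treated as unknown.
LOCKED_CODES   = %w[L LK].freeze
UNLOCKED_CODES = %w[P PS NP].freeze

# Parse one `passwd -S <user>` line into {user:, status:, locked:}.
# Returns nil when the line has fewer than two fields or an unknown code,
# so a caller never mistakes an unparsable line for "unlocked".
def parse_passwd_status(line)
  fields = line.strip.split(/\s+/)
  return nil if fields.size < 2
  user, status = fields[0], fields[1]
  locked = if LOCKED_CODES.include?(status) then true
           elsif UNLOCKED_CODES.include?(status) then false
           end
  return nil if locked.nil?
  { user: user, status: status, locked: locked }
end

# Hash-field check (assumption: Linux shadow semantics): `passwd -l`
# prefixes the hash with '!', and '*' means no password login at all.
# Either prefix makes the password unusable, so treat both as locked.
def hash_locked?(hash_field)
  hash_field.start_with?('!', '*')
end

# What an 'insync' feature for `ensure => locked` would compare:
# the desired lock state against the state detected on the system.
def insync?(wanted_locked, current_locked)
  wanted_locked == current_locked
end

# Constructed sample input, taken from the outputs quoted in this ticket.
SAMPLE_STATUS = [
  "happy PS 2007-09-30 0 99999 7 -1 (Password set, MD5 crypt.)",          # Red Hat
  "bin LK 2007-09-27 0 99999 7 -1 (Alternate authentication scheme in use.)",
  "happy P 02/19/2007 0 99999 7 -1",                                      # Debian
  "bin L 02/03/2006 0 99999 7 -1",
  "happy  PS    09/04/07    0  0",                                        # HP-UX
  "bin  LK",
  "happy     PS",                                                         # Solaris
  "bin       LK",
].freeze

if __FILE__ == $0
  SAMPLE_STATUS.each do |line|
    r = parse_passwd_status(line)
    puts "#{r[:user]}: #{r[:locked] ? 'locked' : 'unlocked'} (#{r[:status]})"
  end
  # Hypothetical hash fields, constructed for illustration.
  puts "hash '!$1$abc': locked=#{hash_locked?('!$1$abc')}"
  puts "hash '$1$abc':  locked=#{hash_locked?('$1$abc')}"
end
```

Returning nil for an unknown status code is the deliberate choice here: a provider that defaults unknown output to "unlocked" would happily try to lock an account on a platform whose `passwd -S` format it does not actually understand.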

03/13/08 20:06:42 changed by luke

  • milestone changed from 0.24.3 to unplanned.

Sounds like the code isn't quite there, and I'm in a hurry to get 0.24.3 out. When you've got the code working, let me know and we can add the ticket to the next release.

04/24/08 07:31:52 changed by luke

  • component changed from types to user.