Is it possible to use puppet to auto create user accounts in Active Directory? The idea being that puppet could regularly process a text file?
or is this really something much better handled outside of puppet using a PowerShell script?
i'd be keen to know your thoughts on this.
Is it possible to use puppet to auto create user accounts in Active Directory? The idea being that puppet could regularly process a text file?
Puppet's User resource type has a provider for managing local users on Windows machines, but to the best of my knowledge, it does not manage AD users. Even if it did, however, "regularly process[ing] a text file" for this purpose is somewhat at odds with the Puppet idiom, and probably would not rely on User resources anyway.
or is this really something much better handled outside of puppet using a PowerShell script?
If you can do it by running a PowerShell script on a machine under Puppet management, then you can have Puppet do that for you. With that said, I'm not too keen on the general idea, whether mediated by Puppet or not. There is a bit too much separation for me between the decision to add a user and the fulfillment. I would rather see either Puppet (or some other software) managing users in much more detail, or no automation of new-user creation at all.
Related
I have a bunch of TeamCity agents (Windows, Linux, AWS, OpenShift). To have consistent state it is desirable that all of them have the same software+version installed. Manually checking them is very tedious
Hence I have decided to have an application which shows this information as a dashboard, i.e. a snapshot view of all the agents and the software installed on them. I have decided to use Python(v3.6) for the implementation. I am not a hardcore developer hence this will be learn and do project for me.
I was thinking of some sort of a code-base on all agents that would fetch the necessary details for that agent only.
I will then have a central server that will utilize this data from each agent and then display it in the form of a dashboard.
Please let me know if the above design is the proper way of doing it or please suggest some alternate if any.
If I can have some pointers as how to go about implementing it that would be of great help.
If you have full control over the agents' machines, consider using Ansible to enforce the desired configurations. In general it is much more convenient an safe to control agents' configurations rather than ask them if they have proper ones. And with Ansible or similar configuration management tool you can do this in a scalable way.
I am trying to allow ssh users to be defined in Radius, but share a home directory, shell, etc. The idea is that all users share the same home directory and default shell (an application). I would like to avoid creating numerous accounts on the local machine (really a docker container) since their activity is constrained by the application. I think that I just need to replace the user database information, but I don't understand how to just override that part of the login activity. Has anyone else done this or should I be solving this a different way?
Ok, I am going to answer my own question. If you have better information, please contribute. This question might have been better in ServerFault, but as a programmer I spend more time on StackOverflow so I did not think of that.
The PAM library is useful for single sign-on, but it cannot replace the /etc/passwd file and related files. PAM and the other assets it brings in supplement the internal Linux info. So, while you can authenticate with a remote server like Radius, you will still have entries in /etc/passwd. The control flow is a list of rules in pam.conf and the top-level library works its way down the list letting each module (plug-in) do its work. Read 'man pam.conf' and 'man pam_mkhomedir' for good information on how this works.
A module implements 6 functions so it is very approachable to add new modules. See pam_deny.c for the simplest module.
Also, getpwnam is a function you may need in whatever it is you are trying to do. You can read about that using 'man getpwnam', but you probably already knew that.
I have a special user, called udpate, whose shell is a special command that fetches any pending updates to our system.
I'd like to be able to open an ssh session with this user without any kind of authentication (password or ppk, or anything), so if anyone wants to update a system, they could do "ssh update#<>", without having to know a password, or have a pre-shared public key on the box.
Insecure, I know, but this is over a VPN, so it should not be a problem, and they will only run the update, and then be thrown out.
Can this be done?
VPN is not a good reason to avoid authentification when using ssh. Even if there is a way to do this, you shouldn't use it. Use a ssh-key is the best way to do it. If you really want to do thing like this, use the same key and distribute it on each box.
What did you do if the local network of your box is compromised ? You just have a security hole.
as this rfc points out, there is support for host based authentication https://www.ietf.org/rfc/rfc4252.txt
So using it carefully should be possible by following this tutorial https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication#Server_Configuration_for_host-based_authentication.
That may not be a final solution, but helping finding one.
But really, you should not do it for this usecase... Just offer a basic web endpoint which does only start the update process on the next cron run. I know, its not so "simple" but its a lot more secure.
Or if they have access to this server anyway, add a script with super user bit set which triggers the update.
Also, if you have a central server in your company, where everyone has access too, you can use this as step in between to host the key pair, so you dont need to manage X keys for everyone.
Or you use a more modern setup with puppet or anything, or you just configure the server to always update without user interaction needed....
While my understanding is that using environment variables for configuring applications in different deployment environments is best practice, I don't know of a good method for managing these environments and populating the variables in them.
Here are the approaches I'm considering:
Populating them in the Upstart script we use to run our app. We use Ansible to provision our servers which currently copies over a static upstart scrip, however this could be templated with environment variables.
Same approach but with /etc/environment
Using something like envdir and once again using ansible to populate the files.
The other issue is where to store the values, I'm thinking redis, but am open to suggestion. Ansible has a "Vault" that I'm yet to look at which may be an option.
The values are things like API keys and database urls.
I'm really just wondering what approaches other people use. I'm open to all suggestions.
I think this question is going to solicit a lot of opinions, and probably a lot of conflicting opinions, but with that said here's some of my opinions:
/etc/environment is part of the OS and intended for configuration of interactive user shells. Don't use it for applications.
A templatized upstart config via ansible seems pretty reasonable to me. Just ensure the filesystem permissions are suitably locked-down to root read only if you intend to store sensitive data there.
You could also use a templatized application-specific config file such as /etc/myapp/config which has worked pretty well for many programs for a few decades. The whole environment-variables-are-better-than-config files position is really coming more from a PaaS perspective (heroku I believed popularized this approach by way of their 12-factor app site). So if you're deployment is PaaS or PaaS-style, envirnoment is convenient. But if you are installing your app on your own servers via Ansible, IMHO a straight-up config file is simpler to troubleshoot for the reasons I outline in my blog post environment variables considered harmful
Some users are suggesting that my (C#) program should be able to run scripts after completing it's job. This would be done through a command line to be input in my configuration dialog.
I'm no security expert, so I'm not sure if this acceptable in terms of security. Since the app runs with admin privileges (on Windows), wouldn't that be a huge security risk? Someone could just modify the config files of my application to point to a potentially dangerous script, couldn't they?
On the other hand, plenty of applications allow this, while requesting admin privileges, so I guess it must be ok, but I thought I'd better seek advice before opening wide security holes everywhere =)
Can I allow my application running with full privileges to launch user-specified scripts?
You can restrict access to your config in different ways - from obfuscating the config file to using NTFS permissions to limit access of non-admin accounts to it.
C# certainly allows you to run a user script. System.Diagnostics.Process makes that real easy. The question of security here is another problem.
Running scripts when a process completes can be an incredibly useful and can make or break your target audience's opinion of your application. Understandably, you don't want your product to be turned against your own consumers through a malicious hack like you're thinking.
The root of this problem is that your options are (I'm assuming) text based and easily editable. Your best bet is to encrypt your config file to prevent outside changes to it. Note that this doesn't prevent people from using your app to change your options to allow a malicious script, but for somebody to do that, they need access to an instance of your application instead of simply file read/write access.
This does bring to question one more aspect you should watch for. Don't use the same key for every installation of your application. If you do that, then Bob could cause Alice to run a malicious script by copying Alice's config, using his instance of your app to decrypt it and make the change and then Bob can replace Alice's config with the new malicious config.
Here is another SO question for how to encrypt strings in C#.