Users created to Ubuntu by Puppet cannot connect by SSH - linux

I am trying to add a new user to Ubuntu Server 14.04 with the latest version of Puppet.
I use the following code:
user { 'user':
  ensure     => present,
  home       => '/home/user',
  managehome => true,
  password   => 'password',
  system     => true,
  shell      => '/bin/bash',
  require    => Group['usergroup'],
}
The user gets created successfully but cannot log in with SSH.
This is what I get when trying to SSH:
user@10.11.11.11's password:
debug3: packet_send2: adding 64 (len 54 padlen 10 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
The problem should not be about allowing users to use SSH, because a user created with
adduser can log in with SSH without problems. Also, all existing users can SSH in.
What could be causing this problem?

The password in Puppet should be in encrypted format,
for example:
class adminusers {
  group { 'mygroup':
    ensure => 'present',
    gid    => '900',
  }
  user { 'pippo':
    ensure     => 'present',
    gid        => '100',
    home       => '/home/pippo',
    shell      => '/bin/bash',
    uid        => '150',
    managehome => true,
    groups     => ['mygroup'],
    password   => '$1$WhUZgOHI$OerslOWA3aeZfRjemFsvl/',
    require    => Group['mygroup'],
  }
}
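
A check that follows from the answer above, as an added example (not code from the original posts): on Linux, Puppet writes the user resource's password attribute verbatim into /etc/shadow, so a value that is not a crypt(3) hash can never match at login. The Python below audits user resources in manifest text; the regexes, the verdict names and the sample resources 'quoted' and 'looked_up' are constructed for illustration.

```python
import re

# crypt(3) modular format: $<id>$[params$]<salt>$<hash>
CRYPT_RE = re.compile(r'^\$(?P<id>[0-9a-z]+)\$(?:[^$]+\$)+[./A-Za-z0-9]+$')
SCHEMES = {'1': 'md5-crypt', '5': 'sha256-crypt', '6': 'sha512-crypt',
           '2a': 'bcrypt', '2b': 'bcrypt', '2y': 'bcrypt', 'y': 'yescrypt'}
# Simplification: a user resource body is assumed to contain no '}' of its own.
USER_RE = re.compile(r"\buser\s*\{\s*(['\"])(?P<title>[^'\"]+)\1\s*:(?P<body>[^}]*)\}")
PASSWORD_RE = re.compile(r"\bpassword\s*=>\s*(?P<value>'[^']*'|\"[^\"]*\"|[^,\n]+)")

# Constructed sample; the first two values are the ones quoted in the thread.
SAMPLE = r'''
user { 'user': password => 'password', }                              # question
user { 'pippo': password => '$1$WhUZgOHI$OerslOWA3aeZfRjemFsvl/', }   # answer
user { 'quoted': password => "$6$CONSTRUCTEDsalt$CONSTRUCTEDhash", }  # constructed
user { 'looked_up': password => Sensitive(lookup('password')), }      # constructed
'''

def classify(value):
    """Judge a password attribute by what would end up in /etc/shadow."""
    if value[:1] not in ("'", '"'):
        return 'dynamic'        # function call or variable: not checkable statically
    literal = value[1:-1]
    if value[0] == '"' and '$' in literal:
        return 'interpolated'   # Puppet expands $6, $salt... inside double quotes
    match = CRYPT_RE.match(literal)
    if not match:
        return 'plaintext'      # the shadow entry would not be a valid hash
    return SCHEMES.get(match.group('id'), 'unknown-scheme')

def audit(manifest):
    """Return {user title: verdict} for every user resource in the manifest text."""
    findings = {}
    for res in USER_RE.finditer(manifest):
        pw = PASSWORD_RE.search(res.group('body'))
        findings[res.group('title')] = (
            classify(pw.group('value').strip()) if pw else 'no-password')
    return findings

if __name__ == '__main__':
    for title, verdict in audit(SAMPLE).items():
        print(f'{title}: {verdict}')
```

The 'md5-crypt' verdict marks a legacy scheme; Ubuntu 14.04 hashes new passwords with SHA-512 ($6$) by default.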

Related

Puppet-Passwords as plain text in Windows agent output and in catalog file

I encrypted the password using Hiera:
dsc_xADUser {'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'tfl@ad.contoso.com',
    'password' => Sensitive(lookup('password'))
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password'))
  },
}
But on the node, when running agent -t -v, the password is shown as plain text in the agent output and in the catalog JSON file.
I also tried node_encrypt(lookup('password')), then I get the content of my encrypted password (which is good), and Windows complains that the password doesn't meet password complexity (bad, because it's trying to set all of the below as the password):
'password' = '-----BEGIN PKCS7-----
MIIMyQYJKoZIhvcNAQcDoIIMujCCDLYCAQAxggKdMIICmQIBADCBgjB9MXsweQYD
VQQDDHJQdXBwZXQgRW50ZXJwcmlzZSBDQSBnZW5lcmF0ZWQgb24gbXlwdXBwZXQt
eGwwZGJ5a212Z2xrYnl2eS5ldS13ZXN0LTEub3Bzd29ya3MtY20uaW8gYXQgKzIw
MTgtMTEtMDIgMTQ6MDQ6MDAgKzAwMDACAQUwCwYJKoZIhvcNAQEBBIICABkJDfGb
4CdHUntrVR1E......
Hiera config:
---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data
hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"
EDIT: just found this; it seems it's an open issue and related to Windows only.
UPDATE: I managed to configure Puppet not to cache the catalog file on the Windows client (by adding catalog_cache_terminus="" to the Puppet config file on Windows), so I'll use this as a "workaround". It seems there is no way to remove passwords from the agent debug output.

curl: (35) Encountered end of file puppet

I am using puppet-archive https://github.com/voxpupuli/puppet-archive to download a jar from a Nexus repository.
/puppetmaster-devteam-starter_kit/control-repo/site/role/manifests/getnexusjar.pp
class role::getnexusjar {
  include profile::getjarfromnexus
}
/puppetmaster-devteam-starter_kit/control-repo/site/profile/manifests/getjarfromnexus.pp
class profile::getjarfromnexus {
  include '::archive'
  $test_jar_dir = [ '/home/test/', '/home/test/jar/', ]
  file { $test_jar_dir:
    ensure => 'directory',
    owner  => 'root',
    group  => 'wheel',
    mode   => '0750',
  }
  archive::nexus { '/home/test/jar/test-fileprocess-workflow-1.0.0.jar':
    ensure       => present,
    extract_path => '/home/test/jar',
    url          => 'https://nexus.testmonitoring.com/repository/test-repo/com/test/fileprocess/test-fileprocess-workflow/1.0.0/test-fileprocess-workflow-1.0.0.jar',
    username     => "testuser",
    password     => "asdfghfgh",
    gav          => 'com.test.fileprocess:test-fileprocess-workflow:1.0.0',
    repository   => 'test-repo',
    packaging    => 'jar',
    extract      => false,
  }
}
Error:
Execution of '/usr/bin/curl https://nexus.testmonitoring.com/repository/test-repo/com/test/file/test-fileprocess-workflow/1.0.0/test-fileprocess-workflow-1.0.0.jar/service/local/artifact/maven/content?g=com.test.file&a=test-fileprocess-workflow&v=1.0.0&r=test-repo&p=jar -o /tmp/test-fileprocess-workflow-1.0.0.jar_20180118-30748-1j50ff9 -fsSL --max-redirs 5 --user testuser:asdfghfgh' returned 35: curl: (35) Encountered end of file

puppet not able to run shell script from master to client

I am new to Puppet. I want to run a shell script called crfs.sh located under /myscripts on a RHEL Linux Puppet master server.
How do I execute this script on a client or target server?
What you want can be solved using the file and the exec modules of puppet.
class mymodule::myclass {
  # Copy the script from the master's module files to the client
  file { 'my_bash_script':
    ensure => 'file',
    source => 'puppet:///modules/mymodule/my_bash_script.sh',
    path   => '/usr/local/bin/my_bash_script.sh',
    owner  => 'root',
    group  => 'root',
    mode   => '0744', # Use 0700 if it is sensitive
    notify => Exec['run_my_script'],
  }
  # Runs only when the file resource above changes (refreshonly)
  exec { 'run_my_script':
    command     => '/usr/local/bin/my_bash_script.sh',
    refreshonly => true,
  }
}

Basic Puppet manifest dependency/syntax issue

I am not sure what I am doing wrong and the examples I have googled seem to suggest this is allowed (I basically copied/pasted).
#
# Configure MySQL
#
package { 'mysql-server':
  ensure => installed,
}
service { 'mysql':
  ensure => running,
  enable => true
}
exec { 'set-mysql-password':
  unless  => 'mysqladmin -uroot -proot status',
  command => "mysqladmin -uroot password ALEXWASHERE",
  path    => ['/bin', '/usr/bin'],
  require => Service['mysql'];
}
#mysql:db { 'apps':
#  user     => 'aerospace_erp',
#  password => 'ALEXWASHERE',
#  host     => 'localhost',
#  grant    => ['SHOW VIEW', 'SELECT', 'UPDATE', 'INSERT', 'DELETE']
#}
This results in the following errors:
==> default: Error: /Stage[main]/Main/Service[mysql]: Could not evaluate: Could not find init script for 'mysql'
==> default: Notice: /Stage[main]/Main/Package[mysql-server]/ensure: ensure changed 'purged' to 'present'
==> default: Notice: /Stage[main]/Main/Exec[set-mysql-password]: Dependency Service[mysql] has failures: true
==> default: Warning: /Stage[main]/Main/Exec[set-mysql-password]: Skipping because of failed dependencies
Not sure what's going on???
Alex
In Linux OS,
service is mysqld not mysql
service { "mysqld" : ensure => running,}

enabling fastcgi mod in lighttpd through puppet

Hi guys, I am new to Puppet and I want to execute the following command on the client using Puppet so that the fastcgi mod is enabled on the Puppet client.
lighttpd-enable-mod fastcgi
Both the Puppet server and client are Ubuntu machines, and my lighttpd module's init.pp file is as follows:
class lighttpd::install {
  package { "lighttpd":
    ensure => present,
  }
}
class lighttpd::conf {
  file { "/etc/lighttpd/lighttpd.conf":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => "puppet:///modules/lighttpd/lighttpd.conf",
    require => Class["lighttpd::install"],
  }
}
class lighttpd::fastcgi {
  file { "/etc/lighttpd/conf-available/10-fastcgi.conf":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => "puppet:///modules/lighttpd/10-fastcgi.conf",
    require => Class["lighttpd::install"],
  }
}
class lighttpd {
  include lighttpd::install, lighttpd::conf, lighttpd::fastcgi
}
Please help me execute this command on the puppet client.
Thanks
So if you modify your lighttpd::fastcgi class to be something like:
class lighttpd::fastcgi {
  file { "/etc/lighttpd/conf-available/10-fastcgi.conf":
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => "puppet:///modules/lighttpd/10-fastcgi.conf",
    require => Class["lighttpd::install"],
    notify  => Exec["enable-mod-fastcgi"],
  }
  exec { "enable-mod-fastcgi":
    command     => "/usr/bin/lighttpd-enable-mod fastcgi",
    refreshonly => true,
  }
}
(sorry - the path may be wrong to lighttpd-enable-mod - I don't have lighttpd here).
This should notify the 'exec' correctly. The exec will only get called when notified because of the 'refreshonly' parameter being true.
