0

Forcing user to change his unix login password

asked 2016-03-17 03:22:34 -0500

queszama

I am using the `users' resource to create unix accounts and then set a default password. For this I have written the following manifest.

    node 'node2.example.com', 'node3.example.com' {
      user { 'askar':
        ensure           => 'present',
        managehome       => 'true',
        comment          => 'man Home',
        home             => '/home/askar',
        shell            => '/bin/bash',
        expiry           => '2016-03-22',
        password         => '$1$cs1j/t.D$4Q2Ocr0pulyNTUx/',
        password_min_age => '30',
        password_max_age => '60',
      }
    }

It works fine, but I want the user to be forced to change his password at next login. For this I extended the rule with an exec resource to run the following command, chage -d 0 askar, so that the user is forced to change the password:

      exec { 'chage':
        command => 'chage -d 0 askar'
      }
    }

But this is not working for me. Can you please suggest how I can get a user forced to change his password at next login?


Comments

Does puppet throw an error? Does it say it's running it but you see no change on the system? Just saying "this is not working" doesn't give us any info on why.

lavaman (2016-03-17 13:27:45 -0500)

1 Answer

1

answered 2016-03-18 02:13:51 -0500

updated 2016-03-18 02:15:03 -0500

This isn't going to work for a few reasons, not all of which I will go into.

The main problem is, if you declare a password for the user 'askar', and then expect that user to manually change it as a result of the Exec you have declared, Puppet will change it back again on its next run to whatever you have in password => '$1$cs1j/t.D$4Q2Ocr0pulyNTUx/'.

You could perhaps have the user generate an encrypted password by following a procedure like this.

However, I think this is the wrong approach. I do not consider a user's password to be "configuration"; rather it is server "data", and since Puppet is a configuration management tool, a user's password does not belong in Puppet.

If you're not using or planning to use LDAP to manage your users, I would personally use Mcollective, or even an Ansible playbook, outside of Puppet, to set the initial passwords and run chage.


Comments

Setting path variable just before command under exec section did the work for me. path => '/usr/bin/',

queszama (2016-03-26 22:20:32 -0500)

Any pointers for mcollective to start with?

queszama (2016-03-28 05:21:12 -0500)

You should note carefully what I have said in my answer, because although path may have made the code appear to work, it still won't really work for all the reasons I mentioned, and other reasons I didn't mention. As for Mcollective, best thing is to play with it, ask questions if you're stuck.

Alex Harvey (2016-03-28 05:40:33 -0500)
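Whether a Puppet run actually changed anything on the node, which is what the first comment asks, can be read from the account's shadow(5) entry: `chage -d 0` sets the third field to 0, and the manifest's `password_min_age`, `password_max_age` and `expiry` land in fields four, five and eight. The Python check below is an added example, not code from the thread. The sample entries and their hash are constructed placeholders; on a real node the line would come from `getent shadow askar` run as root.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
# Hash-scheme prefixes found in the second shadow field (see crypt(5)).
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


def _num(field):
    """Empty numeric fields mean 'not set' in shadow(5)."""
    return int(field) if field else None


def parse_shadow_line(line):
    """Split one shadow(5) entry into the aging fields the manifest touches."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))
    expire = _num(f[7])  # days since 1970-01-01
    return {
        "user": f[0],
        "scheme": next((n for p, n in SCHEMES.items() if f[1].startswith(p)), "other"),
        "last_change": _num(f[2]),  # 0 = must change password at next login
        "min_age": _num(f[3]),
        "max_age": _num(f[4]),
        "account_expires": EPOCH + timedelta(days=expire) if expire is not None else None,
    }


def audit(entry):
    """Return findings relevant to the forced-change question."""
    findings = []
    if entry["last_change"] == 0:
        findings.append("change-forced-at-next-login")
    if entry["scheme"] == "md5crypt":
        findings.append("weak-hash-md5crypt")
    return findings


# Constructed sample entries: the first as left by `chage -d 0 askar`,
# the second after the user has picked a new password.
SAMPLE = [
    "askar:$1$CONSTRUCTED$placeholderhash:0:30:60:7::16882:",
    "askar:$1$CONSTRUCTED$placeholderhash:16878:30:60:7::16882:",
]

if __name__ == "__main__":
    for line in SAMPLE:
        e = parse_shadow_line(line)
        print(e["user"], e["last_change"], e["account_expires"], audit(e))
```

Running the check after two consecutive Puppet runs shows whether the forced-change flag is applied once or reapplied on every run.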


Stats

Asked: 2016-03-17 03:22:34 -0500

Seen: 396 times

Last updated: Mar 18 '16