Puppet Enterprise-encrypt/hide password from agent output

asked 2018-11-05 05:57:44 -0600

dragan979

updated 2018-11-06 08:23:00 -0600

I encrypted the password using Hiera:

    dsc_xADUser { 'FirstUser':
      dsc_ensure                        => 'present',
      dsc_domainname                    => 'ad.contoso.com',
      dsc_username                      => 'tfl',
      dsc_userprincipalname             => 'tfl@ad.contoso.com',
      dsc_password                      => {
        'user'     => 'tfl@ad.contoso.com',
        'password' => Sensitive(lookup('password')),
      },
      dsc_passwordneverexpires          => true,
      dsc_domainadministratorcredential => {
        'user'     => 'Administrator@ad.contoso.com',
        'password' => Sensitive(lookup('password')),
      },
    }

But on the node, when running agent -t -v, the password is shown as plain text.

I also tried node_encrypt(lookup('password')) (https://forge.puppet.com/binford2k/node_encrypt), then getting the content of my encrypted password, and Windows complains that the password doesn't meet password complexity (because it's trying to set all of the below as the password):

 'password' = '-----BEGIN PKCS7-----
    MIIMyQYJKoZIhvcNAQcDoIIMujCCDLYCAQAxggKdMIICmQIBADCBgjB9MXsweQYD
    VQQDDHJQdXBwZXQgRW50ZXJwcmlzZSBDQSBnZW5lcmF0ZWQgb24gbXlwdXBwZXQt
    eGwwZGJ5a212Z2xrYnl2eS5ldS13ZXN0LTEub3Bzd29ya3MtY20uaW8gYXQgKzIw
    MTgtMTEtMDIgMTQ6MDQ6MDAgKzAwMDACAQUwCwYJKoZIhvcNAQEBBIICABkJDfGb
    4CdHUntrVR1E......

From documentation regarding Sensitive:

In future implementations, this info might be encrypted, removing access to the original data with this method, but it currently is not and therefore you should only use it as an aid for logs and reports.

I'm seeing the plain text password in the JSON manifest file and in the agent output.


1 Answer


answered 2018-11-06 07:33:51 -0600

DarylW

updated 2018-11-06 07:35:21 -0600

What version of Puppet are you using? Have you tried the built-in data type Sensitive?

From Puppet 4.6 you can obscure these secret values by wrapping them with the Sensitive type. This helps protect from unintentional exposure while still allowing their use in resources.

https://www.puppetcookbook.com/posts/...

https://puppet.com/docs/puppet/5.3/la...


Comments

Thanks for the response. I'm using Puppet Enterprise 2018.1.0.54, puppet version: 5.5.2. If you look closely at my code, I'm already using Sensitive, but still the catalog file as well as the agent debug output show the plain text password.

dragan979 (2018-11-06 08:17:54 -0600)
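
A check for the symptom reported in this thread, added here as an example (not code from the posts or from Puppet): it walks a catalog JSON document and lists password-like values stored as readable strings, noting whether the resource names that parameter in `sensitive_parameters`. The sample catalog, the key-name pattern and the function names are constructed for illustration, and the catalog layout (`resources`, `parameters`, `sensitive_parameters`) is an assumption about the file being checked.

```ruby
require 'json'

# Constructed sample in the shape of an agent's cached catalog JSON
# (assumed keys: resources, parameters, sensitive_parameters). Values are made up.
SAMPLE_CATALOG = <<~JSON
  {"resources": [
    {"type": "Dsc_xaduser", "title": "FirstUser",
     "parameters": {
       "dsc_username": "tfl",
       "dsc_password": {"user": "tfl@ad.contoso.com", "password": "Constructed-Passw0rd!"}}},
    {"type": "User", "title": "svc",
     "parameters": {"password": "Constructed-Passw0rd!"},
     "sensitive_parameters": ["password"]}
  ]}
JSON

# Hypothetical pattern for key names that usually hold secrets.
SECRET_KEY = /pass(word|wd)?|secret|token/i

# Yield [path, string] for every string leaf below a parameter value.
def each_string_leaf(value, path, &block)
  case value
  when Hash   then value.each { |k, v| each_string_leaf(v, path + [k], &block) }
  when Array  then value.each_with_index { |v, i| each_string_leaf(v, path + [i], &block) }
  when String then block.call(path, value)
  end
end

# List secret-looking strings readable in the catalog, without echoing them,
# and whether their top-level parameter is named in sensitive_parameters.
def audit_catalog(json_text)
  JSON.parse(json_text).fetch('resources', []).flat_map do |res|
    marked = res.fetch('sensitive_parameters', [])
    findings = []
    res.fetch('parameters', {}).each do |name, value|
      each_string_leaf(value, [name]) do |path, _secret|
        key = path.reverse.find { |p| p.is_a?(String) }
        next unless key =~ SECRET_KEY
        findings << { resource: "#{res['type']}[#{res['title']}]",
                      path: path.join('.'),
                      marked_sensitive: marked.include?(name) }
      end
    end
    findings
  end
end

audit_catalog(SAMPLE_CATALOG).each { |f| puts f.inspect }
```

Findings report only the resource and parameter path, so the output of the check can be shared without repeating the secret.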
