[chef] Re: Re: Managing passwords on multiple webapp/users creation


  • From: Lamont Granquist < >
  • To: < >
  • Subject: [chef] Re: Re: Managing passwords on multiple webapp/users creation
  • Date: Sat, 5 Jan 2013 10:46:50 -0800


I suspect he's talking about managing a corporate IT installation where the cost of training users how to use ssh keys is high. Even in a smallish enterprise of a couple thousand users, it's going to be easier to have password-based auth than to try to train the 90% of the userbase that is non-technical or semi-technical up in the use of ssh keys. If you've got a limited IT helpdesk staff that is already buckling under the ticket load, then you'll never manage to deploy ssh auth in a way that will make your department look remotely competent. With a lot of dev work you could probably set up a website that had client-side code that configured the user's machine and managed creating their ssh keys and putting a passphrase on them, and then walked them through how to use their passphrase to log in to the servers, but there's a chicken-and-egg problem of being able to dig out from under a mess and be able to take the time to write that kind of stuff, and a skills problem in that anyone who could do that will flee from corporate IT support...

On 1/5/13 2:46 AM, Steven De Coeyer wrote:
Hello Philippe

My reply probably isn't very helpful, as I don't see how you could securely store a password AND make it retrievable. Not unless you decrypt them with a master password or something.. 

BTW, SSH keys wouldn’t be of any help because there are too many persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn't have to integrate keys. You shouldn't have to create key pairs that go on the users' machines. The users should give you their public keys which you can put (1 time only) in for example a databag. A key is personal and comes from the user, not from the app.

Kind Regards,
Steven

On 4 Jan 2013, at 10:57, Philippe Bérard wrote:

Hello everyone,
 
I would like to know if anyone has already managed to deploy multiple users/webapps on servers via CHEF and, therefore, how they’ve managed password generation and storage.
 
I’ve actually written a recipe which creates users and deploys a webapp for each of them, by reading a databag. I’m generating the password during user’s creation and storing the password in the original databag. Of course, this method is completely insecure.
 
I’ve tried to use encrypted databags but this kind of databag can’t be written by a recipe, only read. BTW, SSH keys wouldn’t be of any help because there are too many persons who would have to integrate these keys on their machines.
 
Thanks in advance for any help.
 
Regards,
 
Philippe Bérard
IT Manager
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com
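
Steven's suggestion in the thread above, that users hand over their public keys to be stored once in a data bag, shown as an added example that is not part of the thread or of Chef itself: plain Ruby that checks each submitted line is a well-formed OpenSSH public key (no private key, no options prefix) before it is rendered into authorized_keys. The `ssh_keys` field name, the allowed key types and the sample key are assumptions constructed for illustration.

```ruby
require 'json'

# Key types accepted from users (assumed site policy, adjust as needed).
ALLOWED_TYPES = %w[ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256].freeze

# Returns nil for a well-formed OpenSSH public key line, else a reason string.
def key_problem(line)
  return 'private key material' if line.include?('PRIVATE KEY')
  type, blob, _comment = line.strip.split(' ', 3)
  # An options prefix (command="...", from="...") lands here and is refused.
  return "unsupported key type #{type.inspect}" unless ALLOWED_TYPES.include?(type)
  return 'missing key blob' if blob.nil?
  begin
    raw = blob.unpack1('m0') # strict base64, raises on any invalid character
  rescue ArgumentError
    return 'key blob is not valid base64'
  end
  # The blob begins with a 4-byte big-endian length, then the key type name.
  len = raw.unpack1('N')
  return 'blob does not match declared key type' unless len && raw[4, len] == type
  nil
end

# Takes the JSON of one user data bag item (hypothetical layout: "id" plus
# an "ssh_keys" array) and returns [authorized_keys text, rejected entries].
def render_authorized_keys(item_json)
  item = JSON.parse(item_json)
  errors = []
  good = Array(item['ssh_keys']).select do |key|
    problem = key_problem(key)
    errors << "#{item['id']}: #{problem}" if problem
    problem.nil?
  end
  [good.map { |key| key.strip + "\n" }.join, errors]
end

# Constructed sample: a syntactically valid ed25519 line with dummy key bytes.
def sample_pubkey(comment)
  type = 'ssh-ed25519'
  blob = [type.bytesize].pack('N') + type + [32].pack('N') + ("\x01" * 32)
  "#{type} #{[blob].pack('m0')} #{comment}"
end

if __FILE__ == $PROGRAM_NAME
  item = JSON.generate('id' => 'alice', 'ssh_keys' => [
    sample_pubkey('alice@laptop'), '-----BEGIN OPENSSH PRIVATE KEY-----'
  ])
  text, errors = render_authorized_keys(item)
  puts text, errors
end
```

Run against the data bag item before uploading it, so a pasted private key or a key line carrying a `command=` prefix never reaches a node.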