[chef] Re: Re: Re: Managing passwords on multiple webapp/users creation


  • From:
  • To: , Lamont Granquist < >
  • Subject: [chef] Re: Re: Re: Managing passwords on multiple webapp/users creation
  • Date: Sun, 06 Jan 2013 15:00:44 +0100

Hello Lamont and thanks for trying to understand my need.

I would really like to know how people manage password creation, encryption and storage when it comes to deploying webapps and/or VMs for their clients...

Regards,
--

Philippe Bérard via Webmail


Quoting Lamont Granquist 
< >:


I suspect he's talking about managing a corporate IT installation where
the cost of training users how to use ssh keys is high. Even in a
smallish enterprise of a couple thousand users, it's going to be easier
to have password-based auth than to try to train the 90% of the
userbase that is non-technical or semi-technical up in the use of ssh
keys.  If you've got a limited IT helpdesk staff that is already
buckling under the ticket load, then you'll never manage to deploy ssh
auth in a way that will make your department look remotely competent.
With a lot of dev work you could probably set up a website that had
client-side code that configured the user's machine and managed creating
their ssh keys and putting a passphrase on them, and then walked them
through how to use their passphrase to log in to the servers, but
there's a chicken-and-egg problem of being able to dig out from under a
mess and be able to take the time to write that kind of stuff, and a
skills problem in that anyone who could do that will flee from
corporate IT support...

On 1/5/13 2:46 AM, Steven De Coeyer wrote:
Hello Philippe

My reply probably isn't very helpful, as I don't see how you could securely store a password AND make it retrievable. Not unless you decrypt them with a master password or something..

BTW, SSH keys wouldn't be of any help because there are too many persons who would have to integrate these keys on their machines.

Are you looking at this like you should? Users shouldn't have to integrate keys. You shouldn't have to create key pairs that go on the users' machines. The users should give you their public keys which you can put (1 time only) in for example a databag. A key is personal and comes from the user, not from the app.

Kind Regards,
Steven

On 4 Jan 2013, at 10:57, Philippe Bérard < <mailto: >> wrote:

Hello everyone,
I would like to know if anyone has already managed to deploy multiple users/webapps on servers via CHEF and, therefore, how they've managed password generation and storage.
I've actually written a recipe which creates users and deploys a webapp for each of them, by reading a databag. I'm generating the password during user creation and storing the password in the original databag. Of course, this method is completely insecure.
I've tried to use encrypted databags but this kind of databag can't be written by a recipe, only read. BTW, SSH keys wouldn't be of any help because there are too many persons who would have to integrate these keys on their machines.
Thanks in advance for any help.
Regards,
*Philippe Bérard*
IT Manager
Tel : +33 (0)1 39 23 31 17
Mob : +33 (0)6 01 27 87 86
Fax : +33 (0)1 39 55 47 56
58, Rue Pottier
78150 Le Chesnay
www.jalios.com <http://www.jalios.com>
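
Steven's reply describes users handing over their public keys, which are then stored once in a data bag. The following is an added example, not code from this thread or from Chef: a plain-Ruby check that every entry in a data-bag-style item really is an OpenSSH public key before it is rendered into `authorized_keys`. The `ssh_keys` field name, the allowed key types and the sample key are assumptions constructed for the illustration.

```ruby
require "base64"

# Key types accepted in an item (assumption: a policy chosen for this example).
ALLOWED_TYPES = %w[ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256].freeze

# Returns the key type if +line+ is a well-formed OpenSSH *public* key, else nil.
def public_key_type(line)
  type, blob, _comment = line.to_s.strip.split(/\s+/, 3)
  return nil unless ALLOWED_TYPES.include?(type) && blob
  raw = Base64.strict_decode64(blob)
  # The decoded blob starts with a 4-byte big-endian length and the type name;
  # it must agree with the type written in front of the base64 text.
  len = raw.unpack1("N")
  return nil unless len && raw.byteslice(4, len) == type
  type
rescue ArgumentError # raised by strict_decode64 on malformed base64
  nil
end

# Renders authorized_keys content from a data-bag-style hash and refuses the
# whole item if any entry is not a public key (e.g. a pasted private key).
def authorized_keys_for(item)
  keys = Array(item["ssh_keys"])
  bad = keys.reject { |k| public_key_type(k) }
  unless bad.empty?
    raise ArgumentError, "#{item['id']}: #{bad.size} entry(ies) are not public keys"
  end
  keys.map(&:strip).join("\n") + "\n"
end

# Constructed sample: a structurally valid ed25519 blob with an all-zero key.
def sample_ed25519_key(comment)
  blob = [11].pack("N") + "ssh-ed25519" + [32].pack("N") + ("\x00" * 32)
  "ssh-ed25519 #{Base64.strict_encode64(blob)} #{comment}"
end

# Stand-in for a data bag item (constructed; "ssh_keys" is a hypothetical field).
item = { "id" => "alice", "ssh_keys" => [sample_ed25519_key("alice@laptop")] }
puts authorized_keys_for(item)
```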
