The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Feature #219

user type could be used to lock account

Added by Redmine Admin over 9 years ago. Updated over 2 years ago.

Status: Rejected
Priority: Low
Assignee: -
% Done: 0%
Category: user
Target version: -
Affected Puppet version:
Branch:
Keywords: communitypatch
Start date:
Due date:


Description

User type could easily add locking capability by using:

ensure => locked

This will password-lock the account and is a synonym for present+lock. This kind of user could only log in with an SSH key or other non-password means, and be sure that it is enforced that way.

This is enforced by

passwd -l login (on Debian at least)
pw user mod -h - -n login (on FreeBSD)

regards, Ghislain.

locking.patch (3.62 KB) James Turnbull, 02/29/2008 04:26 am


Related issues

Related to Puppet - Feature #3046: Support for changing of password aging and expiration val... Closed 01/14/2010

History

#1 Updated by AJ Christensen about 8 years ago

apparently I’ve overlooked some of the code to make this work – the ‘insync’ feature – needs to be able to detect what a locked or unlocked account looks like which will require some magical regex. Just updating this so I remember when I look at this again..

#2 Updated by AJ Christensen about 8 years ago

  • Status changed from 1 to 2

Have started working on this ticket, see http://git.junglist.gen.nz/?p=puppet.upstream;a=commitdiff;h=14260b8769a45838492ef9a08ebcf2182d4570bd

#3 Updated by micah - about 8 years ago

I was suggesting this… however now that I think about it more, different systems may not respect this. I don't even know if it's a standard or not, so it might make more sense for the locking feature to exist and it does the right thing depending on the system's requirements for locking an account.

#4 Updated by Luke Kanies about 8 years ago

Sounds like the code isn’t quite there, and I’m in a hurry to get 0.24.3 out. When you’ve got the code working, let me know and we can add the ticket to the next release.

#5 Updated by Mark Plaksin about 8 years ago

Maybe you don’t need a magic regex if you use ‘passwd -s user’ to check whether an account is locked?

On Red Hat it looks like this:
# passwd -S happy
happy PS 2007-09-30 0 99999 7 -1 (Password set, MD5 crypt.)
# passwd -S bin
bin LK 2007-09-27 0 99999 7 -1 (Alternate authentication scheme in use.)

On Debian:
# passwd -S happy
happy P 02/19/2007 0 99999 7 -1
# passwd -S bin
bin L 02/03/2006 0 99999 7 -1

On HP-UX:
# passwd -s happy
happy  PS    09/04/07    0  0
# passwd -s bin
bin  LK

Solaris:
# passwd -s happy
happy     PS
# passwd -s bin
bin       LK
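Added example, not code from this ticket or from Puppet's user provider: a small Ruby parser that turns the `passwd -S` / `passwd -s` lines quoted above into a locked / not-locked verdict, which is the check an insync?-style comparison in a provider would need. The status-code table covers the codes that appear in the four outputs above; the "NP"/"N" (no password) codes are an assumption taken from shadow-utils and Solaris behaviour and do not appear in the ticket.

```ruby
# Added example, not code from this ticket or from Puppet's user provider:
# classify `passwd -S` / `passwd -s` output lines as locked or not, for the
# Red Hat, Debian, HP-UX and Solaris output styles quoted in the ticket.

# Second-column status codes. "PS"/"LK" are what Red Hat, HP-UX and Solaris
# print; Debian's passwd in the ticket prints single letters "P"/"L".
# "NP"/"N" (no password set) is assumed from shadow-utils and Solaris
# documentation and does not appear in the ticket.
PASSWD_STATUS = {
  'PS' => :password_set, 'P' => :password_set,
  'LK' => :locked,       'L' => :locked,
  'NP' => :no_password,  'N' => :no_password
}.freeze

# Parse one `passwd -S <login>` line into [login, status]; status is one of
# the symbols above or :unknown. Returns nil if the line has fewer than two
# columns, so callers never mistake a malformed line for a locked account.
def parse_passwd_status(line)
  fields = line.strip.split(/\s+/)
  return nil if fields.length < 2
  [fields[0], PASSWD_STATUS.fetch(fields[1], :unknown)]
end

# Parse a multi-line report into an array of [login, status] pairs,
# skipping blank or malformed lines.
def parse_passwd_report(text)
  text.each_line.map { |line| parse_passwd_status(line) }.compact
end

# The predicate an insync?-style comparison would call: is the account locked?
def locked?(line)
  parsed = parse_passwd_status(line)
  !parsed.nil? && parsed[1] == :locked
end

# Constructed sample: the Red Hat, Debian, HP-UX and Solaris lines from the
# ticket, one per line.
SAMPLE_OUTPUT = <<~OUT
  happy PS 2007-09-30 0 99999 7 -1 (Password set, MD5 crypt.)
  bin LK 2007-09-27 0 99999 7 -1 (Alternate authentication scheme in use.)
  happy P 02/19/2007 0 99999 7 -1
  bin L 02/03/2006 0 99999 7 -1
  happy  PS    09/04/07    0  0
  bin  LK
  happy     PS
  bin       LK
OUT

if __FILE__ == $PROGRAM_NAME
  parse_passwd_report(SAMPLE_OUTPUT).each do |login, status|
    puts format('%-8s %s', login, status)
  end
end
```

Only the first two columns are consulted, because the remaining columns (dates, aging values, the parenthesised note) differ between the four systems and Solaris omits them entirely; anything outside the known codes is reported as :unknown rather than silently treated as unlocked.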

#6 Updated by AJ Christensen about 8 years ago

Are you suggesting that instead of having a locking feature for the user type, we simply suggest that the user use the password => field to set ‘*’ or ‘+’? also ‘!’ = locked too I think (root comes like this in Ubuntu)

#7 Updated by micah - about 8 years ago

You can do this already by simply setting the password to ‘*’ (allows for ssh-key logins, but no passwords) or ‘+’ (locked account). These formats might be different on different OSes, but it works this way in Debian now.

#8 Updated by AJ Christensen about 8 years ago

Putting this on the backburner till 0.24.2 is out.

#9 Updated by Paul Lathrop about 8 years ago

Closed #1106 as a duplicate

#10 Updated by Luke Kanies about 9 years ago

This should now be pretty straightforward with Provider Features.

#11 Updated by Redmine Admin almost 8 years ago

  • Status changed from 2 to Accepted

#12 Updated by James Turnbull over 6 years ago

  • Assignee deleted (AJ Christensen)
  • Affected Puppet version set to 0.25.4rc1

#13 Updated by Matt Robinson over 5 years ago

  • Status changed from Accepted to In Topic Branch Pending Review
  • Affected Puppet version deleted (0.25.4rc1)
  • Keywords set to communitypatch

This may already be solved or not needed anymore. For now I’m just marking tickets with patches that need review, and will make another pass to decide if the tickets are still relevant.

#14 Updated by Nigel Kersten over 5 years ago

  • Status changed from In Topic Branch Pending Review to Rejected

In the absence of any evidence of systems where you can’t lock an account by setting the password hash to a special character, I’m closing this. (I’ve used this functionality on a lot of *nixes)

As per the below thread, we’re more aggressively closing tickets whose state is unsure. You are free to reopen them.

http://groups.google.com/group/puppet-users/browse_thread/thread/a040cb9bc5c5b647

#15 Updated by James Turnbull about 5 years ago

  • Target version deleted (4)

#16 Updated by Matthew Buckett over 2 years ago

Nigel Kersten wrote:

In the absence of any evidence of systems where you can’t lock an account by setting the password hash to a special character, I’m closing this. (I’ve used this functionality on a lot of *nixes)

But doesn’t locking the account (eg using passwd -l on linux) have the advantage that you can unlock the account again and you don’t have to know the password?
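Added example, not code from this ticket or from Puppet: a Ruby model of the distinction raised in comments #6, #7 and #16, that on Linux shadow-utils `passwd -l` prepends "!" to the existing hash (and `passwd -u` strips it), so the lock is reversible without knowing the password, whereas overwriting the hash with "*" or "!" via password => also blocks password login but throws the hash away. The sample shadow lines and hash strings are constructed placeholders; the "+" form mentioned in comment #7 is not modelled.

```ruby
# Added example, not code from this ticket or from Puppet: model how a Linux
# shadow password field records a lock and why a "!"-prefix lock is reversible.
#
# shadow-utils `passwd -l` prepends "!" to the existing hash and `passwd -u`
# removes it, so the original hash survives and no password needs to be known
# to unlock. Writing "*" (or "!") in place of the hash also blocks password
# login but discards the hash, so the account can only be "unlocked" by
# setting a new password.

# Leading characters that make a shadow field unusable for password login.
LOCK_MARKERS = ['!', '*'].freeze

# Classify the password field (second colon-separated field of /etc/shadow).
# Returns :no_password (empty field), :locked or :password_set.
def shadow_field_status(field)
  return :no_password if field.nil? || field.empty?
  return :locked if LOCK_MARKERS.include?(field[0])
  :password_set
end

# Lock the way `passwd -l` does: prefix "!" once, leaving the hash intact.
def lock_hash(field)
  field.start_with?('!') ? field : "!#{field}"
end

# Unlock the way `passwd -u` does: strip leading "!" characters. Returns nil
# when no usable hash remains (the field was "!!", "*" or empty); that is the
# case where the original password is gone and a new one must be set.
def unlock_hash(field)
  restored = field.sub(/\A!+/, '')
  return nil if restored.empty? || LOCK_MARKERS.include?(restored[0])
  restored
end

# Parse one shadow line into [login, field, status].
def parse_shadow_line(line)
  login, field = line.chomp.split(':', 3)
  [login, field, shadow_field_status(field)]
end

# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = [
  'alice:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:17000:0:99999:7:::',
  'bob:!$6$SALTPLACEHOLDER$HASHPLACEHOLDER:17000:0:99999:7:::',
  'svc:*:17000:0:99999:7:::',
  'carol::17000:0:99999:7:::'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_SHADOW.each do |line|
    login, field, status = parse_shadow_line(line)
    recovered = status == :locked ? unlock_hash(field) : nil
    puts format('%-6s %-13s unlock-> %s', login, status,
                recovered ? 'original hash restored' : 'needs new password')
  end
end
```

Whether a "!" lock also blocks key-based SSH login depends on the sshd build and its UsePAM setting: sshd's own locked-account check, which treats a "!"-prefixed field as fully locked, is only applied when PAM is not in use, which is why comment #7 can observe key logins still working with a disabled hash on Debian.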
