User management with hashman and encrypted homes - ghomem/legacy_puppet_infrastructure GitHub Wiki
1.Centrally provision the user
a) If the user does not exist yet, create the user at the puppet master once the machine is defined as a Puppet node, and take note of the random password assigned to the user:
MYUSER=asolido
sudo /opt/puppet-infrastructure/bin/pp_auth.sh useradd $MYUSER [email protected] "Test User" AS SILENT
sudo /opt/puppet-infrastructure/bin/pp_auth.sh unlock $MYUSER 'Initial user creation'
sudo /opt/puppet-infrastructure/bin/pp_auth.sh unexpire $MYUSER
b) If the user already exists at the puppet master, delete the corresponding ecryptfs parameters and then reset the password, taking note of the random password assigned to the user:
MYUSER=asolido
sudo /opt/puppet-infrastructure/bin/pp_auth.sh unsetecryptfs $MYUSER
sudo /opt/puppet-infrastructure/bin/pp_auth.sh reset $MYUSER
sudo /opt/puppet-infrastructure/bin/pp_auth.sh unexpire $MYUSER
2.Create the same user at the Puppet node with encrypted home directory - usually a laptop or a desktop - choosing as password the random temporary password mentioned above:
MYUSER=asolido
sudo adduser --encrypt-home $MYUSER
3.Continue the configuration at the Puppet node by reading the ecryptfs parameters and converting them to base64 (one line each, so they can be passed as command arguments in the next step):
sudo base64 -w 0 /home/.ecryptfs/$MYUSER/.ecryptfs/Private.sig; echo
sudo base64 -w 0 /home/.ecryptfs/$MYUSER/.ecryptfs/wrapped-passphrase; echo
4.At the Puppet master set the base64 converted ecryptfs parameters:
# NOTE: replace below:
# PPSIGS with the output of the first command above
# PPWRAPPED with the output of the second command above
sudo /opt/puppet-infrastructure/bin/pp_auth.sh setecryptfs $MYUSER PPSIGS PPWRAPPED
5.From this point on, a password change can be triggered at the puppet master by means of the reset command, passing the temporary password (a reset without the previous password leaves the encrypted home undecryptable; see the Troubleshooting section):
sudo /opt/puppet-infrastructure/bin/pp_auth.sh reset $MYUSER TEMPPASS
and letting the user perform the change at the web interface, once the corresponding email is received.
6.Once this is done, the declaration of the user can be added to the node declaration at the corresponding manifest (e.g. dell-prt30.pp or latitude01.pp). The declaration can be obtained with the following command:
sudo /opt/puppet-infrastructure/bin/pp_auth.sh printinfo $MYUSER
The resource type to use will be either user_desktop or user_sudoer_desktop.
7.Now we only need to execute the puppet agent at the node. It can be done from the puppet master by means of:
sudo mco shell run '/opt/puppetlabs/bin/puppet agent --test' -I 'NODENAME'
After this command the user should be able to login at the desktop with the password defined at the Hashman Web Interface.
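Steps 2 to 4 are the part of the procedure where a typo costs the most: the base64 strings have to be copied between two machines and, if the master receives an empty or mangled value, the user's home cannot be mounted at the next login. The script below is an added example and not code from legacy_puppet_infrastructure; it is run as root on the Puppet node after adduser --encrypt-home, validates the two ecryptfs files and prints the setecryptfs line of step 4 ready to paste on the puppet master. ECRYPTFS_ROOT and PP_AUTH are overrides assumed by this example only, so the functions can be exercised against a scratch directory; the pp_auth.sh interface is the one shown on this page.

```shell
#!/bin/bash
# Added example, not code from legacy_puppet_infrastructure: run as root on
# the Puppet node after step 2 (adduser --encrypt-home). It reads the two
# ecryptfs files of step 3, checks they look sane, and prints the exact
# "pp_auth.sh setecryptfs" line of step 4 to paste on the puppet master.
# ECRYPTFS_ROOT and PP_AUTH are overrides assumed by this example only, so
# the functions can be exercised against a scratch directory.

ECRYPTFS_ROOT="${ECRYPTFS_ROOT:-/home/.ecryptfs}"
PP_AUTH="${PP_AUTH:-/opt/puppet-infrastructure/bin/pp_auth.sh}"

# b64_file FILE: binary-safe, single-line base64 (what the master expects).
b64_file() {
    base64 -w 0 "$1"
}

# check_sig FILE: succeed only if FILE holds one or two ecryptfs key
# signatures (16 hex characters each, one per line) and nothing else.
check_sig() {
    local n=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        [ "${#line}" -eq 16 ] || return 1
        case "$line" in *[!0-9a-fA-F]*) return 1 ;; esac
        n=$((n + 1))
    done < "$1"
    [ "$n" -ge 1 ] && [ "$n" -le 2 ]
}

# ecryptfs_params USER: print "<Private.sig base64> <wrapped-passphrase base64>",
# failing loudly instead of sending empty or malformed values to the master.
ecryptfs_params() {
    local user="$1" dir sig wrapped
    [ -n "$user" ] || { echo "ecryptfs_params: empty user name" >&2; return 1; }
    dir="$ECRYPTFS_ROOT/$user/.ecryptfs"
    sig="$dir/Private.sig"
    wrapped="$dir/wrapped-passphrase"
    [ -f "$sig" ] && [ -f "$wrapped" ] ||
        { echo "ecryptfs_params: no ecryptfs parameters for '$user' in $dir" >&2; return 1; }
    check_sig "$sig" ||
        { echo "ecryptfs_params: $sig is not an ecryptfs signature file" >&2; return 1; }
    # wrapped-passphrase is binary; base64 -w 0 keeps it on one line.
    [ -s "$wrapped" ] ||
        { echo "ecryptfs_params: $wrapped is empty" >&2; return 1; }
    printf '%s %s\n' "$(b64_file "$sig")" "$(b64_file "$wrapped")"
}

# setecryptfs_cmd USER: the step-4 command line for the puppet master.
setecryptfs_cmd() {
    local user="$1" params sigs wrapped
    params=$(ecryptfs_params "$user") || return 1
    sigs=${params%% *}
    wrapped=${params#* }
    printf 'sudo %s setecryptfs %s %s %s\n' "$PP_AUTH" "$user" "$sigs" "$wrapped"
}

# Usage on the node: sudo ./ecryptfs_params.sh asolido
if [ -n "${1:-}" ]; then
    setecryptfs_cmd "$1"
fi
```

The signature check is deliberately strict: Private.sig holds the 16-hex-character signatures of the mount passphrase and of the filename encryption key, and anything else in that file means the wrong file is being read. wrapped-passphrase is opaque binary, so the only check applied is that it is not empty; the base64 output is verified by decoding it back on the master if in doubt.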
Troubleshooting
To remove any leftovers of the user's presence on the laptop, in case the process needs to be repeated, execute these commands on the laptop in question. Make sure MYUSER is set and non-empty before running them: with an empty MYUSER the rm commands would run against /home itself.
MYUSER=asolido
sudo puppet agent --disable # remember to re-enable after you manage the user with hashman
sudo killall -u $MYUSER >& /dev/null
sudo umount /home/$MYUSER >& /dev/null # unmount the encrypted home before deleting anything
sudo deluser --remove-home $MYUSER >& /dev/null
sudo rm -r /home/$MYUSER >& /dev/null
sudo rm -rf /home/.ecryptfs/$MYUSER >& /dev/null # this is a directory, so -r is needed
After that, you should be able to repeat any of the steps above to manage the user with hashman. Once you are done, re-enable the puppet agent with:
sudo puppet agent --enable
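The cleanup above is a sequence of destructive commands run as root, so it is worth wrapping with two guards. The script below is an added example, not code from legacy_puppet_infrastructure: it validates the account name before anything is removed (with MYUSER empty the original rm line becomes rm -r /home/, and a name such as root or ../etc must never reach deluser or rm), and it unmounts the encrypted home before deleting files. DRY_RUN and HOME_ROOT are assumptions of this example: DRY_RUN=1 prints the commands instead of running them, and HOME_ROOT normally points at /home.

```shell
#!/bin/bash
# Added example, not code from legacy_puppet_infrastructure: the cleanup
# commands of the Troubleshooting section with guards. DRY_RUN and
# HOME_ROOT are assumptions of this example (DRY_RUN=1 only prints the
# commands; HOME_ROOT lets the logic be tested against a scratch tree).

DRY_RUN="${DRY_RUN:-0}"
HOME_ROOT="${HOME_ROOT:-/home}"

# run CMD ARGS...: execute, or under DRY_RUN=1 only print the command line.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_user NAME: succeed only for a plain lowercase account name, never
# empty, never root, and never anything that could add a path component.
valid_user() {
    case "$1" in
        ''|root|.|..|-*|*/*|*[!a-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# cleanup_user NAME: remove every trace of NAME's encrypted home so the
# provisioning steps can be repeated. Run as root on the laptop.
cleanup_user() {
    local user="$1" home
    valid_user "$user" || { echo "cleanup_user: refusing to clean up '$user'" >&2; return 1; }
    home="$HOME_ROOT/$user"
    run puppet agent --disable "removing $user for re-provisioning"  # re-enable afterwards
    run killall -u "$user" || true          # the user must not hold the mount open
    run umount "$home" || true              # unmount the ecryptfs view before deleting
    run deluser --remove-home "$user" || true
    run rm -rf "$home" "$HOME_ROOT/.ecryptfs/$user"   # the .ecryptfs entry is a directory
}

# Usage on the laptop: sudo DRY_RUN=1 ./cleanup_user.sh asolido  (review, then run without DRY_RUN)
if [ -n "${1:-}" ]; then
    cleanup_user "$1"
fi
```

Running it once with DRY_RUN=1 shows the exact command lines, with the account name already substituted, before anything is deleted.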
Setting an SSH public key is something we usually need for technical/devops users:
sudo /opt/puppet-infrastructure/bin/pp_auth.sh setpubkey USER PUBKEY
NOTE: PUBKEY is the "central" part of the ssh public key (the base64 blob), without the leading key type such as ssh-rsa or the trailing user@hostname comment.
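The blob is easy to get wrong when copied by hand (a wrapped line, a missing tail, or the body of a different key than the type it was pasted with), and once stored it is pushed by Puppet to every desktop that declares the user. The following added example, not code from legacy_puppet_infrastructure, extracts the middle field from a .pub line and checks that it is valid base64 whose decoded form starts, in SSH wire format, with a length-prefixed string equal to the declared key type. The sample key is constructed for the example and is not a usable key; pubkey_body and pubkey_check are names chosen here, not pp_auth.sh commands.

```shell
#!/bin/bash
# Added example, not code from legacy_puppet_infrastructure: extract and
# sanity-check the "central" part of an OpenSSH public key line before
# passing it to pp_auth.sh setpubkey. sample_key is constructed here.

# sample_key: one authorized_keys-style line built from a hand-made blob:
# uint32(7) "ssh-rsa" uint32(3) e=65537 uint32(5) five bytes standing in for n.
sample_key() {
    printf 'ssh-rsa %s asolido@latitude01\n' \
        "$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\005\001\002\003\004\005' | base64 -w 0)"
}

# pubkey_body LINE: print field 2 (the base64 blob), i.e. the line without
# the "ssh-rsa" prefix and the "user@hostname" comment.
pubkey_body() {
    set -- $1
    printf '%s\n' "$2"
}

# pubkey_check LINE: succeed only if the blob is valid base64 and, in SSH
# wire format, starts with a length-prefixed string equal to the declared
# key type. This catches a pasted fragment, a wrapped line, or a type/blob
# mix-up before the key is pushed to every desktop via Puppet.
pubkey_check() {
    local type body raw hdr decoded_type
    set -- $1
    type=$1
    body=$2
    [ -n "$type" ] && [ -n "$body" ] || return 1
    raw=$(mktemp)
    printf '%s' "$body" | base64 -d > "$raw" 2>/dev/null || { rm -f "$raw"; return 1; }
    # first 4 bytes: big-endian length of the type name
    hdr=$(od -An -tx1 -N4 "$raw" | tr -d ' \n')
    # following bytes: the type name itself
    decoded_type=$(tail -c +5 "$raw" | head -c "${#type}")
    rm -f "$raw"
    [ "$hdr" = "$(printf '%08x' "${#type}")" ] && [ "$decoded_type" = "$type" ]
}

# Usage: key=$(cat ~/.ssh/id_rsa.pub); pubkey_check "$key" && pubkey_body "$key"
```

The check looks only at the header of the blob, which is enough to reject the common copy-and-paste accidents; it does not validate the key material itself, and ssh-keygen -l -f on the original file remains the way to confirm the fingerprint with the user.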
The password of a user with an encrypted home can only be reset if the previous password is known. The login password wraps the ecryptfs mount passphrase stored in wrapped-passphrase, and on a password change the passphrase has to be rewrapped with the new password, which is only possible with the old one at hand. That makes it impossible for a sysadmin to reset such a password independently.
A password reset done via the hashman CLI without passing the previous password as an argument changes the login password without rewrapping the passphrase, so the desktop login can no longer decrypt the user's home. In that case the user has to be deleted and the initial provisioning redone, and all the data in the home directory is lost.
To perform a password change we need to use the reset command passing the previous password as an argument:
sudo /opt/puppet-infrastructure/bin/pp_auth.sh reset USER PREVIOUSPASSWORD
and letting the user perform the password change at the Hashman Web Interface, once the reset password email is received. After that is done the puppet agent must be executed at the user's desktop machine, from the puppet master:
sudo mco shell run '/opt/puppetlabs/bin/puppet agent --test' -I 'NODENAME'
Once this is done, the user, while still logged in, should test the password with:
su - USERNAME
If the user is sudoer the following command should also be tested:
sudo whoami
Now the desktop machine should be rebooted and the user should be able to login.