Puppet-Passwords as plain text in Windows agent output and in catalog file











I encrypted the password using hiera:

dsc_xADUser { 'FirstUser':
  dsc_ensure                        => 'present',
  dsc_domainname                    => 'ad.contoso.com',
  dsc_username                      => 'tfl',
  dsc_userprincipalname             => 'tfl@ad.contoso.com',
  dsc_password                      => {
    'user'     => 'tfl@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
  dsc_passwordneverexpires          => true,
  dsc_domainadministratorcredential => {
    'user'     => 'Administrator@ad.contoso.com',
    'password' => Sensitive(lookup('password')),
  },
}

but on the node, when running puppet agent -t -v, the password is shown as plain text in the agent output and in the catalog JSON file.

I also tried node_encrypt(lookup('password')); then I get the content of my encrypted password (which is good), but Windows complains that the password doesn't meet the password complexity requirements (bad, because it's trying to set all of the below as the password):

 'password' = '-----BEGIN PKCS7-----
MIIMyQYJKoZIhvcNAQcDoIIMujCCDLYCAQAxggKdMIICmQIBADCBgjB9MXsweQYD
VQQDDHJQdXBwZXQgRW50ZXJwcmlzZSBDQSBnZW5lcmF0ZWQgb24gbXlwdXBwZXQt
eGwwZGJ5a212Z2xrYnl2eS5ldS13ZXN0LTEub3Bzd29ya3MtY20uaW8gYXQgKzIw
MTgtMTEtMDIgMTQ6MDQ6MDAgKzAwMDACAQUwCwYJKoZIhvcNAQEBBIICABkJDfGb
4CdHUntrVR1E......

hiera config:

---
version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: "Eyaml hierarchy"
    lookup_key: eyaml_lookup_key # eyaml backend
    paths:
      - "nodes/%{trusted.certname}.yaml"
      - "windowspass.eyaml"
    options:
      pkcs7_private_key: "/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem"
      pkcs7_public_key: "/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem"

EDIT: just found this; it seems it's an open issue and related to Windows only.

UPDATE: I managed to configure Puppet not to cache the catalog file on the Windows client (by adding catalog_cache_terminus="" to the Puppet config file on Windows), so I'll use this as a "workaround"; it seems there is no way to remove passwords from the agent debug output.

  • The dsc_xADUser provider(s) may not fully support the Sensitive data type with regard to logging. You should probably open an issue for the module about this.
    – Matt Schuchard
    Nov 5 at 15:42

  • I have no credentials for their JIRA :)
    – xerks
    Nov 5 at 15:51

  • Is it a puppetlabs module? You can create an account in their JIRA for free to post it. If you have a Puppet Enterprise support account, you can open a ticket pointing at the issue to expedite it.
    – Matt Schuchard
    Nov 5 at 15:53

  • Yes, it's a puppetlabs module; I just created an issue, thanks: tickets.puppetlabs.com/browse/MODULES-8213
    – xerks
    Nov 5 at 16:12

Tags: puppet puppet-enterprise hiera

asked Nov 5 at 11:54 by xerks (7311)
edited Nov 9 at 17:05
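Added example, not code from the question, from the puppetlabs-dsc module or from Puppet itself: a small Ruby script that audits an agent's cached catalog JSON for the two failure modes described above, a secret that reached the catalog in plaintext and a node_encrypt PKCS7 blob that reached a password parameter as a literal string, and that redacts the secret from any text (catalog, puppet agent -t -v output, report) before it is pasted into a bug report such as MODULES-8213. It assumes the layout Puppet writes to client_data/catalog/<certname>.json: each resource carries a "parameters" hash and, for values wrapped in Sensitive() at compile time, a "sensitive_parameters" array naming the top-level parameters. Sensitive() only marks a value for redaction in logs and reports; the catalog itself carries the value unencrypted, which is why the cached catalog shows it. The sample catalog, the certname and the secret string are constructed here to mirror the dsc_xADUser resource in the question.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the question or of the puppetlabs-dsc module.
# Audits a Puppet catalog JSON for secrets that reached the agent in the clear
# and redacts them from any text before it is shared.
require 'json'

# Assumption: the cached catalog (client_data/catalog/<certname>.json) stores
# each resource with a "parameters" hash and a "sensitive_parameters" array
# that names the top-level parameters which were wrapped in Sensitive().
# Everything below is constructed sample data mirroring the question's
# dsc_xADUser resource; the secret and the certname are made up.
SECRET = 'Wint3r-Is-C0ming!'
SAMPLE_CATALOG = JSON.generate(
  'name'      => 'win-agent-01.ad.contoso.com',
  'resources' => [
    {
      'type'  => 'Dsc_xaduser',
      'title' => 'FirstUser',
      'parameters' => {
        'dsc_ensure'     => 'present',
        'dsc_domainname' => 'ad.contoso.com',
        'dsc_username'   => 'tfl',
        # Sensitive(lookup('password')) at compile time: plaintext in the
        # catalog, only marked for redaction in logs and reports.
        'dsc_password' => { 'user' => 'tfl@ad.contoso.com', 'password' => SECRET },
        # node_encrypt(lookup('password')) at compile time: the PKCS7 blob
        # itself becomes the value the DSC resource tries to set (truncated).
        'dsc_domainadministratorcredential' => {
          'user'     => 'Administrator@ad.contoso.com',
          'password' => "-----BEGIN PKCS7-----\nMIIMyQYJKoZIhvcNAQcDoIIM...\n-----END PKCS7-----"
        }
      },
      'sensitive_parameters' => ['dsc_password']
    },
    {
      'type' => 'File', 'title' => 'C:/temp/readme.txt',
      'parameters' => { 'ensure' => 'file', 'content' => 'nothing secret here' }
    }
  ]
)

PKCS7_HEADER = '-----BEGIN PKCS7-----'

# Yield [path, leaf] for every scalar nested under value, so credential hashes
# such as dsc_password => { 'user' => ..., 'password' => ... } are inspected.
def each_leaf(value, path = [], &blk)
  case value
  when Hash  then value.each { |k, v| each_leaf(v, path + [k.to_s], &blk) }
  when Array then value.each_with_index { |v, i| each_leaf(v, path + [i.to_s], &blk) }
  else yield path, value
  end
end

# One finding per parameter leaf that either contains the secret in plaintext
# or is a PKCS7 ciphertext blob being passed to the resource as a literal.
# marked_sensitive tells whether the top-level parameter was wrapped in
# Sensitive(); that marking does not keep the value out of the catalog.
def audit_catalog(catalog_json, secret)
  catalog = JSON.parse(catalog_json)
  findings = []
  catalog.fetch('resources', []).each do |res|
    sensitive = res.fetch('sensitive_parameters', [])
    each_leaf(res.fetch('parameters', {})) do |path, leaf|
      next unless leaf.is_a?(String)
      kind = if leaf.include?(secret) then :plaintext_secret
             elsif leaf.start_with?(PKCS7_HEADER) then :ciphertext_literal
             end
      next unless kind
      findings << {
        resource: "#{res['type']}[#{res['title']}]",
        path: path.join('.'),
        kind: kind,
        marked_sensitive: sensitive.include?(path.first)
      }
    end
  end
  findings
end

# Replace every occurrence of the secret in arbitrary text (catalog JSON,
# puppet agent -t -v output, last_run_report.yaml) before sharing it.
def redact(text, secret, marker = '[REDACTED]')
  text.gsub(secret, marker)
end

if $PROGRAM_NAME == __FILE__
  audit_catalog(SAMPLE_CATALOG, SECRET).each do |f|
    wrapped = f[:marked_sensitive] ? 'Sensitive()' : 'not Sensitive()'
    puts "#{f[:kind]}: #{f[:resource]} #{f[:path]} (#{wrapped})"
  end
  puts redact(SAMPLE_CATALOG, SECRET)
end
```

On a Windows agent the cached catalog sits under the client_datadir, by default C:\ProgramData\PuppetLabs\puppet\cache\client_data\catalog\<certname>.json (confirm with puppet config print client_datadir); point audit_catalog at that file to see exactly which parameters carried the password and whether they were marked Sensitive. Disabling catalog caching as in the UPDATE removes the file but does not touch the verbose agent output, so pass that output through redact before attaching it to a module issue.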











