... | ... | @@ -502,14 +502,19 @@ because code is stored in git, but also, ultimately, we want to |
|
|
publish that source code publicly.
|
|
|
|
|
|
We have two mechanisms on how to do this now: a HKDF to generate
|
|
|
passwords by hashing a common secret, and Trocla, which is currently
|
|
|
[in testing][].
|
|
|
passwords by hashing a common secret, and Trocla, which generates
|
|
|
random passwords and stores the hash or, if necessary, the cleartext
|
|
|
in a YAML file.. The HKDF function is deprecated and should be
|
|
|
[replaced by Trocla][trocla-migration] eventually.
|
|
|
|
|
|
[in testing]: https://bugs.torproject.org/30009
|
|
|
[trocla-migration]: https://bugs.torproject.org/30009
|
|
|
|
|
|
### hkdf
|
|
|
|
|
|
Most passwords in Puppet are managed through a [Key Derivation
|
|
|
NOTE: this procedure is DEPRECATED and Trocla should be used instead,
|
|
|
see the [trocla migration ticket][trocla-migration] for details.
|
|
|
|
|
|
Old passwords in Puppet are managed through a [Key Derivation
|
|
|
Function][] (KDF), more specifically a [hash-based KDF][] that takes a
|
|
|
secret stored on the Puppet master (in `/etc/puppet/secret`)
|
|
|
concatenates this with a unique token picked by the caller, and
|
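Review bot: the `[in testing]: https://bugs.torproject.org/30009` reference definition kept near the end of this hunk is now a duplicate of the new `[trocla-migration]` definition (same URL), and the `[in testing][]` link that used it in the intro paragraph appears to be replaced by this same hunk, so the old definition should be dropped unless another part of the page still references it. Two smaller points in the new text: `in a YAML file..` has a doubled period, and since the paragraph opens by saying the code in git is ultimately meant to be published publicly while the new sentence says Trocla stores `if necessary, the cleartext` in a YAML file, the doc should say where that YAML store lives (outside the published tree, with the permissions expected of a file that can hold cleartext passwords) and when cleartext rather than hash storage is actually needed. Lastly, the new NOTE under `### hkdf` marks the procedure DEPRECATED but the hunk keeps the description of the secret in `/etc/puppet/secret` without saying whether that secret is to be retired once the migration in ticket 30009 is done; one sentence on that would save the next editor a question.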
... | ... | @@ -583,7 +588,6 @@ general, it's safe to use `trocla create` as it will reuse existing |
|
|
password. It's actually how the `trocla()` function behaves in Puppet
|
|
|
as well.
|
|
|
|
|
|
|
|
|
## Getting facts from other hosts
|
|
|
|
|
|
TODO: expand.
|
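Review bot: this hunk only drops one blank line between the `trocla create` paragraph and the `## Getting facts from other hosts` heading, which is a harmless whitespace fix; if the paragraph is touched anyway, the context line `it will reuse existing password` should read `an existing password`, and the `TODO: expand.` section under the heading is still empty after this change.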
... | ... | |