On 10/01/2012 12:19 PM, Darren Duncan wrote:
> You should never put your passwords (or private keys) in source control;
> it would be better to use the puppet/bcfg option.
That was kind of my point. Puppet / Bcfg2 have the same problem. About a
dozen people have access to our bcfg2 repo than I would want to know the
contents of .pgpass.
We have twenty machines. If I ever change that file, I have to change it
in 20 places. I'd love to put it in bcfg2, but that necessitates
allowing anyone with access to bcfg2 the ability to read it. No go.
You basically just reiterated my question back to me. ;) I'd like to
*stop* manually copying the files around, but can't because they're
completely plain text. It doesn't matter if it's source control, puppet,
bcfg2, cfengine, or anything else; unauthorized people can read them,
and I rather they didn't.
Encrypted passwords would be nice, but apparently this isn't an option.
--
Shaun Thomas
OptionsHouse | 141 W. Jackson Blvd. | Suite 500 | Chicago IL, 60604
312-444-8534
sthomas@optionshouse.com
______________________________________________
See http://www.peak6.com/email_disclaimer/ for terms and conditions related to this email