-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
> Has anyone come up with a good solution for distributing a .pgpass file
> that doesn't expose it to anyone who has access to the distribution
> mechanism?
No, you cannot easily keep it in version control/puppet securely.
One way is to have an external script that does the jobs of
puppet, e.g. for $server in @list do cp pgpass $server/...
Alternatively, use gpg to encrypt the pgpass file, then put *that*
into version control and distribute it. Then have a script on the
server that decrypts it into place. Yes, you have to manually
distribute the encryption key to the servers, but it is a one-time
event, and you can push out changes to the pgpass file easily, and
automate the decrypt-on-the-server bit, including by puppet itself.
It's not clear what the exact threat model is here, but you could
also simply not use pgpass, and find some other means to authenticate.
- --
Greg Sabino Mullane greg@turnstep.com
End Point Corporation http://www.endpoint.com/
PGP Key: 0x14964AC8 201210011859
http://biglumber.com/x/web?pk=2529DF6AB8F79407E94445B4BC9B906714964AC8
-----BEGIN PGP SIGNATURE-----
iEYEAREDAAYFAlBqIOsACgkQvJuQZxSWSshUhgCgtRGVCRLs9F+KPu2RR+rmOVeq
7T8An1ZPdvlEkciRuLiioi2LbSJUTl2f
=GEi7
-----END PGP SIGNATURE-----