One of the most common system administration tasks is setting up user accounts. We'll see how Puppet can help with this in a moment, but first a word about the kind of user configuration we should be aiming for.
Organizations with good security and access control practices tend to use some or all of the following policies:
Everyone who needs access to a machine has her own user account with an SSH key (not a password)
Access to special-purpose accounts, such as those used to deploy and run applications, or a database, is controlled by authorizing specific SSH keys, rather than using passwords
Accounts that need certain, specific superuser privileges can get them via the sudo mechanism
The root account is not accessible via the network (but there is secure, out-of-band access to the system console)
Third parties, such as contractors and support staff, get temporary access with limited privileges, which can be revoked once a job is finished
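As an added illustration (not code from the original text), here is one way the policies listed above could be expressed as a Puppet manifest. The user names, key material, sudo command, expiry date, service name and sshd drop-in path are assumptions; `ssh_authorized_key` is assumed to be available (it is core in older Puppet releases and provided by the `sshkeys_core` module in newer ones).

```puppet
# Added example: names, keys, the sudo command and the date are constructed placeholders.

# Personal account: SSH key only, no usable password.
user { 'alice':
  ensure         => present,
  managehome     => true,
  password       => '*',      # no valid hash, so password login cannot succeed
  purge_ssh_keys => true,     # drop any key not declared in Puppet
}
ssh_authorized_key { 'alice@workstation':
  ensure => present,
  user   => 'alice',
  type   => 'ssh-ed25519',
  key    => 'AAAA_PLACEHOLDER_PUBLIC_KEY',
}

# Special-purpose account: reachable only through explicitly authorized keys.
user { 'deploy':
  ensure         => present,
  managehome     => true,
  password       => '*',
  purge_ssh_keys => true,
}
ssh_authorized_key { 'alice@workstation-deploy':
  ensure => present,
  user   => 'deploy',
  type   => 'ssh-ed25519',
  key    => 'AAAA_PLACEHOLDER_PUBLIC_KEY',
}

# One specific superuser privilege via sudo; visudo rejects a broken file.
file { '/etc/sudoers.d/deploy-restart':
  owner        => 'root', group => 'root', mode => '0440',
  content      => "deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart myapp\n",
  validate_cmd => '/usr/sbin/visudo -cf %',
}

# No root or password logins over the network.
# Assumes sshd_config includes /etc/ssh/sshd_config.d/*.conf and a service named 'ssh'.
file { '/etc/ssh/sshd_config.d/10-access-policy.conf':
  owner   => 'root', group => 'root', mode => '0600',
  content => "PermitRootLogin no\nPasswordAuthentication no\n",
  notify  => Service['ssh'],
}
service { 'ssh': ensure => running, enable => true }

# Third party: account expires on its own; set ensure => absent to revoke early.
user { 'contractor1': ensure => present, expiry => '2030-01-31' }
```

Because sshd uses the first value it finds for each keyword, confirm the effective settings on a node with `sshd -T` after the run.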
Setting up policies like...