[Freeipa-users] Password issues
Bret Wortman
bret.wortman at damascusgrp.com
Fri Mar 7 01:32:30 UTC 2014
In 26 years, I guarantee this will be someone else's problem.
Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman
> On Mar 6, 2014, at 8:25 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 03/06/2014 08:10 AM, Bret Wortman wrote:
>> Just found with some fresh Googling an email from Rob recommending setting the max to 5000. I'll try that.
>
> Just make sure it is not after 2038 because Kerberos uses 32 bit time that rolls over in Feb of 2038.
>
>>
>>
>>> On 03/06/2014 08:08 AM, Bret Wortman wrote:
>>> Is there a way to set a password to not expire? I thought I read somewhere that 0 did that, but apparently not.
>>>
>>>> On 03/06/2014 07:55 AM, Sumit Bose wrote:
>>>>> On Thu, Mar 06, 2014 at 07:39:15AM -0500, Bret Wortman wrote:
>>>>> Strange behavior now with our passwords (and we still haven't solved
>>>>> our problem with the "ipa" command, but at least with script, we
>>>>> have a workaround):
>>>>>
>>>>> I noticed yesterday morning that my password, which has the
>>>>> following policy, was going to expire in 3 days so I changed it.
>>>>>
>>>>> Max lifetime (days) : 0
>>>> I think the behaviour is expected with this maximal lifetime.
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Min lifetime (hours) : 0
>>>>> History size (number of passwords): 0
>>>>> Character classes: 2
>>>>> Min length: 8
>>>>> Max failures: 4
>>>>> Failure reset interval (seconds): 60
>>>>> Lockout duration (seconds): 60
>>>>>
>>>>> The IPA web UI immediately began reporting in red that "Your
>>>>> password expires in -1 days."
>>>>>
>>>>> This morning, I ran "kinit":
>>>>>
>>>>> $ kinit
>>>>> Password for bretw at DAMASCUSGRP.COM:
>>>>> Password expired. You must change it now.
>>>>> Enter new password:
>>>>> Enter it again:
>>>>> Warning: Your password will expire in less than one hour on Thu 06
>>>>> Mar 2014 06:45:48 AM EST
>>>>> $
>>>>>
>>>>> What's up? I'd like to solve this before it bites any of my users,
>>>>> though most have a policy that looks more like this:
>>>>>
>>>>> Max lifetime (days) : 180
>>>>> Min lifetime (hours) : 1
>>>>> History size (number of passwords): 0
>>>>> Character classes: 2
>>>>> Min length: 8
>>>>> Max failures: 6
>>>>> Failure reset interval (seconds): 60
>>>>> Lockout duration (seconds): 600
>>>>>
>>>>>
>>>>> --
>>>>> *Bret Wortman*
>>>>>
>>>>> http://damascusgrp.com/
>>>>> http://about.me/wortmanbret
>>>>
>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
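An added example, not part of the original thread: a Python check of a password policy's max lifetime against the signed 32-bit time limit raised in the reply above. The function names and the sample change date are constructed for illustration; treating 0 as immediate expiry reflects the behaviour reported in the thread, not documented FreeIPA semantics.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1
# Last instant a signed 32-bit Unix timestamp can represent.
ROLLOVER = EPOCH + timedelta(seconds=INT32_MAX)


def wrap_int32(seconds):
    """Reinterpret an epoch value as a signed 32-bit integer (what an overflow would store)."""
    return (seconds + 2**31) % 2**32 - 2**31


def check_max_lifetime(changed_at, max_life_days):
    """Return (status, expiry) for a password changed at `changed_at` (tz-aware UTC)."""
    if max_life_days <= 0:
        # Assumption from the thread: 0 did not mean "never expires";
        # the password was reported as expired right after the change.
        return ("expires-immediately", changed_at)
    expiry = changed_at + timedelta(days=max_life_days)
    if expiry > ROLLOVER:
        # Show the date a 32-bit field would hold after wrapping around.
        wrapped = wrap_int32(int((expiry - EPOCH).total_seconds()))
        return ("overflows-32bit", EPOCH + timedelta(seconds=wrapped))
    return ("ok", expiry)


def max_safe_days(changed_at):
    """Largest whole number of days that keeps the expiry at or before the rollover."""
    return (ROLLOVER - changed_at).days


if __name__ == "__main__":
    # Constructed sample: a password changed on the day of the thread.
    changed = datetime(2014, 3, 6, 12, 39, 15, tzinfo=timezone.utc)
    for days in (0, 180, 5000, 10000):
        status, when = check_max_lifetime(changed, days)
        print(f"max lifetime {days:>5} days -> {status:<20} {when:%Y-%m-%d %H:%M:%S} UTC")
    print("largest safe max lifetime:", max_safe_days(changed), "days")
```
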