[Freeipa-users] change min and max lifetime of random password

Stijn De Weirdt stijn.deweirdt at ugent.be
Mon Mar 24 19:44:05 UTC 2014


hi dmitri,

> The whole idea of the host passwords is to be added as a part of the
> provisioning workflow so it should be seconds anyways.
> We created a "smart proxy" for Foreman (provisioning system) to drive
> host creation. It just landed upstream (first version) last week.
> Any chance you can use or reuse some of the code from it in your
> provisioning workflows?
i'll have a closer look at the code, but the goal is the same.

>
> Also can you explain why the expiration time is needed? I can understand
> it being needed if the password is created ahead of time and then not
> used for a period of time but here it is really one flow. You can't
> predict how much it would be 2 sec or 10 seconds but is it really
> important to put a cap on it?
yes. we mark hosts for (re)installation and if this does not get 
completed within certain time, something must have gone wrong.
in the meanwhile, we want this security window closed (the OTP password 
would be in a kickstart file, which can't be protected that easily, 
because it still has to work as a kickstart file). 1 day max is way too 
much in this context.

>
> If this is desired the right feature would be to add couple attributes
> to the host entry: creation time and validity interval and set them when
> the password is created. But it is more than a quick fix. You are welcome
> to file an RFE and put all the details in the ticket.
ok, will do.


stijn