[Freeipa-users] change min and max lifetime of random password

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 24 19:53:26 UTC 2014


On Mon, 24 Mar 2014, Stijn De Weirdt wrote:
>Hi Dmitri,
>
>>The whole idea of the host passwords is to be added as a part of the
>>provisioning workflow so it should be seconds anyways.
>>We created a "smart proxy" for Foreman (provisioning system) to drive
>>host creation. It just landed upstream (first version) last week.
>>Any chance you can use or reuse some of the code from it in your
>>provisioning workflows?
>I'll have a closer look at the code, but the goal is the same.
>
>>
>>Also can you explain why the expiration time is needed? I can understand
>>it being needed if the password is created ahead of time and then not
>>used for a period of time but here it is really one flow. You can't
>>predict how much it would be 2 sec or 10 seconds but is it really
>>important to put a cap on it?
>Yes. We mark hosts for (re)installation and if this does not get 
>completed within a certain time, something must have gone wrong.
>In the meantime, we want this security window closed (the OTP 
>password would be in a kickstart file, which can't be protected that 
>easily, because it still has to work as a kickstart file). 1 day max 
>is way too much in this context.
Create a user account, or a group of them, apply the needed policy, and use
these users to enroll hosts. This would work already.

-- 
/ Alexander Bokovoy
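An added example of the approach Alexander suggests, written for this page and not code from the thread or from the FreeIPA project: a dedicated enrollment account in its own group, with a group password policy and the stock "Enrollment Administrator" role, whose password is rotated at the start of each install and rotated again when the install finishes or the deadline passes, so a password copied out of a kickstart file stops working at hour scale rather than after pwpolicy's one-day minimum. It assumes an admin Kerberos ticket (kinit admin), GNU or BusyBox date (-d @epoch), and the account, group and host names used here are assumptions; the parse of the "Random password:" line from ipa's text output is also an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project:
# a dedicated enrollment account whose password lives only for the
# install window. Assumes an admin Kerberos ticket (kinit admin),
# FreeIPA's stock "Enrollment Administrator" role, GNU/BusyBox date
# (-d @epoch), and the assumed names enroller / enrollers.
set -eu

IPA=${IPA:-ipa}                   # IPA=echo prints the commands instead
USER_NAME=${USER_NAME:-enroller}  # assumed account and group names
GROUP_NAME=${GROUP_NAME:-enrollers}
WINDOW_HOURS=${WINDOW_HOURS:-2}   # an install must finish within this window

# Kerberos generalized time (YYYYmmddHHMMSSZ) for an epoch second.
gentime() { date -u -d "@$1" +%Y%m%d%H%M%SZ; }

# krbPasswordExpiration value for now + $1 hours. pwpolicy --maxlife counts
# whole days, so an hour-scale cap has to be set per user on this attribute.
expiry_in_hours() { gentime $(( $(date +%s) + $1 * 3600 )); }

# One-time setup: group, password policy, account, and the enrollment role.
setup_enrollment_group() {
    $IPA group-add "$GROUP_NAME" --desc="Accounts used only to enroll hosts"
    # --minlife is in hours, --maxlife in days; lowest priority number wins
    # among group policies, so 10 is applied instead of global_policy.
    $IPA pwpolicy-add "$GROUP_NAME" --minlife=0 --maxlife=1 --priority=10
    $IPA user-add "$USER_NAME" --first=Host --last=Enroller --random >/dev/null
    $IPA group-add-member "$GROUP_NAME" --users="$USER_NAME"
    # Stock role carrying only the "Host Enrollment" privilege.
    $IPA role-add-member "Enrollment Administrator" --groups="$GROUP_NAME"
}

# Rotate to a fresh random password and print it. Reading the
# "Random password:" line is an assumption about ipa's text output.
rotate_password() {
    $IPA user-mod "$USER_NAME" --random | awk -F': *' '/Random password/ {print $2}'
}

# Open the window: new password valid for WINDOW_HOURS, host entry ready.
# Admin-set passwords start out expired, so the expiry is pushed forward;
# otherwise the kinit inside ipa-client-install would demand a change.
open_window() {   # $1 = host FQDN; prints the one-time password
    pw=$(rotate_password)
    [ -n "$pw" ] || { echo "could not read new password" >&2; exit 1; }
    $IPA user-mod "$USER_NAME" \
        --setattr "krbPasswordExpiration=$(expiry_in_hours "$WINDOW_HOURS")" >/dev/null
    if $IPA host-show "$1" >/dev/null 2>&1; then
        $IPA host-disable "$1" >/dev/null   # reinstall: revoke old keytab/cert
    else
        $IPA host-add "$1" >/dev/null       # Host Enrollment alone cannot add hosts
    fi
    printf '%s\n' "$pw"
}

# Close the window (install done, or the deadline passed): rotating again
# makes the password sitting in any leaked kickstart file useless.
close_window() { $IPA user-mod "$USER_NAME" --random >/dev/null; }

# Kickstart %post section that enrolls the host with the enrollment account.
kickstart_snippet() {   # $1 = user, $2 = password
    printf '%%post --log=/root/ipa-client-install.log\n'
    printf 'ipa-client-install --unattended --principal=%s --password=%s\n' "$1" "$2"
    printf '%%end\n'
}

# Driver: ./enroll-window.sh host01.example.test > host01.ks-snippet
# The provisioning job then calls close_window on success or on timeout.
if [ $# -gt 0 ]; then
    pw=$(open_window "$1")
    kickstart_snippet "$USER_NAME" "$pw"
fi
```

Rotating the password (rather than only moving krbPasswordExpiration into the past) is what actually closes the window: an expired password can still be used to change itself, while a rotated one is simply unknown to whoever read the kickstart file.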
