[Freeipa-users] change min and max lifetime of random password

Stijn De Weirdt stijn.deweirdt at ugent.be
Mon Mar 24 19:54:35 UTC 2014


https://fedorahosted.org/freeipa/ticket/4272

On 03/24/2014 08:44 PM, Stijn De Weirdt wrote:
> hi dmitri,
>
>> The whole idea of the host passwords is to be added as a part of the
>> provisioning workflow so it should be seconds anyways.
>> We created a "smart proxy" for Foreman (provisioning system) to drive
>> host creation. It just landed upstream (first version) last week.
>> Any chance you can use or reuse some of the code from it in your
>> provisioning workflows?
> i'll have a closer look at the code, but the goal is the same.
>
>>
>> Also can you explain why the expiration time is needed? I can understand
>> it being needed if the password is created ahead of time and then not
>> used for a period of time but here it is really one flow. You can't
>> predict how much it would be, 2 sec or 10 seconds, but is it really
>> important to put a cap on it?
> yes. we mark hosts for (re)installation and if this does not get
> completed within certain time, something must have gone wrong.
> in the meanwhile, we want this security window closed (the OTP password
> would be in a kickstart file, which can't be protected that easily,
> because it still has to work as a kickstart file). 1 day max is way too
> much in this context.
>
>>
>> If this is desired the right feature would be to add a couple of attributes
>> to the host entry: creation time and validity interval and set them when
>> the password is created. But it is more than a quick fix. You are welcome
>> to file an RFE and put all the details in the ticket.
> ok, will do.
>
>
> stijn
>>> many thanks,
>>>
>>> stijn