[Freeipa-users] change min and max lifetime of random password

Stijn De Weirdt stijn.deweirdt at ugent.be
Mon Mar 24 19:56:39 UTC 2014


hmmm, seems like overkill to me.
this should ideally be a user per host, and the user should be disabled 
as soon as the host is installed/has the host keytab.

i can continue testing with the 1 day maximum for now. i'll track 
progress/discussion via the ticket.

stijn

On 03/24/2014 08:53 PM, Alexander Bokovoy wrote:
> On Mon, 24 Mar 2014, Stijn De Weirdt wrote:
>> hi dmitri,
>>
>>> The whole idea of the host passwords is to be added as a part of the
>>> provisioning workflow so it should be seconds anyways.
>>> We created a "smart proxy" for Foreman (provisioning system) to drive
>>> host creation. It just landed upstream (first version) last week.
>>> Any chance you can use or reuse some of the code from it in your
>>> provisioning workflows?
>> i'll have a closer look at the code, but the goal is the same.
>>
>>>
>>> Also can you explain why the expiration time is needed? I can understand
>>> it being needed if the password is created ahead of time and then not
>>> used for a period of time but here it is really one flow. You can't
>>> predict how much it would be 2 sec or 10 seconds but is it really
>>> important to put a cap on it?
>> yes. we mark hosts for (re)installation and if this does not get
>> completed within certain time, something must have gone wrong.
>> in the meanwhile, we want this security window closed (the OTP
>> password would be in a kickstart file, which can't be protected that
>> easily, because it still has to work as a kickstart file). 1 day max
>> is way too much in this context.
> Create user account or group of them, apply needed policy, and use these
> users to enroll hosts. This would work already.
>
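The bounded enrollment window Stijn describes above, as an added example (this is not code from the thread, from FreeIPA, or from the Foreman smart proxy): a small POSIX shell watchdog around the ipa CLI. The host gets a random OTP from `ipa host-add --random` at provisioning time, the OTP is written into the kickstart %post, and if the host has not picked up a keytab within MAX_AGE seconds the OTP is rotated with `ipa host-mod --random` and the fresh value discarded, so the copy sitting in the kickstart file stops working long before the 1 day server-side maximum. Assumptions: the `Random password:` and `Keytab:` lines are parsed from the standard `ipa host-add`/`ipa host-show` text output, the IPA and MAX_AGE variables and the `decide`/`watchdog` function names are this example's own, and the issue timestamp is stored by the caller (here, passed as an epoch argument).

```shell
#!/bin/sh
# Assumed: "ipa" CLI is on PATH with an admin ticket; override IPA to stub it.
IPA=${IPA:-ipa}
# Assumed enrollment window in seconds (15 minutes), not a FreeIPA setting.
MAX_AGE=${MAX_AGE:-900}

# extract_otp: read "ipa host-add/host-mod --random" output on stdin and
# print only the one-time password from the "Random password:" line.
extract_otp() {
    sed -n 's/^ *Random password: *//p'
}

# issue_otp FQDN: create the host entry with a random OTP and print the OTP.
issue_otp() {
    "$IPA" host-add "$1" --random | extract_otp
}

# write_ks_snippet FQDN OTP: print the kickstart %post lines that enroll the
# host with the OTP (ipa-client-install consumes it on first use).
write_ks_snippet() {
    printf '%%post\nipa-client-install --unattended --hostname=%s --password=%s\n%%end\n' "$1" "$2"
}

# host_has_keytab: read "ipa host-show" output on stdin; succeed if enrolled.
host_has_keytab() {
    grep -q '^ *Keytab: *True$'
}

# enrollment_overdue ISSUED_EPOCH NOW_EPOCH: succeed once the window has passed.
enrollment_overdue() {
    [ $(( $2 - $1 )) -gt "$MAX_AGE" ]
}

# decide HOST_SHOW_OUTPUT ISSUED_EPOCH NOW_EPOCH: pure decision step, prints
# "done" (keytab present), "wait" (still inside the window) or "revoke".
decide() {
    if printf '%s\n' "$1" | host_has_keytab; then
        echo done
    elif enrollment_overdue "$2" "$3"; then
        echo revoke
    else
        echo wait
    fi
}

# watchdog FQDN ISSUED_EPOCH: apply decide() against the live directory and,
# on "revoke", rotate the OTP and throw the new one away; the value that
# leaked into the kickstart file is now useless. Prints the action taken.
watchdog() {
    action=$(decide "$("$IPA" host-show "$1")" "$2" "$(date +%s)")
    if [ "$action" = revoke ]; then
        "$IPA" host-mod "$1" --random >/dev/null
    fi
    echo "$action"
}

# Usage (run by the provisioning system, not at script load time):
#   otp=$(issue_otp node01.example.com); issued=$(date +%s)
#   write_ks_snippet node01.example.com "$otp" >> node01.ks
#   ... later, from cron every minute until it prints done or revoke:
#   watchdog node01.example.com "$issued"
```

Once the host reports `Keytab: True` the OTP has been consumed and the watchdog stops; for Alexander's alternative (a dedicated enrollment user with its own password policy) the same decide/rotate loop applies, with `ipa user-disable` in place of the `host-mod --random` rotation.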