[Freeipa-users] change min and max lifetime of random password

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 24 20:47:22 UTC 2014


On Mon, 24 Mar 2014, Rob Crittenden wrote:
>Alexander Bokovoy wrote:
>>On Mon, 24 Mar 2014, Stijn De Weirdt wrote:
>>>hi dmitri,
>>>
>>>>The whole idea of the host passwords is to be added as a part of the
>>>>provisioning workflow so it should be seconds anyways.
>>>>We created a "smart proxy" for Foreman (provisioning system) to drive
>>>>host creation. It just landed upstream (first version) last week.
>>>>Any chance you can use or reuse some of the code from it in your
>>>>provisioning workflows?
>>>I'll have a closer look at the code, but the goal is the same.
>>>
>>>>
>>>>Also can you explain why the expiration time is needed? I can understand
>>>>it being needed if the password is created ahead of time and then not
>>>>used for a period of time but here it is really one flow. You can't
>>>>predict how much it would be 2 sec or 10 seconds but is it really
>>>>important to put a cap on it?
>>>yes. we mark hosts for (re)installation and if this does not get
>>>completed within certain time, something must have gone wrong.
>>>in the meanwhile, we want this security window closed (the OTP
>>>password would be in a kickstart file, which can't be protected that
>>>easily, because it still has to work as a kickstart file). 1 day max
>>>is way too much in this context.
>>Create user account or group of them, apply needed policy, and use these
>>users to enroll hosts. This would work already.
>>
>
>No, because then you have to either ship keytabs around during 
>provisioning or hardcode that user's password in the kickstart and 
>they are already nervous about doing that for the OTP.
This topic comes up regularly on IRC. My suggestion was to create these
one-time passwords based on some function of time and host parameters
you can control centrally, for example, the IP address.

For example, using Python expression:

>>> from time import gmtime
>>> addr = "192.168.0.1"
>>> # round the minute down to a 15-minute boundary: (year, month, day, hour, minute)
>>> time = lambda t : list(t[:4]) + [(t[4] // 15) * 15]
>>> # IPv4 octets followed by the zero-padded date/time fields
>>> pw = lambda t, a: ''.join(a.split('.') + list(map(lambda x: '{:02d}'.format(x), t)))
>>> pw(time(gmtime()), addr)
'19216801201403242030'

i.e. a password is the IP address octets concatenated with the date and
time rounded down to 15 minutes.

Then ship the function to calculate the OTP as part of the kickstart file.
Only a password generated when running the install within the 15-minute
window of setting the OTP on the server will work, and only if the IP
address is the same as defined on the server.

No real password is in the kickstart file, the OTP will turn itself off
automatically on enrollment, and the time has to be within the window of
opportunity.

-- 
/ Alexander Bokovoy