[Freeipa-users] change min and max lifetime of random password
Alexander Bokovoy
abokovoy at redhat.com
Tue Mar 25 07:43:41 UTC 2014
On Tue, 25 Mar 2014, Stijn De Weirdt wrote:
>hi alexander,
>
>>>>No real password is in the kickstart file, OTP will turn itself off
>>>>automatically on enrollment and time has to be within the window of
>>>>opportunity.
>>>>
>>>but the password itself is still valid if the install failed and
>>>someone else tries to use it.
>>Right. Nobody actually prevents you from running a cron job on the
>>server side to lock down these passwords if they were not used up in
>>a fixed amount of time.
>hence my request for password expiration.
>it would be good anyway to have a script that checks all hosts that
>have not enrolled yet how old the issued password is (even after
>expiration). very useful to spot the state of ongoing deployments and
>to spot problems. how can one obtain the creation time of the
>password? fetch the timestamp from LDAP or is there a nice ipa API
>for it?
Since a host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.
ipa host-show host.name --all --raw
will give you their values.
# ipa host-show `hostname` --all --raw |grep krbLast
krbLastPwdChange: 20140213123016Z
krbLastSuccessfulAuth: 20140325073031Z
--
/ Alexander Bokovoy
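The script Stijn asks for, as an added example that is not part of the thread: it reads `ipa host-find --all --raw` output in the `attr: value` form shown above (assuming one blank line between host entries), treats a host with krbLastPwdChange but no krbLastSuccessfulAuth as an issued-but-unused enrollment password, and reports those older than a chosen age so they can be locked down. The sample output and host names are constructed.

```python
# Added example, not from the thread: flag hosts whose enrollment password was issued
# but never used, from `ipa host-find --all --raw` output (assumes one blank line between hosts).
from datetime import datetime, timedelta, timezone
# Constructed sample output, not captured from a real server.
SAMPLE = """\
fqdn: web1.example.test
krbLastPwdChange: 20140213123016Z
krbLastSuccessfulAuth: 20140325073031Z

fqdn: web2.example.test
krbLastPwdChange: 20140320080000Z

fqdn: web3.example.test
krbLastPwdChange: 20140324200000Z
"""

def parse_raw(text):
    """Split --raw output into one {attribute: value} dict per host."""
    hosts, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" closes the last entry
        line = line.strip()
        if not line:                        # blank line ends a host entry
            if cur:
                hosts.append(cur)
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return hosts

def parse_time(value):
    """LDAP GeneralizedTime such as 20140213123016Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def stale_unused_passwords(text, now, max_age):
    """Hosts with krbLastPwdChange but no krbLastSuccessfulAuth were issued a password
    that never authenticated (enrollment incomplete); return those older than max_age."""
    stale = []
    for h in parse_raw(text):
        if "krbLastPwdChange" not in h or "krbLastSuccessfulAuth" in h:
            continue
        age = now - parse_time(h["krbLastPwdChange"])
        if age > max_age:
            stale.append((h.get("fqdn", "?"), age))
    return stale

if __name__ == "__main__":
    now = datetime(2014, 3, 25, 7, 43, 41, tzinfo=timezone.utc)  # time of the reply
    for fqdn, age in stale_unused_passwords(SAMPLE, now, timedelta(hours=24)):
        print(f"{fqdn}: password issued {age} ago and never used; lock it down")
```

Feed it real output with `ipa host-find --all --raw | python3 thisscript.py` once you replace SAMPLE with `sys.stdin.read()`; the age threshold is the window of opportunity you are willing to leave open.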