[Freeipa-users] change min and max lifetime of random password

Dmitri Pal dpal at redhat.com
Fri Mar 28 02:01:55 UTC 2014


On 03/27/2014 09:28 PM, Rob Crittenden wrote:
> Stijn De Weirdt wrote:
>> hi alexander,
>>
>>>> it would be good anyway to have a script that checks all hosts that
>>>> have not enrolled yet how old the issued password is (even after
>>>> expiration). very useful to spot the state of ongoing deployments and
>>>> to spot problems. how can one obtain the creation time of the
>>>> password? fetch the timestamp from LDAP or is there a nice ipa API for
>>>> it?
>>> Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
>>> and krbLastPwdChange attributes.
>>>
>>> ipa host-show host.name --all --raw
>>>
>>> will give you their values.
>>>
>>> # ipa host-show `hostname` --all --raw |grep krbLast
>>>    krbLastPwdChange: 20140213123016Z
>>>    krbLastSuccessfulAuth: 20140325073031Z
>>>
>>>
>> this does not seem to work on a host that has the random password set
>> (or set a few times), but no keytab was created or other form of
>> authentication:
>>> ipa host-show test.test --all --raw |grep -E 'krb|has_'
>>>   has_password: True
>>>   has_keytab: False
>>>   krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
>>>   krbPrincipalName: host/test.test at TEST
>>>   objectClass: krbprincipalaux
>>>   objectClass: krbprincipal
>>
>> (this is freeipa 3.3.3 on rhel7 beta)
>
> Right, because it doesn't have Kerberos credentials yet, just a 
> password. We apparently don't set any dates when setting only the host 
> password. Which also means password policy probably wouldn't apply 
> correctly even if you were able to set one. And I guess the question 
> is, should we?
>
> If so we'd need to always add the krbPrincipalAux objectclass and set 
> this value in the password plugin.
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

IMO we should not treat the OTP we set for the host enrollment as a 
Kerberos password.
I would rather record a time of the creation and validity period when 
the password is set in two new attributes. The validity period should be 
optional and if not provided copied from a system wide policy that can 
be set by default to say 10 min. When we do authentication with OTP we 
should check whether we are already beyond the point when the OTP is 
valid and fail enrollment. When we validate and clear OTP we do not 
need to change these two attributes, they contain valuable info that 
might be queried later.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
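The two points raised in this thread, checking the enrollment state and the age of a host's credential from the raw `ipa host-show` output, and the proposed "creation time plus validity window" check for the enrollment OTP, can be sketched in a small script. The following is an added example written for this thread, not FreeIPA code. It assumes the `  attribute: value` layout that `ipa host-show HOST --all --raw` prints (as quoted above); the two sample outputs are constructed, and the `otpCreated`/`otpValidity` attribute names used for the proposed check are hypothetical, since no such attributes exist in the release discussed.

```python
"""Audit FreeIPA host enrollment state from `ipa host-show --all --raw` output.

Added example for the freeipa-users thread; not FreeIPA project code.
Assumptions (labelled): input is the raw "  attr: value" format quoted in the
thread (sample outputs below are constructed); the validity check models the
proposal in the thread, with hypothetical attribute names otpCreated/otpValidity
and a system-wide default window of 10 minutes.
"""
from datetime import datetime, timedelta, timezone

# Reference "now": the date of the mail this example accompanies.
EMAIL_TIME = datetime(2014, 3, 28, 2, 1, 55, tzinfo=timezone.utc)
DEFAULT_OTP_VALIDITY_MINUTES = 10  # hypothetical system-wide policy default

# Constructed sample: a fully enrolled host (keytab present, Kerberos timestamps set).
SAMPLE_ENROLLED = """\
  fqdn: host.name
  has_keytab: True
  has_password: False
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z
  krbPrincipalName: host/host.name@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal
"""

# Constructed sample: OTP set but never used, as described in the thread
# (has_password True, no keytab, and no krbLast* timestamps at all).
SAMPLE_PENDING = """\
  fqdn: test.test
  has_password: True
  has_keytab: False
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal
"""


def parse_raw(text):
    """Turn raw `ipa ... --raw` output into {attr: [values]}; repeated
    attributes such as objectClass keep every value in order."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """LDAP GeneralizedTime as printed by ipa (e.g. 20140213123016Z) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(attrs, now=EMAIL_TIME):
    """Return a small report: enrollment state and, where krbLastPwdChange
    exists, the age of the credential in whole days (None otherwise)."""
    has_password = attrs.get("has_password", ["False"])[0] == "True"
    has_keytab = attrs.get("has_keytab", ["False"])[0] == "True"
    last_change = attrs.get("krbLastPwdChange")
    age_days = (now - parse_generalized_time(last_change[0])).days if last_change else None
    if has_keytab:
        state = "enrolled"
    elif has_password and age_days is None:
        # The case from the thread: an OTP exists but nothing records when it was set.
        state = "pending-otp-no-timestamp"
    elif has_password:
        state = "pending-otp"
    else:
        state = "unenrolled"
    return {"fqdn": attrs.get("fqdn", ["?"])[0], "state": state, "age_days": age_days}


def otp_still_valid(attrs, now=EMAIL_TIME):
    """The check proposed in the thread: enrollment with the OTP must fail once
    now is past otpCreated + otpValidity; a missing otpValidity falls back to the
    system-wide default. Both attribute names are hypothetical."""
    created = attrs.get("otpCreated")
    if not created:
        return False  # no creation record: treat the OTP as unusable
    minutes = int(attrs.get("otpValidity", [DEFAULT_OTP_VALIDITY_MINUTES])[0])
    return now <= parse_generalized_time(created[0]) + timedelta(minutes=minutes)


if __name__ == "__main__":
    for sample in (SAMPLE_ENROLLED, SAMPLE_PENDING):
        print(classify(parse_raw(sample)))
```

In a real deployment the two sample strings would be replaced by the output of `ipa host-find --all --raw` or a per-host `ipa host-show`, and any host reported as `pending-otp-no-timestamp` is exactly the case the thread describes: an OTP was issued, but the server keeps no record of when, so its age cannot be audited without the extra attributes proposed above.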
