[Freeipa-users] change min and max lifetime of random password

Stijn De Weirdt stijn.deweirdt at ugent.be
Sat Mar 29 12:54:03 UTC 2014


hi all,

> IMO we should not treat the OTP we set for the host enrollment as a
> Kerberos password.
> I would rather record a time of the creation and validity period when
> the password is set in two new attributes. The validity period should be
> optional and if not provided copied from a system wide policy that can
> be set by default to say 10 min. When we do authentication with OTP we
> should check whether we are already beyond the point when the OTP is
> valid and fail enrollment.  When we validate and clear OTP we do not
> need to change these two attributes, they contain valuable info that
> might be queried later.
>
I like this idea. Full host password policy is probably overkill for an 
OTP that only makes sense once in the lifetime of the host (OTP here 
means not only is the password itself only valid once; the whole 
password authentication is only valid/usable once).

btw, is it easy (as in an API exists) to add new (site-specific) attributes 
for a host? If so, I can already toy around with it for now. (Storing 
the creation time in it and some cron job might suffice for now.)

stijn
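The expiry check sketched in the quoted proposal (record creation time and an optional validity period, fall back to a system-wide default, refuse enrollment once the window has passed, keep the two attributes after the OTP is cleared), as an added example that is not code from FreeIPA or from either poster. The attribute names and the `userPassword` stand-in for OTP storage are assumptions.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical attribute names (not FreeIPA's own); the proposal only says
# "two new attributes" for creation time and validity period.
OTP_CREATED_ATTR = "x-otpCreated"         # LDAP GeneralizedTime, e.g. 20140329125403Z
OTP_VALIDITY_ATTR = "x-otpValiditySecs"   # optional, seconds
DEFAULT_OTP_VALIDITY = timedelta(minutes=10)  # the "system wide policy" default


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in the usual YYYYMMDDHHMMSSZ (UTC) form."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def otp_validity(entry):
    """Per-host validity if the attribute is set, else the policy default."""
    raw = entry.get(OTP_VALIDITY_ATTR)
    return timedelta(seconds=int(raw)) if raw else DEFAULT_OTP_VALIDITY


def otp_still_valid(entry, now):
    """True only if a creation time was recorded and `now` lies inside the window.
    A missing or malformed creation time fails closed (treated as expired)."""
    raw = entry.get(OTP_CREATED_ATTR)
    if not raw:
        return False
    try:
        created = parse_generalized_time(raw)
    except ValueError:
        return False
    return created <= now <= created + otp_validity(entry)


def authenticate_enrollment(entry, presented_otp, now):
    """Enrollment succeeds only if the OTP matches and is still inside its window.
    On success the OTP is cleared; the creation/validity attributes are kept."""
    stored = entry.get("userPassword")  # constructed stand-in for where the OTP lives
    if stored is None or not otp_still_valid(entry, now):
        return False
    if not hmac.compare_digest(stored.encode(), presented_otp.encode()):
        return False
    entry["userPassword"] = None  # one-time: clear the secret, keep the timestamps
    return True


# Constructed sample host entry (values are made up for the example)
HOST = {OTP_CREATED_ATTR: "20140329125403Z", "userPassword": "constructed-otp"}
```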