[Freeipa-users] change min and max lifetime of random password
Stijn De Weirdt
stijn.deweirdt at ugent.be
Sat Mar 29 12:54:03 UTC 2014
hi all,
> IMO we should not treat the OTP we set for the host enrollment as a
> kerberos password.
> I would rather record a time of the creation and validity period when
> the password is set in two new attributes. The validity period should be
> optional and if not provided copied from a system wide policy that can
> be set by default to say 10 min. When we do authentication with OTP we
> should check whether we are already beyond the point when the OTP is
> valid and fail enrollment. When we validate and clear OTP we do not
> need to change these two attributes, they contain valuable info that
> might be queried later.
>
I like this idea. Full host password policy is probably overkill for an
OTP that only makes sense once in the lifetime of the host (OTP here
means not only is the password itself only valid once; the whole
password authentication is only valid/usable once).

BTW, is it easy (as in an API exists) to add new (site-specific) attributes
for a host? If so, I can already toy around with it for now. (Storing
the creation time in it and some cron job might suffice for now.)
stijn
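As an added illustration of the scheme discussed in this thread (not code from FreeIPA or from either poster), the following sketch models a host entry with two extra attributes, a creation time and a validity period that falls back to a system-wide default of 10 minutes, and checks both expiry and single use at enrollment while leaving the timestamps in place afterwards. The attribute names and the entry-as-dict representation are assumptions made for the example.

```python
import hmac
from datetime import datetime, timedelta, timezone

# Assumed system-wide policy: used when no per-host validity is supplied.
DEFAULT_OTP_VALIDITY = timedelta(minutes=10)


def set_enrollment_otp(entry, otp, now, validity=None):
    """Store the OTP together with its creation time and validity period.

    Attribute names are hypothetical, not FreeIPA's real schema.
    """
    entry["enrollmentOTP"] = otp
    entry["otpCreated"] = now
    entry["otpValidity"] = validity if validity is not None else DEFAULT_OTP_VALIDITY
    return entry


def validate_enrollment_otp(entry, presented, now):
    """Return (ok, reason). On success the OTP is cleared, the timestamps stay."""
    stored = entry.get("enrollmentOTP")
    if not stored:
        # Already consumed (or never issued): the OTP is usable exactly once.
        return False, "no OTP set"
    expires_at = entry["otpCreated"] + entry["otpValidity"]
    if now > expires_at:
        return False, "OTP expired"
    if not hmac.compare_digest(stored, presented):
        return False, "OTP mismatch"
    # Clear only the secret; otpCreated/otpValidity remain for later auditing.
    entry["enrollmentOTP"] = None
    return True, "enrolled"


if __name__ == "__main__":
    # Constructed sample host entry and timeline.
    t0 = datetime(2014, 3, 29, 12, 0, tzinfo=timezone.utc)
    host = set_enrollment_otp({"fqdn": "client.example.test"}, "s3cret", t0)
    print(validate_enrollment_otp(host, "s3cret", t0 + timedelta(minutes=5)))
    print(validate_enrollment_otp(host, "s3cret", t0 + timedelta(minutes=6)))
```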