Patch was posted for review on Feb 19th, but may have been missed due to volume,
priorities, etc.

What always seemed odd to me was where the time sync occurred, not the
association of entering a password immediately after a user prompt. It made
more sense to me to have time sync before any configuration or krb
usage/user prompts in general.


On Tue, Mar 18, 2014 at 9:09 AM, Alexander Bokovoy wrote:

> On Tue, 18 Mar 2014, Petr Viktorin wrote:
>> On 03/18/2014 03:50 PM, Rob Crittenden wrote:
>>> Petr Viktorin wrote:
>>>> AFAIK this patch was only posted to Trac, where it was kind of
>>>> forgotten. Let's move it to the mailing list.
>>>> It looks & works fine, ACK for those aspects. But Dmitri had some
>>>> concerns about the validity of the ticket itself:
>>>>> Unusual but not critical. In future this can be an OTP prompt rather
>>>>> than password prompt and making sure time is correct on both sides
>>>>> might be more critical. I do not see a big problem with a slight delay.
>>>>> Banks now prompt people for user name on one page and then for password
>>>>> on another. It is a common practice. I would think that decoupling the
>>>>> prompts and getting people used to it is a benefit rather than a hassle.
>>>>> The trend of prompting for user and password independently should
>>>>> continue.
>>>>> We should make it more usable if there are usability concerns but IMO
>>>>> we should not be trying to push people back to traditional notion of
>>>>> "user name and password are always together". They are not.
>>>> It may be common practice but it doesn't really make sense to temporally
>>>> split related actions if there's no need for it. It is annoying. In the
>>>> banks case, the login pages follow one another, they don't insert some
>>>> completely unrelated output in the middle of the login process.
>>>> If we want to teach new expectations to users, ipa-client-install is not
>>>> the place to do it.
>>>> The OTP case will work since with the patch, time is synced before both
>>>> prompts.
>>>> The comment gives a good reason to move the ticket to Backlog, but since
>>>> we have a fix I'd like to push it.
>>> IIRC Alexander purposely put the time sync in here to ensure that at the
>>> time we actually obtain the password time is in sync. I can't say I
>>> always agreed with that, but it does make a certain amount of sense.
>> Was that really a conscious decision?
>> The only thing between the old and new calls of the sync is the actual
>> password entry. I don't think we should worry about clocks de-syncing while
>> the admin enters a password.
> See my other answer. :)
> --
> / Alexander Bokovoy