hmmm, seems like overkill to me.
this should ideally be a user per host, and the user should be disabled as soon as the host is installed/has the host keytab.

i can continue testing with the 1 day maximum for now. i'll track progress/discussion via the ticket.


On 03/24/2014 08:53 PM, Alexander Bokovoy wrote:
> On Mon, 24 Mar 2014, Stijn De Weirdt wrote:
>> hi dmitri,
>>
>>> The whole idea of the host passwords is to be added as a part of the
>>> provisioning workflow so it should be seconds anyways.
>>> We created a "smart proxy" for Foreman (provisioning system) to drive
>>> host creation. It just landed upstream (first version) last week.
>>> Any chance you can use or reuse some of the code from it in your
>>> provisioning workflows?
>> i'll have a closer look at the code, but the goal is the same.
>>
>>> Also can you explain why the expiration time is needed? I can understand
>>> it being needed if the password is created ahead of time and then not
>>> used for a period of time but here it is really one flow. You can't
>>> predict whether it would be 2 seconds or 10 seconds but is it really
>>> important to put a cap on it?
>> yes. we mark hosts for (re)installation and if this does not get
>> completed within a certain time, something must have gone wrong.
>> in the meanwhile, we want this security window closed (the OTP
>> password would be in a kickstart file, which can't be protected that
>> easily, because it still has to work as a kickstart file). 1 day max
>> is way too much in this context.
> Create a user account or a group of them, apply the needed policy, and use these
> users to enroll hosts. This would work already.

Freeipa-users mailing list