On Tue, 25 Mar 2014, Stijn De Weirdt wrote:
hi alexander,

No real password is in the kickstart file, OTP will turn itself off
automatically on enrollment and time has to be within the window of

but the password itself is still valid if the install failed and
someone else tries to use it.
Right. Nobody actually prevents you from running a cron job on the
server side to lock down these passwords if they were not used up in
a fixed amount of time.
hence my request for password expiration.
ity would be good anyway to have a script that checks all hosts that have not enrolled yet how old the issued password is (even after expiration). very useful to spot the state of ongoing deployments and to spot problems. how can one obtain the creation time of the password? fetch the timestamp from LDAP or is there a nice ipa API for it?
Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.

ipa host-show host.name --all --raw

will give you their values.

# ipa host-show `hostname` --all --raw |grep krbLast
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z

/ Alexander Bokovoy

Freeipa-users mailing list

Reply via email to