On 03/27/2014 09:28 PM, Rob Crittenden wrote:
Stijn De Weirdt wrote:
hi alexander,

ity would be good anyway to have a script that checks all hosts that
have not enrolled yet how old the issued password is (even after
expiration). very useful to spot the state of ongoing deployments and
to spot problems. how can one obtain the creation time of the
password? fetch the timestamp from LDAP or is there a nice ipa API for
it?
Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
and krbLastPwdChange attributes.

ipa host-show host.name --all --raw

will give you their values.

# ipa host-show `hostname` --all --raw |grep krbLast
   krbLastPwdChange: 20140213123016Z
   krbLastSuccessfulAuth: 20140325073031Z


this does not seem to work on a host that has the random password set
(or set a few times), but no keytab was created or other form of
authentication:
ipa host-show test.test --all --raw |grep -E 'krb|has_'
  has_password: True
  has_keytab: False
  krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal

(this is freeipa 3.3.3 on rhel7 beta)

Right, because it doesn't have Kerberos credentials yet, just a password. We apparently don't set any dates when setting only the host password. Which also means password policy probably wouldn't apply correctly even if you were able to set one. And I guess the question is, should we?

If so we'd need to always add the krbPrincipalAux objectclass and set this value in the password plugin.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

IMO we should not treat the OTP we set for the host enrollment as a kerberos password. I would rather record a time of the creation and validity period when the password is set in two new attributes. The validity period should be optional and if not provided copied from a system wide policy that can be set by default to say 10 min. When we do authentication with OTP we should check whether we are already beyond the point when the OTP is valid and fail enrollment. When we validate and clear OTP we do not need to change these two attributes, they contain valuable info that might be queried later.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to