hi all,

IMO we should not treat the OTP we set for the host enrollment as a
Kerberos password.
I would rather record a time of the creation and validity period when
the password is set in two new attributes. The validity period should be
optional and if not provided copied from a system wide policy that can
be set by default to say 10 min. When we do authentication with OTP we
should check whether we are already beyond the point when the OTP is
valid and fail enrollment.  When we validate and clear OTP we do not
need to change these two attributes, they contain valuable info that
might be queried later.

I like this idea. Full host password policy is probably overkill for an OTP that only makes sense once in the lifetime of the host (OTP here means not only is the password itself only valid once; the whole password authentication is only valid/usable once).

BTW, is it easy (as in API exists) to add new (site specific) attributes for a host? If so, I can already toy around with it for now. (Storing the creation time in it and some cron job might suffice for now.)
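The check proposed in the first message (record creation time and validity period, default the period from a site-wide policy, fail enrollment once it has passed, and keep both attributes after the OTP is cleared), written out as an added Python example. This is not FreeIPA code: the attribute names ipaEnrollmentOTP, ipaOTPCreateTime and ipaOTPValiditySeconds are made-up placeholders, a plain dict stands in for the host's LDAP entry, and the OTP is compared in the clear only to keep the example short (a real server would compare against a stored hash).

```python
import hmac
from datetime import datetime, timedelta, timezone

# LDAP generalized time as stored by 389-ds, e.g. 20240301120000Z
LDAP_TIME = "%Y%m%d%H%M%SZ"

# Stand-in for the proposed system-wide default validity period (10 min).
DEFAULT_OTP_VALIDITY = timedelta(minutes=10)


def parse_ldap_time(value):
    return datetime.strptime(value, LDAP_TIME).replace(tzinfo=timezone.utc)


def format_ldap_time(dt):
    return dt.astimezone(timezone.utc).strftime(LDAP_TIME)


def set_enrollment_otp(entry, otp, now, validity=None):
    """Store the OTP and the two proposed attributes (names are hypothetical).
    If no validity period is given, the policy default is copied in."""
    if validity is None:
        validity = DEFAULT_OTP_VALIDITY
    entry["ipaEnrollmentOTP"] = otp
    entry["ipaOTPCreateTime"] = format_ldap_time(now)
    entry["ipaOTPValiditySeconds"] = int(validity.total_seconds())
    return entry


def check_enrollment_otp(entry, presented, now):
    """Return (ok, reason). Expiry is checked before the secret so that an
    expired OTP is refused even when it is otherwise correct. On success the
    OTP itself is cleared (single use) but the two timestamp attributes are
    left in place, since they are useful to query later."""
    stored = entry.get("ipaEnrollmentOTP")
    if stored is None:
        return False, "no enrollment OTP set (already used or never set)"
    created = parse_ldap_time(entry["ipaOTPCreateTime"])
    validity = timedelta(seconds=int(entry["ipaOTPValiditySeconds"]))
    if now > created + validity:
        return False, "enrollment OTP expired"
    if not hmac.compare_digest(stored.encode(), presented.encode()):
        return False, "enrollment OTP mismatch"
    del entry["ipaEnrollmentOTP"]
    return True, "enrolled"
```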


Freeipa-users mailing list
