It should be possible to configure the minimum and maximum lifetime of a host password. The use case is to support a short-lived OTP to be used for kickstart installation (the OTP is the random password).
The maximum lifetime should be configurable in seconds (or the current methods of hours/days should accept floats). We are looking for a maximum of approx. 20 minutes.
IMO if we go this route it should be possible to define a lifetime. I do not quite understand what minimal lifetime means in this situation. You can't use the password before this time? The password is either valid for authentication at a given moment or not, so min lifetime does not seem to make much sense.
The minimum should be changeable since, AFAIK, the default is 1 hour. Minimum could be seen as an offset, but just setting the lifetime (i.e. minimum=0, maximum=lifetime) is more than sufficient.
Minimum is the least amount of time for the password to exist before being changed.
Replying to [comment:3 rcritten]:
It is a one-time password by definition, so a change password operation does not make sense. Once the password has expired you should not be able to enrol the host until you set a different password. So it is more an enrolment timeout.
I also think that maybe what we should do in future is, instead of setting a password for the host, automatically assign it a TOTP token with a given interval. Maybe using tokens for it is an overhead, but at least we can reuse some of that machinery.
FreeIPA 4.2 was already shaped (see [[milestone:FreeIPA 4.2]] milestone); this does not fit. Pushing out.
If anyone is willing to help and contribute to this one, please let us know!
Metadata Update from @stdweird: - Issue assigned to someone - Issue set to the milestone: Future Releases
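To make the semantics discussed in this ticket concrete (a one-time host enrolment password whose lifetime is given in seconds, with minimum=0 and maximum=lifetime, that dies on expiry or on first successful use), here is an added example; it is not FreeIPA code, and the store, its field names and the host names are constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class EnrolmentOTP:
    """Constructed record for one host's enrolment OTP (not a FreeIPA type)."""
    secret: str
    issued_at: float      # epoch seconds when the OTP was set
    lifetime: float       # seconds; the ticket's ~20 minutes would be 1200
    used: bool = False    # one-time: flipped on the first successful enrolment

    def expires_at(self) -> float:
        return self.issued_at + self.lifetime


class EnrolmentOTPStore:
    """In-memory store keyed by host FQDN; `now` is injectable for testing."""

    def __init__(self, default_lifetime: float = 1200.0):
        self.default_lifetime = default_lifetime
        self._otps: Dict[str, EnrolmentOTP] = {}

    def issue(self, fqdn: str, lifetime: Optional[float] = None,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        lifetime = self.default_lifetime if lifetime is None else lifetime
        secret = secrets.token_urlsafe(24)   # the "random password"
        self._otps[fqdn] = EnrolmentOTP(secret, now, lifetime)
        return secret

    def enrol(self, fqdn: str, presented: str,
              now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        otp = self._otps.get(fqdn)
        if otp is None or otp.used:
            return False
        if now >= otp.expires_at():
            # Enrolment timeout: the OTP is gone and a new one must be set.
            del self._otps[fqdn]
            return False
        if not hmac.compare_digest(otp.secret, presented):
            return False
        otp.used = True   # a second enrolment attempt with the same OTP fails
        return True
```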