Password lifetime irods


Sanju Timsina

Apr 7, 2022, 9:34:36 AM
to iRODS-Chat
Hello,

There are these variables in the iRODS server_config.json file for password lifetime. Which variable should I change to make the password valid for a particular time? Is the password_max_time value in seconds too?

"default_temporary_password_lifetime_in_seconds"
"maximum_temporary_password_lifetime_in_seconds"
"password_max_time"

Also, which rule do I need to look into to check if the user is authenticated?

Thank you,
Sanju

Alan King

Apr 8, 2022, 10:54:57 AM
to irod...@googlegroups.com
Hi,

I think you want a combination of two of the server configurations you mentioned:

default_temporary_password_lifetime_in_seconds - This will set the default "Time to Live" (TTL) for the temporary passwords should one not be provided by the client.
maximum_temporary_password_lifetime_in_seconds - This caps the value that a client can pass from a client for the TTL of a temporary password.

Here's where these configuration options are documented: https://docs.irods.org/4.2.11/system_overview/configuration/

Please note that these variables only apply to *temporary passwords*. Here is some more explanatory text on this topic from `iinit -h --ttl`:

When using regular iRODS passwords you can use --ttl (Time To Live)
to request a credential (a temporary password) that will be valid
for only the number of hours you specify (up to a limit set by the
administrator).  This is more secure, as this temporary password
(not your permanent one) will be stored in the obfuscated
credential file (.irodsA) for use by the other iCommands.

When using PAM, iinit always generates a temporary iRODS password
for use by the other iCommands, using a time-limit set by the
administrator (usually a few days).  With the --ttl option, you can
specify how long this derived password will be valid, within the
limits set by the administrator.

If you are not using the iCommands, this is implemented by calling rcGetLimitedPassword with an optionally provided TTL value.

Finally, I'm guessing when you say "password_max_time" you mean "pam_password_max_time", and that is a configuration applicable only to the PAM authentication plugin. It is measured in seconds.

Hopefully that helps!


--
Alan King
Senior Software Developer | iRODS Consortium

Sanju Timsina

Apr 14, 2022, 8:22:21 PM
to iRODS-Chat

Thank you, Alan! Didn't see your chat earlier.

I will test this.

Thank you,
Sanju

Sanju Timsina

Apr 26, 2022, 2:58:41 PM
to iRODS-Chat
Hi Alan,

I set these different variables to 60 seconds to see the change. But it doesn't seem to be working. I am able to run the icommands even after the 60 seconds.

"default_temporary_password_lifetime_in_seconds"
"maximum_temporary_password_lifetime_in_seconds"
"pam_password_max_time"

Thank you,
Sanju

Alan King

Apr 26, 2022, 3:13:21 PM
to irod...@googlegroups.com
Which authentication plugin are you using? I was assuming that you were using native authentication, but I guess if you're working with the pam_password_max_time, you might be using PAM.

Can you please share the specific iinit command(s) and server configuration values that you used? Note that the iinit --ttl option is measured in hours while the server configuration options are measured in seconds. If the temporary password issued indeed lives longer than the configured maximum time on the server, that is a problem.

Sanju Timsina

Apr 29, 2022, 11:09:54 AM
to iRODS-Chat
Hi Alan,

We are using PAM authentication. I had set it to expire for 6 months but it doesn't work.

This is the configuration I was using earlier. I hadn't set anything for the iinit --ttl option.

"default_temporary_password_lifetime_in_seconds": 120,
"maximum_temporary_password_lifetime_in_seconds": 1000,
"plugin_configuration": {
    "authentication": {
        "pam": {
            "password_max_time": 15770000
        }
    },

Thank you,
Sanju
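
Added example (not part of the thread and not iRODS code): a small check of the settings posted above against the unit difference raised earlier in the thread, where `iinit --ttl` is measured in hours and the server settings in seconds. The function names and finding codes are hypothetical, the sample JSON is constructed from the values quoted in this post, and the check assumes `--ttl` takes whole hours.

```python
import json

# Constructed sample: the values quoted in the thread, wrapped into valid JSON.
SAMPLE = """{
  "default_temporary_password_lifetime_in_seconds": 120,
  "maximum_temporary_password_lifetime_in_seconds": 1000,
  "plugin_configuration": {"authentication": {"pam": {"password_max_time": 15770000}}}
}"""

SECONDS_PER_HOUR = 3600  # iinit --ttl is in hours; the server settings are in seconds


def lifetime_settings(config):
    """Return the three lifetime settings from the thread, in seconds (None if unset)."""
    pam = config.get("plugin_configuration", {}).get("authentication", {}).get("pam", {})
    return {
        "default": config.get("default_temporary_password_lifetime_in_seconds"),
        "maximum": config.get("maximum_temporary_password_lifetime_in_seconds"),
        "pam_max": pam.get("password_max_time"),
    }


def _valid(value):
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def audit(config, ttl_hours=None):
    """Return (code, message) findings about unit and range mismatches."""
    s = lifetime_settings(config)
    findings = []
    for name, value in s.items():
        if value is None:
            findings.append(("unset", f"{name} is not set in this file"))
        elif not _valid(value):
            findings.append(("invalid", f"{name}={value!r} is not a positive integer"))
    default = s["default"] if _valid(s["default"]) else None
    maximum = s["maximum"] if _valid(s["maximum"]) else None
    if default and maximum and default > maximum:
        findings.append(("default_above_max", f"default {default} s > maximum {maximum} s"))
    if maximum and maximum < SECONDS_PER_HOUR:  # assumption: --ttl takes whole hours
        findings.append(("ttl_unreachable", f"--ttl 1 is 3600 s, above the {maximum} s cap"))
    if ttl_hours is not None and maximum and ttl_hours * SECONDS_PER_HOUR > maximum:
        findings.append(("ttl_above_max", f"--ttl {ttl_hours} exceeds the {maximum} s cap"))
    return findings


if __name__ == "__main__":
    for code, message in audit(json.loads(SAMPLE), ttl_hours=2):
        print(f"{code}: {message}")
```

With the posted values, the 1000-second maximum is below one hour, so no whole-hour `--ttl` request fits under it.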

Alan King

May 2, 2022, 10:12:25 AM
to irod...@googlegroups.com
Oh, I see. To be honest, I hadn't realized that was how one should configure the password_max_time for PAM as it wasn't obvious to me from the docs, but this seems right. Apologies for that.

I am going to try testing this myself and write back with my findings as soon as I can. Code inspection is not revealing anything to me. I've been working on the authentication plugins for 4.3.0 so this will be relevant to my current work anyway.
