ttl settings on 4.3.1

joris luijsterburg, Oct 27, 2023, 6:55:19 AM, to iRODS-Chat
Hey all,

I have been tinkering a bit with 4.3.1. Upgrading from 4.3.0 was a piece of cake!

I have installed this on two zones, and in one of the two zones I see weird behaviour on the time to live. I noticed that I get authentication errors very quickly there. I do an iinit, I perform some commands, and then after a couple of commands the next one doesn't work. When digging in I found out that in 4.3.1 some settings for PAM password expiry have been put into the database instead of the server_config.json. In my case I didn't use these settings before, so the database has the default settings ("password_min_time"="121").

And indeed, I ran a script performing ils every second after iinit, and I noticed that after around 121 seconds the ils failed. Thus, my password only lives for two minutes. If I retry with iinit --ttl 1, it does indeed live longer. The workaround is thus raising the minimum TTL via iadmin set_grid_configuration.

But, the question is: what should the value of the ttl be when you do not enter it manually in iinit?

Terrell Russell, Oct 27, 2023, 8:05:05 AM, to irod...@googlegroups.com
Hi Joris,

I believe the defaults are documented here...


I'm confused by the differing behavior on two different zones.

Terrell

Alan King, Oct 27, 2023, 9:54:15 AM, to irod...@googlegroups.com
Hi,

I guess this failed to make it into the documentation so I'll write it here...

iinit has always used an implied Time-To-Live for PAM/pam_password authentication. In the past, this default value was determined by something appropriately named irods_pam_password_default_time (see https://github.com/irods/irods/blob/f6eb6c72786288878706e2562a370b91b7d0802e/plugins/database/src/db_plugin.cpp#L7264-L7267). This value was configurable only via pam_no_extend. The value was 1209600 (2 weeks) if pam_no_extend was false, or 28800 (8 hours) if pam_no_extend was true.

In 4.3.1, this behavior was modified to increase security and simplify configuration a little bit. If no TTL is provided for pam_password authentication, the default TTL is the configured password_min_time. You can see this being done here in the code: https://github.com/irods/irods/blob/97eb33f130349db5e01a4b85e89dd1da81460345/plugins/database/src/db_plugin.cpp#L7241-L7244 You can change the configured password_min_time in R_GRID_CONFIGURATION to something bigger to increase the default TTL for pam_password authentication. Providing a TTL value via iinit --ttl will continue to behave as expected.

So, the thing that has changed is the default TTL, which now uses the configured minimum time rather than the irods_pam_password_default_time.

I've created an issue to shore up this section of the documentation a bit more: https://github.com/irods/irods_docs/issues/234

Hope that helps.

--
Alan King
Senior Software Developer | iRODS Consortium
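
A small POSIX shell script, added here as an example and not part of the thread or of the iRODS code base, that makes Joris's "ils every second" experiment reusable, encodes the implied-TTL rule Alan describes, and shows the iadmin calls to inspect and raise password_min_time. The iadmin option syntax (namespace `authentication`, options `password_min_time` and `password_max_time`) is an assumption about 4.3.1's R_GRID_CONFIGURATION layout and is not stated in the thread; check it against `iadmin help` before relying on it.

```sh
#!/bin/sh
# Added example for this thread, not code from the iRODS project.
# Two things a zone admin wants after reading the above:
#   1. measure how long an iinit session really lasts (Joris's "ils every
#      second" experiment, made reusable), and
#   2. read and raise the value that now sets the implied TTL,
#      password_min_time in R_GRID_CONFIGURATION.
#
# Assumptions (not confirmed by the thread): iadmin exposes the option as
#   iadmin get_grid_configuration authentication password_min_time
#   iadmin set_grid_configuration authentication password_min_time <secs>
# and password_max_time is the sibling option in the same namespace.

# probe_lifetime PROBE INTERVAL MAX_ATTEMPTS
# Evaluates PROBE (a shell command string) in this shell every INTERVAL
# seconds until it fails or MAX_ATTEMPTS is reached. Prints the seconds that
# elapsed before the first failure (resolution = INTERVAL) and returns 0;
# prints "none" and returns 1 if PROBE never failed.
probe_lifetime() {
    pl_probe=$1; pl_interval=$2; pl_max=$3
    pl_n=0
    while [ "$pl_n" -lt "$pl_max" ]; do
        if ! eval "$pl_probe" >/dev/null 2>&1; then
            echo $((pl_n * pl_interval))
            return 0
        fi
        pl_n=$((pl_n + 1))
        sleep "$pl_interval"
    done
    echo none
    return 1
}

# implied_ttl VERSION PAM_NO_EXTEND PASSWORD_MIN_TIME
# The TTL iinit applies when --ttl is not given, as Alan describes above:
# before 4.3.1 it came from irods_pam_password_default_time (1209600 s, or
# 28800 s when pam_no_extend was true); from 4.3.1 it is password_min_time.
# Only "4.3.1" and older versions are covered by the thread; anything that
# does not start with 4.3.1 is treated as the old behaviour.
implied_ttl() {
    case "$1" in
        4.3.1*) echo "$3" ;;
        *)      if [ "$2" = true ]; then echo 28800; else echo 1209600; fi ;;
    esac
}

# Print the current server-side values (assumed option names, see header).
show_ttl_config() {
    for opt in password_min_time password_max_time; do
        printf '%s=' "$opt"
        iadmin get_grid_configuration authentication "$opt"
    done
}

# raise_default_ttl SECONDS
# Raises password_min_time, which in 4.3.1 is also the implied iinit TTL.
# Keep the value at or below password_max_time (run show_ttl_config first).
raise_default_ttl() {
    iadmin set_grid_configuration authentication password_min_time "$1"
}

# Usage (run iinit for the PAM user first when measuring):
#   sh ttl_probe.sh measure [max_seconds]   # around 121 on an untouched 4.3.1 zone
#   sh ttl_probe.sh show
#   sh ttl_probe.sh raise 28800
case "${1:-}" in
    measure) probe_lifetime 'ils' 1 "${2:-600}" ;;
    show)    show_ttl_config ;;
    raise)   raise_default_ttl "${2:?seconds}" ;;
esac
```

Run `iinit` for the PAM user, then `sh ttl_probe.sh measure`; a result near 121 on an untouched 4.3.1 zone reproduces what Joris saw, and `implied_ttl 4.3.1 false 121` gives the same number from the rule. Raising password_min_time changes the implied TTL for every PAM user in the zone, so pick the value deliberately; an explicit `iinit --ttl` is still honoured as before, so a longer minimum only affects sessions that did not ask for a TTL.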

joris luijsterburg, Oct 27, 2023, 10:45:44 AM, to iRODS-Chat
Okay thanks, that does clear it up indeed!

Knowing which one is the standard behaviour, I checked the environment where this was not happening and found out I was using an iRODS native user there and forgot about it, so that is cleared up as well. After changing that to my regular PAM user, the password was invalid after two minutes like in the other environment. Both work as designed.

Kind regards,
Joris