PAM time out

Marc Hoeppner

unread,

Jul 3, 2024, 8:21:26 AM (4 days ago) Jul 3

to iRODS-Chat

Hi,

I feel like some previous posts do touch on this, but I am new to administrating iRODS and honestly "didn't quite get" how this works ;)

I have a basic iRODS setup - with a client that can access a combined ICAT/Resource server. PAM authentication is set up and works.

But authentication "holds" for maybe 30 seconds. I would like to keep an authenticated session alive for a little longer because it is frankly annoying to have to re-type the password every 30 seconds.

I am not 100% sure where this is controlled (Linux host, iRODS server?) - maybe someone could point me in the right direction?

Kind regards,

Marc

j.labrenz

unread,

Jul 3, 2024, 9:15:33 AM (4 days ago) Jul 3

to iRODS-Chat

Hi Marc,

have you already tested the advanced settings in the /etc/irods/server_config.json file?

"default_temporary_password_lifetime_in_seconds": 120
"maximum_temporary_password_lifetime_in_seconds": 1000,

Best regards

Johannes

joris luijsterburg

unread,

Jul 3, 2024, 10:33:34 AM (4 days ago) Jul 3

to iRODS-Chat

Hey Marc,

Note that in irods >= 4.3.1 this setting is in a different place:

iadmin get_grid_configuration authentication password_min_time

iadmin set_grid_configuration authentication password_min_time 120

iadmin get_grid_configuration authentication password_max_time

iadmin set_grid_configuration authentication password_max_time 1209600

Regards,

Joris

Alan King

unread,

Jul 3, 2024, 2:35:39 PM (4 days ago) Jul 3

to irod...@googlegroups.com

Hi Marc,

What Joris and Johannes have said is correct. Thanks to you both!

At the risk of being redundant, there is a description of the password Time To Live behavior here in the documentation: https://docs.irods.org/4.3.2/system_overview/configuration/#authentication-configuration

The default TTL for these "limited" passwords is the configured password_min_time, which has a default value of 121 seconds. If you use the --ttl option with iinit, you can specify a number of hours before the temporary password times out.

Hope that helps!

Alan

--
--
The Integrated Rule-Oriented Data System (iRODS) - https://irods.org

iROD-Chat: http://groups.google.com/group/iROD-Chat
---
You received this message because you are subscribed to the Google Groups "iRODS-Chat" group.
To unsubscribe from this group and stop receiving emails from it, send an email to irod-chat+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/irod-chat/a51b8936-8c44-4a2b-b17d-73e5a2676752n%40googlegroups.com.

--

Alan King

Senior Software Developer | iRODS Consortium

Marc Hoeppner

unread,

Jul 4, 2024, 8:02:24 AM (3 days ago) Jul 4

to iRODS-Chat

Thanks! Yeah, I think that did it. I was a bit confused by the term "temporary password" - but after reading the documentation some more, it (sort of) makes sense.

J.P. Mc Farland

unread,

Jul 4, 2024, 10:03:52 AM (3 days ago) Jul 4

to iRODS-Chat

Hi,

I'm curious about the why here. We are battling the same issue and I just happen to see this. It seems counterintuitive to move such a fundamental server configuration _out_ of the server configuration file. I also think it is also a bit of a conflict that the default_temporary_password_lifetime_in_seconds and maximum_temporary_password_lifetime_in_seconds keys are still required in the server_config.json though they appear not to be honored in any way. Are there any write-ups of the why and what the plans for these kinds of future changes are? It is a bit difficult to admin when the settings keep moving around ;)