questions about "iinit --ttl" and the PAM temporary password lifetime


Hurng-Chun LEE

Jul 5, 2016, 3:45:47 AM
to iRODS-Chat
Hi,

We are using PAM to authenticate iRODS users.  In order to control the lifetime of the authenticated token for icommands, we are trying the "--ttl" option of the "iinit" command.

In the command-line help, it says:

"When using PAM, iinit always generates a temporary iRODS password
for use by the other iCommands, using a time-limit set by the
administrator (usually a few days).  With the --ttl option, you can
specify how long this derived password will be valid, within the
limits set by the administrator."

We are curious about the "time-limit set by the administrator"; however, we don't find where in our server's configuration (/etc/irods/server_config.json) the value is set.

The only thing that looks relevant is "maximum_temporary_password_lifetime_in_seconds": 1000 ... but this cannot be the value it refers to, as we can set the --ttl to more than that (i.e. 1000 seconds). By the way, with a trial-and-error approach, we found out that the limit is 336 hours (2 weeks).

On the other hand, we see some other relevant server parameters (but not set in our configuration file) from the document.  Those are:

- pam_no_extend (optional) - Set PAM password lifetime: 8 hours or 2 weeks, either true or false
- pam_password_length (optional) - Maximum length of a PAM password
- pam_password_max_time (optional) - Maximum allowed PAM password lifetime
- pam_password_min_time (optional) - Minimum allowed PAM password lifetime

My questions:

- are they the parameters we are looking for? If so, what is the purpose of setting "pam_no_extend" (or alternatively, what would be the expected behaviour of setting its value to "true" or "false")?

Thank you for the help.

Hong