Closed mikkonie closed 2 weeks ago
Is this login timeout with iRODS iCommands? IIRC, this is governed by PAM.
There are in fact two settings for maximum login length. There is a separate one for PAM, yes. For some reason, one of these was set very short in my iRODS 4.3 unattended config template.
These settings have changed in 4.3.1+, see here.
Max password time has to now be set with iadmin set_grid_configuration authentication password_max_time xxx
...however, the setting is set to the correct default value on the server. This can be verified with iadmin get_grid_configuration authentication password_max_time.
Supplying --ttl in iinit provides the expected TTL, but without that option supplied the password expires in 2 minutes. This makes iCommands unusable without supplying a custom TTL. So something has definitely changed somewhere. Changing default_temporary_password_lifetime_in_seconds in the server config doesn't help.
iRODS support to the rescue: this is an undocumented feature in v4.3.1+, where one is supposed to use password_min_time in addition to password_max_time. They have now added a ticket for documenting this :)
It has to be set with iadmin set_grid_configuration authentication password_min_time 1209600. I'll double-check to make sure there isn't a way to do it in unattended_config.json. (Update: I asked iRODS support and it can't, at least for now)
Done.
After upgrading the image, the default login timeout seems to be VERY short. This should be altered. Not 100% sure if this should go here or sodar-docker-compose, will move if needed.
Edit: Instead of simply increasing the default maximum values, we should make them configurable by env vars.
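One way to drive both limits from environment variables, as the edit above suggests, using the iadmin commands quoted in the thread. This is an added example, not code from this repository: the variable names IRODS_PASSWORD_MIN_TIME and IRODS_PASSWORD_MAX_TIME, the IADMIN override, the `--apply` switch and the function names are hypothetical, and it assumes the script runs as an iRODS admin user once the server is up.

```shell
#!/bin/sh
# Added example: apply iRODS password lifetime bounds from env vars.
# All env var and function names here are hypothetical.
IADMIN="${IADMIN:-iadmin}"   # overridable so the logic can be dry-run

# Accept only a positive decimal integer without leading zeros,
# short enough that shell integer comparison cannot overflow.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

apply_password_times() {
    min="${IRODS_PASSWORD_MIN_TIME:-1209600}"  # default: value from the thread
    max="${IRODS_PASSWORD_MAX_TIME:-}"         # empty: leave server value alone

    valid_seconds "$min" || {
        echo "invalid password_min_time: $min" >&2; return 1; }

    if [ -n "$max" ]; then
        # This script's own sanity check: refuse a minimum above the maximum.
        valid_seconds "$max" && [ "$min" -le "$max" ] || {
            echo "invalid bounds: min=$min max=$max" >&2; return 1; }
        "$IADMIN" set_grid_configuration authentication \
            password_max_time "$max" || return 1
    fi

    "$IADMIN" set_grid_configuration authentication \
        password_min_time "$min" || return 1

    # Read both values back so the container log records what is in effect.
    "$IADMIN" get_grid_configuration authentication password_min_time &&
    "$IADMIN" get_grid_configuration authentication password_max_time
}

# Only touch the grid when asked to, e.g. from a container entrypoint.
if [ "${1:-}" = "--apply" ]; then
    apply_password_times
fi
```

Invalid or inverted values are rejected before any iadmin call is made, so a typo in the environment cannot leave the grid with one limit changed and the other not.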