TTL issue for pam_password with v2.0.0 #536
Comments
What version of the PRC are you using?
Oh right, the PRC version is in the title. Anyway, have you adjusted your PAM TTL settings according to the following section? If yes, can you share what you have for each option?
These are:
The real issue here is that in the v1 client the default password lifetime is 60 hours. In v2 the default is that the server should decide on the lifetime (python-irodsclient/irods/connection.py, lines 461 to 462 in ed2e73c), apparently without the possibility for the client to overwrite it and ask for another value. And the default lifetime of the server is the minimal one, 121 seconds.
Everything is more configurable with 'seconds', so that was the new standard, so I think that part is expected/desired.
You're sure it was being treated as 'hours' in 1.1.9? That seems... surprising.
One thing that sticks out is the message at the end of the stack trace(?).
That is generated here: python-irodsclient/irods/connection.py, lines 475 to 477 in 1d8433e
It seems you may want to review this section. There are several PAM-related options described there, and they are referenced in the code leading to that exception.
See the following for the full function implementation. Notice the lines starting from line 470: python-irodsclient/irods/connection.py, lines 457 to 480 in 1d8433e
https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7102 The number passed over the wire is multiplied by 3600, so it has always been hours. So this is the regression for the Python client: by default, v1 attempted to generate a native password with a validity of 60 hours, and v2 takes the shorter 121 seconds from the server side.
Actually, the correct code snippet is https://github.com/irods/irods/blob/main/plugins/database/src/db_plugin.cpp#L7241-L7252
I think adding a settings file will allow you to make progress. The option you want to set in that file appears to be
You may also need
Note this line too, showing that eventually
I am closing this, because we decided to use the native scheme. And apparently we are touching on an issue that existed in older versions.
Hi, we have an iinit snippet (iinit.exe too) that is used by our Windows users to set up the necessary files to authenticate against iRODS. It writes the iRODS environment file and the .irodsA file, so that the obfuscated password file grants users access for 60 hours. Basically it mimics iinit of iCommands. Before v2.0.0 everything was working normally. However, it seems that with v2.0.0 something is broken in the flow. I explain it below.
iinit snippet to be executed in an interactive shell/interpreter:
Any script that contains a session connection to be executed:
If the script that contains a session connection is executed immediately after the iinit script, the flow works normally. But if it is executed later (my impression is 120 sec), we are getting the error here:
Confused with this. Btw, we don't use the native authentication in our flow.
Could you look into this issue? Meanwhile, please let us know if there is any workaround or if we are missing something. We tried several things but they didn't work. Thanks.