
Possible issue with password_min_time in iRODS 4.3.1

Open kalylian opened this issue 10 months ago • 5 comments

Hi,

I'm using iRODS version 4.3.1 with metalnx latest (should be 2.6.1), both pretty newly installed. I authenticate my users via PAM and LDAP.

After two minutes of being logged in, my regular users get the error "An unexpected error has happened. Please, contact your system administrator." when accessing Collections, Public or Trash. They were still logged into Metalnx but were locked out of iRODS. It doesn't happen with my admin account.

I've got this in the iRODS-log: {"log_category":"api","log_level":"info","log_message":"rsAuthCheck: chlCheckAuth status = -827000","request_api_name":"AUTH_RESPONSE_AN","request_api_number":704,"request_api_version":"d","request_client_user":"$USERNAME","request_host":"$SOME_IP","request_proxy_user":"$USERNAME","request_release_version":"rods3.2","server_host":"$PROVIDER","server_pid":2170453,"server_timestamp":"2024-04-23T09:10:33.331Z","server_type":"agent","server_zone":"$ZONE"}

The first thing that I thought of that could match with the two minute time range was password_min_time (https://docs.irods.org/4.3.1/system_overview/configuration/#configuring-authentication-in-r_grid_configuration), and I think there was some tweaking with that in 4.3, so I gave it a shot:

iadmin set_grid_configuration authentication password_min_time 60

And now it happens every minute. So this setting seems to be the issue.

I've set it to an hour, which should be reasonably long enough for my users, but it feels inelegant. Is there a Metalnx setting I should use instead?

Kind regards

Kaly

kalylian avatar Apr 23 '24 13:04 kalylian
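A small defender-side check, added here as an example and not part of this issue, Metalnx or iRODS: it parses iRODS 4.3 JSON log lines like the one quoted above, keeps only the rsAuthCheck events whose chlCheckAuth status is -827000, and reports the spacing between them per user, so an administrator can confirm that the lockout interval really tracks password_min_time before changing the zone setting. The sample log lines, user names and zone are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the iRODS 4.3 JSON log format seen in the issue
# (placeholder users and zone; one non-JSON line to exercise the skip path).
SAMPLE_LOG = """
{"log_category":"api","log_level":"info","log_message":"rsAuthCheck: chlCheckAuth status = -827000","request_api_name":"AUTH_RESPONSE_AN","request_client_user":"alice","server_timestamp":"2024-04-23T09:10:33.331Z","server_zone":"tempZone"}
{"log_category":"api","log_level":"info","log_message":"rsAuthCheck: chlCheckAuth status = 0","request_api_name":"AUTH_RESPONSE_AN","request_client_user":"bob","server_timestamp":"2024-04-23T09:10:40.000Z","server_zone":"tempZone"}
{"log_category":"api","log_level":"info","log_message":"rsAuthCheck: chlCheckAuth status = -827000","request_api_name":"AUTH_RESPONSE_AN","request_client_user":"alice","server_timestamp":"2024-04-23T09:11:33.331Z","server_zone":"tempZone"}
not a json line at all
"""

STATUS_RE = re.compile(r"chlCheckAuth status = (-?\d+)")
PASSWORD_EXPIRED = -827000  # the status reported in the issue (CAT_PASSWORD_EXPIRED)


def parse_auth_failures(text):
    """Return {user: [timestamps]} for chlCheckAuth events reporting -827000."""
    failures = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON entries (legacy format, truncated writes)
        m = STATUS_RE.search(rec.get("log_message", ""))
        if not m or int(m.group(1)) != PASSWORD_EXPIRED:
            continue
        # server_timestamp is UTC with a trailing Z, e.g. 2024-04-23T09:10:33.331Z
        ts = datetime.strptime(rec["server_timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        failures[rec.get("request_client_user", "?")].append(ts.replace(tzinfo=timezone.utc))
    return dict(failures)


def failure_intervals(failures):
    """Seconds between consecutive expiry failures per user, to compare with password_min_time."""
    out = {}
    for user, stamps in failures.items():
        stamps = sorted(stamps)
        out[user] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return out


if __name__ == "__main__":
    found = parse_auth_failures(SAMPLE_LOG)
    for user, gaps in failure_intervals(found).items():
        print(f"{user}: {len(found[user])} expired-password failures, gaps in seconds: {gaps}")
```

Run it against the real log (for example `python3 check.py < /var/log/irods/irods.log`, after swapping SAMPLE_LOG for `sys.stdin.read()`) and a steady gap equal to the configured password_min_time confirms the diagnosis in the issue.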

No, you're looking at the correct options.

What makes you feel the adjustment for the zone is inelegant?

korydraughn avatar Apr 23 '24 13:04 korydraughn

If Metalnx or Jargon have some way of passing a value for the Time To Live (TTL) for the PAM authentication calls, that would be the preferred approach, I think. But I don't know enough about Metalnx to know whether that is exposed anywhere.

alanking avatar Apr 23 '24 13:04 alanking

I believe that would be a new metalnx option/property.

trel avatar Apr 23 '24 13:04 trel

Hi and thanks for the quick answers.

What makes you feel the adjustment for the zone is inelegant?

I think it feels inelegant to me for three reasons.

  1. No matter how high I set password_min_time, there's always a chance a user exceeds it and is suddenly in a weird state. Doing an automated logout after password_min_time seconds might improve that, but I don't think I have a Metalnx option for that, either.
  2. I now have to adapt iRODS to work with Metalnx, instead of making Metalnx work with iRODS. This is the first time I've encountered this (might be due to me not being very experienced with Metalnx though).
  3. To my understanding, password_min_time is the minimum time to live for a generated password, and anything below that will not be allowed. A high password_min_time might be unexpected behaviour for other systems or users accessing iRODS.

It works for now. I'd prefer a metalnx option for that though.

Kind regards,

Kaly

kalylian avatar Apr 23 '24 14:04 kalylian

Thanks for the feedback. We'll investigate the addition of dedicated options within Metalnx.

korydraughn avatar Apr 23 '24 15:04 korydraughn