[Freeipa-users] Allow freeipa send password to user

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 20 10:54:31 UTC 2014


On Thu, 20 Feb 2014, Jan Pazdziora wrote:
>On Tue, Feb 18, 2014 at 04:44:30PM -0500, Dmitri Pal wrote:
>> On 02/17/2014 10:51 PM, barrykfl at gmail.com wrote:
>> >Is it possible to set allow password to send to user after user request.
>> >
>> >I used one of the self password service pwm but it seem it is not
>> >compatible to retrieval of password
>> >using cert request / Answer and questions retrieval
>>
>> Passwords can't be sent to the user. You can, using an administrative
>> account, set a new password (i.e. do an admin reset) and send it to
>> the user, but then the user will be asked to change it on the first
>> authentication.
>
>Since I've heard the requirement for no password change forced on user
>upon their first login from multiple sides, I wonder if the current
>behaviour stems from some technical reason or if it's just a security
>approach which the FreeIPA admins should be able to override.
There is no such thing as 'just' when taking security seriously, sorry.

Any change of the password by someone other than the owner of it taints
the password. Administrator setting the password taints it because what
is known to more than one party cannot be considered secret anymore.

If certain organization policy needs to override this, a sequence like

$ kinit admin
$ echo "nimda$NEWPASSWORD" | ipa passwd user
$ echo -e "nimda$NEWPASSWORD\n$NEWPASSWORD\n$NEWPASSWORD" | kpasswd user

would set $NEWPASSWORD for the user. You can certainly script it, but I'd
recommend thinking seriously about how well this goes with the data security
regulations an organization could be subject to.
-- 
/ Alexander Bokovoy
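Added example (not part of the thread, and not FreeIPA project code): a small POSIX sh script that wraps the admin-reset-then-kpasswd sequence quoted above. The difference from the one-liners is that the temporary password the admin sets is generated from /dev/urandom and held only in a shell variable for the life of the run, and the final password is read from stdin rather than placed on the command line, so neither appears in shell history or in `ps` output. It assumes `ipa passwd` and `kpasswd` consume the passwords from stdin exactly as in the quoted commands, and the admin principal name (`admin`) and minimum length (8) are assumed defaults, overridable through the environment.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the FreeIPA project.
# Flow: admin ticket -> admin sets a random temporary password for the user
# (the temporary password is "tainted": two parties now know it) -> kpasswd,
# authenticating as the user with that temporary password, replaces it at once
# with the final password, which clears the forced change on first login.
# Assumptions: ipa passwd reads the new password from stdin (one line) and
# kpasswd reads current password, new password, new password again.

ADMIN_PRINCIPAL=${ADMIN_PRINCIPAL:-admin}   # assumed default admin principal
MIN_PASSWORD_LEN=${MIN_PASSWORD_LEN:-8}     # assumed local minimum length

# 24 random bytes, base64-encoded (32 characters), no trailing newline.
gen_temp_password() {
    head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Cheap local sanity check before the directory is touched at all.
check_password_policy() {
    [ "${#1}" -ge "$MIN_PASSWORD_LEN" ]
}

# Usage: printf '%s\n' "$FINAL_PASSWORD" | reset_user_password USER
# Returns 0 on success, 1 if a directory operation failed, 2 on bad input.
reset_user_password() {
    user=$1
    [ -n "$user" ] || { echo "usage: reset_user_password USER" >&2; return 2; }
    IFS= read -r newpass || { echo "no password on stdin" >&2; return 2; }
    check_password_policy "$newpass" || {
        echo "final password shorter than $MIN_PASSWORD_LEN characters" >&2
        return 2
    }
    temp=$(gen_temp_password)

    kinit "$ADMIN_PRINCIPAL" || return 1
    # Admin reset: the account now carries the "must change" flag.
    printf '%s\n' "$temp" | ipa passwd "$user" >/dev/null || return 1
    # Change as the user: current (temporary) password, then the new one twice.
    printf '%s\n%s\n%s\n' "$temp" "$newpass" "$newpass" \
        | kpasswd "$user" >/dev/null || return 1

    # Discard both secrets from the environment; only the user knows the
    # final password from here on.
    unset temp newpass
    echo "password for $user reset; temporary password discarded" >&2
}

# Stand-alone usage: printf '%s\n' "$FINAL_PASSWORD" | ./reset.sh USER
if [ $# -gt 0 ]; then
    reset_user_password "$1"
fi
```

Note that `unset` only removes the values from this shell; an admin who ran the script still briefly held the temporary password, which is exactly the taint the message describes. Running this under an audited account and keeping the final password out of logs is the operational part no script can do for you.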