Univention Bugzilla – Bug 56358
Automatic server password change: Disable it by default
Last modified: 2023-07-28 13:05:15 CEST
The machine password of each UCS system is rotated every 21 days (ucr get server/password/interval). This causes problems in some cases. We may want to disable it - by default. Add a new variable, server/password/rotation, and put it to false by default. Our tests enforce one server password change, so we should be safe to catch problems caused by systems that have it enabled.
We would need to document this variable and also state that features like ppolicy should be disabled in this case.
(In reply to Dirk Wiesenthal from comment #0)
> This causes problems in some cases. We may want to disable it - by default.

Please be more specific: in *which* cases exactly.

> Add a new variable, server/password/rotation, and put it to false by default.

base/univention-server/server_password_change:124ff
124 is_ucr_true server/password/change
125 if [ $? = 1 ]; then
126     echowithtimestamp "Server password change is disabled by the UCR variable server/password/change" >&3
127     exit 0
128 fi

Disabling rotation by default is an anti-security feature: without a regular password change the /etc/machine.secret becomes an eternal security risk as it will be valid infinitely. We already have that issue with ldap.secret, see Bug #47455.
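
An added example, not part of the bug thread or of Univention's code: a small audit that flags a machine secret older than the rotation interval, which is the condition the last comment warns about when rotation is off. The function names are hypothetical, and it assumes the file's mtime reflects the last password change and that GNU `stat` is available.

```shell
#!/bin/sh
# Added example (not UCS code): detect a machine secret that has outlived
# the configured rotation interval.
# Assumption: the secret file is rewritten on every password change, so its
# mtime is the time of the last rotation.

# secret_age_days FILE [NOW_EPOCH] -> prints the file's age in whole days
secret_age_days() {
    sad_now=${2:-$(date +%s)}
    sad_mtime=$(stat -c %Y "$1") || return 2
    echo $(( (sad_now - sad_mtime) / 86400 ))
}

# secret_is_stale FILE INTERVAL_DAYS [NOW_EPOCH]
# returns 0 if older than the interval, 1 if not, 2 on bad input
secret_is_stale() {
    case $2 in
        ''|*[!0-9]*) echo "invalid interval: '$2'" >&2; return 2 ;;
    esac
    [ -e "$1" ] || { echo "no such file: $1" >&2; return 2; }
    sis_age=$(secret_age_days "$1" "${3:-$(date +%s)}") || return 2
    [ "$sis_age" -gt "$2" ]
}

# Local report; runs only where the ucr CLI exists (i.e. on a UCS system).
if command -v ucr >/dev/null 2>&1; then
    days=$(ucr get server/password/interval)
    days=${days:-21}   # 21 days is the interval stated in the bug report
    echo "server/password/change=$(ucr get server/password/change)"
    if secret_is_stale /etc/machine.secret "$days"; then
        echo "WARNING: /etc/machine.secret is older than $days days"
    fi
fi
```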