[12:16:10] <cdanis>	 jbond42: thanks for sharing, nice writeup :)
[12:17:16] <jbond42>	 thanks :)
[12:52:17] <apergos>	 oh puppet.
[12:52:22] <apergos>	 why do you do us wrong like that
[12:52:29] * apergos is reading the pki writeup
[12:56:41] <elukey>	 cdanis: o/ - did you need me for kerberos yesterday?
[12:57:29] <cdanis>	 elukey: ah just was wondering if the temporary passwords sent by your manage_principals script had any expiry
[12:57:34] <cdanis>	 but it looks like not?
[12:57:53] <elukey>	 they do, I think we put something like 1s
[12:58:06] <cdanis>	 1s from first use?
[12:58:07] <elukey>	 so the user needs to change the pass when doing kinit
[12:58:49] <elukey>	 no the pass is basically expired right after it is issued, so the user if forced to change it via kinit upon first login
[12:58:55] <cdanis>	 oh okay
[12:58:59] <cdanis>	 got it
[12:59:15] <cdanis>	 expired but still works :)
[12:59:37] <elukey>	 yes yes sorry, basically kinit asks for it before allowing you to input the new one
[12:59:40] <elukey>	 :)
[13:03:56] <moritzm>	 the temp passwords set a kerberos flags (+needschange or so) which immediately forces to pick the actual one, you can't use the temp password for anything else than logging into the password change procedure
[13:05:01] <cdanis>	 yeah I was worried from the phrasing of some of the description that it required the user to handle the password change synchronously
[13:05:16] <cdanis>	 but, very glad to be mistaken