Make PAM auth TTL customisable

[sellth]

As I understand the current implementation, time-to-live for PAM auth tokens is hardcoded to 60. As we require longer lasting sessions for our use cases, it would be great if users could set TTL to a custom value within the constraints of the server's pam_password_max_time setting. The iinit command already implements this via the --ttl flag (https://docs.irods.org/4.3.1/icommands/user/#iinit).

For reference:

python-irodsclient/irods/connection.py

Lines 438 to 448 in 96d2cd2

	def _login_pam(self):
	time_to_live_in_seconds = 60
	pam_password = PAM_PW_ESC_PATTERN.sub(lambda m: '\\'+m.group(1), self.account.password)
	ctx_user = '%s=%s' % (AUTH_USER_KEY, self.account.client_user)
	ctx_pwd = '%s=%s' % (AUTH_PWD_KEY, pam_password)
	ctx_ttl = '%s=%s' % (AUTH_TTL_KEY, str(time_to_live_in_seconds))
	ctx = ";".join([ctx_user, ctx_pwd, ctx_ttl])

On a side note, I'm pretty sure that the default value of 60 is actually in hours and not seconds. So the variable is named wrongly in the code snippet above.

Reference of the server-side code: https://github.com/irods/irods/blob/aff93a3fbe417c8ec2e9d834b5eb2d6b2ae31083/lib/core/src/clientLogin.cpp#L237-L239

[d-w-moore]

I am not at all sure why the above code sends an AUTH_TTL_KEY value. _login_pam is the function executed at the time of login, rather than the setting of such parameters as time-to-live as is done by iinit. In fact, the python-irodsclient does not innately contain any code that is the equivalent of iinit's function.
On a little different subject - since @sellth mentions iRODS 4.3.1 in the issue description - I'd like acknowledge another ongoing issue: the need to teach the client to go through the new (4.3.0+) auth-framework's pam_password implementation rather than going through the legacy auth.

[sellth]

I am not at all sure why the above code sends an AUTH_TTL_KEY value. _login_pam is the function executed at the time of login, rather than the setting of such parameters as time-to-live as is done by iinit. In fact, the python-irodsclient does not innately contain any code that is the equivalent of iinit's function.

It should define the TTL of pam_pw_negotiated which when saved "obfuscated" in the right place does provide iinit functionality.

python-irodsclient/irods/session.py

Lines 316 to 323 in 96d2cd2

	@property
	def pam_pw_negotiated(self):
	self.pool.account.store_pw = []
	conn = self.pool.get_connection()
	pw = getattr(self.pool.account,'store_pw',[])
	delattr( self.pool.account, 'store_pw')
	conn.release()
	return pw

[d-w-moore]

Ah, ok. I see it now. Thanks @sellth !

[alanking]

@d-w-moore - Please close if complete.