On Fri, Feb 23, 2024 at 12:06 PM John Doe <jdoe53851(a)gmail.com> wrote:
Hello
I'm wondering if there's any way to access the informational message about
password expiration given upon login when using cached credentials? When
having pam_verbosity = 2 in sssd.conf, the following informational message
is given:
"Authenticated with cached credentials, your cached password will expire
at Sat Apr 20 15:41:18 2024"
Now I know I can calculate the time for expiration myself by checking the
'offline_credentials_expiration' value in sssd.conf and add that to the
timestamp for cache entry last update time reported by 'sudo sssctl
user-show $USER' but both of these require root access. I need to get the
expiration timestamp as a regular user.
The reason for this is that we do have a large number of external
developers who are all given laptops with the company Linux image applied,
having them log in using their Active Directory credentials. They do have
VPN access, but due to the nature of the projects they're working on they seldom
need to be connected to our network :-(
I was thinking I could create a little script/application that notifies
them a few days ahead of password expiration to remind them to connect to
the VPN.
I was thinking of 'sss_cache' as that can run as a regular user but that
can't give me the timestamp :-(
Worst case, I can perhaps write something in Python, but that depends on
the availability of APIs and maybe that still will require root access.

Hi,
cache files (content of `/var/lib/sss/db/`) are typically owned either by
root:root or by sssd:sssd and aren't readable by others.
So it doesn't matter if it's a 3rd party script or an existing tool
(sssctl, sss_cache) - it will require privileges anyway (you can set
CAP_DAC_READ file capability on your executable, if you don't want to run
it under "full" root).