Hi all,

We have noticed some behaviour that we are trying to work out if it is expected or not (or if this is an SSSD thing). We have a pair of FreeIPA replicas running on CentOS 7 (v4.5.x), with various CentOS 7 clients. Most clients aren't actually enrolled in FreeIPA, but are configured with:

id_provider = ldap
auth_provider = krb5

Authentication works as expected, plus password changes etc. However, if a user has added a public key to authorized_keys, the status of the password is not considered and at no point is a user prompted to change their password. More importantly, if a user is disabled in FreeIPA, they are still permitted to log in using their SSH key.

I have checked the behaviour on a client that is enrolled, and it is better (disabling a user does prevent access), but it still does not give any indication about failed passwords.

Under most circumstances this wouldn't be too much of an issue, but we make use of one application for remote access that does not know what to do with an expired password, and instead just presents 'authentication failed'.

Any suggestions?
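For readers hitting the same thing, here is an added illustration (not from the poster's own configuration) of why the non-enrolled setup above lets a disabled user in over SSH keys, and the sssd.conf change that makes SSSD enforce FreeIPA's lock state. The realm EXAMPLE.COM, server ipa.example.com, base DN and CA path are placeholders; the two [domain] sections are alternatives, not meant to coexist in one file.

```ini
# Added example, not from the original post. Placeholders: EXAMPLE.COM,
# ipa.example.com, dc=example,dc=com, /etc/pki/ipa-ca.crt.

# --- As described in the post: id/auth only, no access_provider ----------
# With no access_provider SSSD defaults to "permit", so the PAM account
# phase (which sshd still runs for public-key logins as long as UsePAM is
# yes) never asks FreeIPA whether the account is locked. A disabled user
# with a key in authorized_keys therefore still gets a shell.
[domain/example.com]
id_provider      = ldap
auth_provider    = krb5
ldap_uri         = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert  = /etc/pki/ipa-ca.crt
krb5_server      = ipa.example.com
krb5_realm       = EXAMPLE.COM

# --- Hardened: make the account phase honour "ipa user-disable" ----------
[domain/example.com]
id_provider      = ldap
auth_provider    = krb5
ldap_uri         = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert  = /etc/pki/ipa-ca.crt
krb5_server      = ipa.example.com
krb5_realm       = EXAMPLE.COM
# Use the LDAP access provider, run its "expire" check (the default order
# is "filter", which only applies ldap_access_filter), and select the IPA
# policy so the check reads nsAccountLock, the attribute FreeIPA sets when
# a user is disabled. Disabled users are then rejected by pam_sss in the
# account phase regardless of how they authenticated.
access_provider            = ldap
ldap_access_order          = expire
ldap_account_expire_policy = ipa
# Assumption to verify on your directory: the identity SSSD binds with
# (often anonymous on non-enrolled clients) must be permitted to read
# nsAccountLock, otherwise the check has nothing to evaluate.
```

This closes the disabled-user gap only; it does not make an expired Kerberos password block or warn a key-based login, which is a separate matter. After restarting sssd, `sssctl user-checks <user> -a acct -s sshd` on the client shows whether the account phase now denies a user you have disabled in FreeIPA.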