It seems that if valid SSH keys exist, the expired account status doesn't block login with SSH keys. Any operation that touches a password is blocked. Is there a PAM setting in sshd that needs tweaking to deny access if the account is expired?
Jim Kinney via FreeIPA-users wrote:
It seems that if valid SSH keys exist, the expired account status doesn't block login with SSH keys. Any operation that touches a password is blocked. Is there a PAM setting in sshd that needs tweaking to deny access if the account is expired?
You may want to cross post this on sssd-users.
rob
On Thu, Jun 02, 2022 at 02:22:54PM -0400, Rob Crittenden via FreeIPA-users wrote:
Jim Kinney via FreeIPA-users wrote:
It seems that if valid SSH keys exist, the expired account status doesn't block login with SSH keys. Any operation that touches a password is blocked. Is there a PAM setting in sshd that needs tweaking to deny access if the account is expired?
You may want to cross post this on sssd-users.
Hi,
In general, SSSD can handle this case with 'access_provider = ldap' and pwd_expire_policy_reject, pwd_expire_policy_warn or pwd_expire_policy_renew in 'ldap_access_order'; see man sssd-ldap for details.
Unfortunately this removes the HBAC features of 'access_provider = ipa'. We are currently working on making the ldap features available in ipa as well; see https://github.com/SSSD/sssd/issues/5080 and the related pull request.
HTH
bye, Sumit
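An added sssd.conf fragment (not from the thread or the SSSD project) showing the default IPA client setting beside the LDAP access-provider variant Sumit describes; the domain name and server are placeholders, and reuse of the ipa provider's LDAP connection by the ldap access provider is an assumption.

```ini
# Added example, not from the thread. "example.test" and the server name
# are placeholders. The two [domain/...] blocks are alternatives for the
# same domain, not meant to coexist in one file.

# Variant A: stock IPA client. HBAC rules are enforced, but a pubkey SSH
# login never touches the password, so account/password expiry is not
# checked and the login described in the question succeeds.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_server = ipa.example.test

# Variant B: the workaround from the reply. The access decision moves to
# the ldap provider, which evaluates password expiry in the PAM account
# phase (pam_sss). sshd runs that phase for key-based logins too, as long
# as "UsePAM yes" is set in sshd_config.
# Trade-off: HBAC evaluation by the ipa access provider is lost.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.example.test
access_provider = ldap
# Assumption: with id_provider = ipa, the ldap access provider reuses the
# ipa provider's LDAP connection, so no separate ldap_uri is needed.
# mit_kerberos makes SSSD read IPA's krbPasswordExpiration attribute.
ldap_pwd_policy = mit_kerberos
# reject = deny expired accounts; warn/renew are the softer alternatives
# named in the reply, see man sssd-ldap.
ldap_access_order = pwd_expire_policy_reject
```

After changing the provider, clear the SSSD cache and restart sssd, then confirm with a key-based login as an expired test user that the PAM account check now denies access.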
rob