On Thu, Jun 02, 2022 at 02:22:54PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Jim Kinney via FreeIPA-users wrote:
>> It seems if valid ssh keys exist, the expired account status doesn't
>> block login with ssh keys. Any operation that touches a password is
>> Is there a pam setting in sshd that needs tweaking to deny access if
>> account is expired?
> You may want to cross post this on sssd-users.
In general SSSD can handle this case with 'access_provider = ldap' and
pwd_expire_policy_reject, pwd_expire_policy_warn or
pwd_expire_policy_renew in 'ldap_access_order', see man sssd-ldap for
Unfortunately this removes the HBAC features of 'access_provider = ipa'.
We are currently working on making the ldap features available in ipa as
well, see https://github.com/SSSD/sssd/issues/5080
and the related
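As an added example (not from the thread and not the SSSD project's own documentation), this is the sssd.conf shape the reply describes: an IPA client keeps id/auth/chpass on the ipa provider and switches only the access provider to ldap so that pwd_expire_policy_reject is applied. The domain, server, search base and CA path are placeholders; the ldap_* connection settings and ldap_pwd_policy = mit_kerberos are my assumptions about what the standalone ldap access provider needs against an IPA directory, so verify them against man sssd-ldap for your version.

```ini
# /etc/sssd/sssd.conf (added example, not from the thread; all names are placeholders)
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
# Identity, authentication and password changes stay with the IPA provider.
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test

# Weak setting (the situation in the question): HBAC rules are enforced,
# but a key-based SSH login never touches the password, so the expired
# status is not checked and the login succeeds.
#access_provider = ipa

# Setting suggested in the reply: the ldap access provider rejects logins
# for users whose password has expired, SSH key or not.
# Caveat from the reply: this drops the HBAC features of access_provider = ipa.
access_provider = ldap
ldap_access_order = pwd_expire_policy_reject

# Assumption: the ldap access provider runs independently of the ipa
# provider and needs its own connection settings plus a password-policy
# type. IPA stores expiry in krbPasswordExpiration, hence mit_kerberos
# (assumed; check man sssd-ldap for ldap_pwd_policy values).
ldap_pwd_policy = mit_kerberos
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test
ldap_sasl_mech = GSSAPI
ldap_tls_cacert = /etc/ipa/ca.crt
```

After restarting sssd, test with an SSH key login for an account whose password has expired: the denial should come from the PAM account stage rather than sshd, and the domain log (with debug_level raised) shows the access check. Swap in pwd_expire_policy_warn or pwd_expire_policy_renew for the other two behaviours the reply lists.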
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure