Olivier wrote:
My current policy is the following:
All my users must have a password in LDAP (that is used by applications other than ssh).
Not all my users may have an ssh key (some never use ssh).
Everything works as I want.
I realize that with my tuning ssh behaves as such:
if the user has no key in LDAP then ssh asks for a login password;
if the user has a correct key in LDAP then ssh grants access and doesn't ask for any login/password;
if the user has an incorrect key in LDAP then ssh switches to the login/password authentication process.
That means that if a bad sshkey is returned by "sss_ssh_authorizedkeys", then ppolicy will be checked and updated if necessary through the "login / password" process.
Maybe that could help: with a given flag, "sss_ssh_authorizedkeys" could simply refuse to return the key in case of a "ppolicy issue".
Note that password policy response controls can only be used when sssd actually tries to verify the user's password with an LDAP (simple) bind request. Obviously this won't work if you completely disabled password authc in sshd_config.
sss_ssh_authorizedkeys could check whether the password is expired by looking at the attribute 'pwdChangedTime' (provided it's at least searchable for sssd) and generate a filter with the correct expiration time, similar to the one in [1].
Another approach would be to configure the LDAP server to make the user entry, or at least the SSH key attribute, invisible with ACL/ACI and a status flag. With this approach you can run a CRON job on the LDAP server setting the status flag and you don't have to implement the solution on all clients.
Ciao, Michael.
[1] http://ltb-project.org/wiki/documentation/ldap-scripts/checkldappwdexpiratio...
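The client-side check Michael sketches (read pwdChangedTime, compare it against ppolicy's pwdMaxAge, and build the matching search filter) worked through as an added example; this is illustrative code, not part of sssd or sss_ssh_authorizedkeys, and the entries, the 90-day pwdMaxAge and the treatment of a missing pwdChangedTime as "not expired" are assumptions made here.

```python
"""Expiry check on ppolicy's pwdChangedTime plus the LDAP filter a client
could use to find expired accounts. Added illustration, not sssd code."""
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime as ppolicy writes it (UTC)


def parse_generalized_time(value):
    """Parse e.g. 20240301120000Z; fractional seconds are not handled."""
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def password_expired(pwd_changed_time, pwd_max_age, now):
    """pwd_max_age is pwdMaxAge in seconds; 0 means passwords never expire.
    A missing pwdChangedTime is treated as not expired (assumption here)."""
    if not pwd_max_age or pwd_changed_time is None:
        return False
    changed = parse_generalized_time(pwd_changed_time)
    return now >= changed + timedelta(seconds=pwd_max_age)


def expired_users_filter(pwd_max_age, now):
    """Select entries whose pwdChangedTime is at or before now - pwdMaxAge,
    i.e. whose password has already expired (uses the attribute's
    generalizedTimeOrderingMatch rule)."""
    cutoff = (now - timedelta(seconds=pwd_max_age)).strftime(GT_FORMAT)
    return "(&(objectClass=posixAccount)(pwdChangedTime<=%s))" % cutoff


def authorized_keys_for(entry, pwd_max_age, now):
    """Keys to hand to sshd, or an empty list when ppolicy says the password
    is expired, so sshd falls back to password auth and the ppolicy
    response controls get a chance to run on the bind."""
    if password_expired(entry.get("pwdChangedTime"), pwd_max_age, now):
        return []
    return list(entry.get("sshPublicKey", []))


# Constructed sample data, not taken from any real directory
NOW = datetime(2024, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
MAX_AGE = 90 * 24 * 3600  # assumed pwdMaxAge of 90 days
USERS = {
    "alice": {"pwdChangedTime": "20240301120000Z",
              "sshPublicKey": ["ssh-ed25519 AAAA...alice"]},
    "bob": {"pwdChangedTime": "20231101120000Z",
            "sshPublicKey": ["ssh-ed25519 AAAA...bob"]},
}

if __name__ == "__main__":
    for name, entry in USERS.items():
        print(name, authorized_keys_for(entry, MAX_AGE, NOW))
    print(expired_users_filter(MAX_AGE, NOW))
```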