My current policy is the following:
- All my users must have a password in ldap (that is used by
applications other than ssh)
- not all my users may have an ssh key (some never use ssh)
Everything works as I want.
I realize that with my tuning ssh behaves as such:
* if the user has no key in ldap then ssh asks for a login password
* if the user has a correct key in ldap then ssh grants access and
doesn't ask for any login/password
* if the user has an incorrect key in ldap then ssh switches to the
login/password authentication process.
That means that if a bad sshkey is returned by
"sss_ssh_authorizedkeys", then ppolicy will be checked and
updated if necessary through the "login / password" process.
Maybe that could help: with a given flag, "sss_ssh_authorizedkeys"
could simply refuse to return the key in case of a "ppolicy issue".
Note that password policy response controls can only be used when sssd actually tries to verify the user's password with an LDAP (simple) bind request. Obviously this won't work if you completely disabled password authc in sshd_config.
sss_ssh_authorizedkeys could check whether the password is expired by looking at the attribute 'pwdChangedTime' (provided it's at least searchable for sssd) and generate a filter with the correct expiration time, similar to the one in .
Another approach would be to configure the LDAP server to make the user entry, or at least the SSH key attribute, invisible with ACL/ACI and a status flag. With this approach you can run a CRON job on the LDAP server setting the status flag, and you don't have to implement the solution on all clients.
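The pwdChangedTime check suggested in the reply above, worked through as an added example that is not code from the sssd project or from anyone in this thread. It models an AuthorizedKeysCommand-style wrapper that withholds a user's keys once the password has aged past pwdMaxAge, and builds the LDAP filter such a wrapper would send. The directory content, the 90-day pwdMaxAge and the "current time" are constructed values so the script runs offline; a real wrapper would read the entry via an LDAP search and call sss_ssh_authorizedkeys for the key data.

```python
"""Refuse to hand out SSH keys for users whose LDAP ppolicy password has expired.

Example code, not part of sssd. The directory entries below are constructed
sample data standing in for an LDAP search result, and PWD_MAX_AGE is an
assumed pwdMaxAge value from the ppolicy entry.
"""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample entries: uid -> attributes as an LDAP search would return them.
SAMPLE_ENTRIES = {
    "alice": {"pwdChangedTime": "20240601120000Z",
              "sshPublicKey": ["ssh-ed25519 AAAAexampleAlice alice@example"]},
    "bob":   {"pwdChangedTime": "20230101000000Z",
              "sshPublicKey": ["ssh-ed25519 AAAAexampleBob bob@example"]},
    # carol has no pwdChangedTime at all (password never changed under ppolicy)
    "carol": {"sshPublicKey": ["ssh-ed25519 AAAAexampleCarol carol@example"]},
}

PWD_MAX_AGE = 90 * 24 * 3600            # assumed ppolicy pwdMaxAge: 90 days, in seconds
EXAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)   # constructed "current time"


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime in the usual YYYYMMDDHHMMSSZ form (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 so a uid cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expiry_filter(uid: str, now: datetime, max_age: int) -> str:
    """Build the search filter the reply suggests: match the user only if the
    password was changed after (now - pwdMaxAge). pwdChangedTime has an
    ordering matching rule, so '>=' is valid here. Entries with no
    pwdChangedTime will not match this filter at all."""
    threshold = (now - timedelta(seconds=max_age)).strftime("%Y%m%d%H%M%SZ")
    return "(&(uid=%s)(pwdChangedTime>=%s))" % (ldap_escape(uid), threshold)


def password_expired(entry: dict, now: datetime, max_age: int) -> bool:
    """Client-side version of the same check on an already fetched entry.
    A missing pwdChangedTime is treated as 'never expires', mirroring
    ppolicy's own behaviour for that attribute."""
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return False
    return now - parse_generalized_time(changed) >= timedelta(seconds=max_age)


def authorized_keys(uid: str, entries: dict, now: datetime, max_age: int) -> list:
    """Return the keys sshd may use, or an empty list so that sshd falls back
    to password authentication (where the ppolicy bind check then happens)."""
    entry = entries.get(uid)
    if entry is None or password_expired(entry, now, max_age):
        return []
    return list(entry.get("sshPublicKey", []))


if __name__ == "__main__":
    # Usage: python3 this_script.py <uid>   (same calling convention as an
    # AuthorizedKeysCommand: keys on stdout, nothing when access is refused)
    user = sys.argv[1] if len(sys.argv) > 1 else "alice"
    for key in authorized_keys(user, SAMPLE_ENTRIES, datetime.now(timezone.utc), PWD_MAX_AGE):
        print(key)
```

Returning no keys rather than an error keeps sshd's behaviour described earlier in the thread: the user lands in the password prompt, the simple bind runs, and the ppolicy response controls are evaluated and enforced there.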
sssd-users mailing list