Thanks Michael,

> Note that password policy response controls can only be used when sssd actually tries to verify the user's password with a LDAP (simple)
> bind request. Obviously this won't work if you completely disabled password authc in sshd_config.

that is my fear. Since it sounds to me that sshd bypasses the user password verification when authenticating over an ssh key,
I'm curious to see whether those options will be relevant in my case. I'll let you know.

Best

---
Olivier



2015-04-15 14:07 GMT+02:00 Michael Ströder <michael@stroeder.com>:
Olivier wrote:
My current policy is the following:

- All my users must have a password in ldap (that is used by
  applications other than ssh)

- not all my users may have an ssh key (some never use ssh)

Everything works as I want.

I realize that with my tuning ssh behaves as follows:

* if the user has no key in ldap then ssh asks for a login password

* if the user has a correct key in ldap then ssh grants access and
    doesn't ask for any login/password

* if the user has an incorrect key in ldap then ssh switches to the
    login/password authentication process.

That means that if a bad sshkey is returned by
"sss_ssh_authorizedkeys", then ppolicy will be checked and
updated if necessary through the "login / password" process.

Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
could simply refuse to return the key in case of a "ppolicy issue".

Note that password policy response controls can only be used when sssd actually tries to verify the user's password with a LDAP (simple) bind request. Obviously this won't work if you completely disabled password authc in sshd_config.

sss_ssh_authorizedkeys could check whether the password is expired by looking at the attribute 'pwdChangedTime' (provided it's at least searchable for sssd) and generate a filter with the correct expiration time, similar to the one in [1].

Another approach would be to configure the LDAP server to make the user entry, or at least the SSH key attribute, invisible with ACL/ACI and a status flag. With this approach you can run a CRON job on the LDAP server setting the status flag, and you don't have to implement the solution on all clients.

Ciao, Michael.

[1] http://ltb-project.org/wiki/documentation/ldap-scripts/checkldappwdexpiration


_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
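A sketch of the pwdChangedTime check Michael describes above, added here as an illustration; it is not sssd's code and not the LTB script in [1]. The pwdMaxAge of 90 days, the fixed clock, the use of `uid` as the naming attribute and the directory entries are all assumptions made for the example.

```python
"""Release SSH keys from an LDAP entry only while the ppolicy password is
unexpired, derived from pwdChangedTime (constructed example, not sssd code)."""
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime as ppolicy stores it
PWD_MAX_AGE = 90 * 24 * 3600           # assumed pwdMaxAge of 90 days, in seconds
NOW = datetime(2015, 4, 15, 12, 7, tzinfo=timezone.utc)  # fixed clock for the demo


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a caller-supplied uid cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in '*()\\\x00' else c for c in value)


def not_expired_filter(uid: str, pwd_max_age: int, now: datetime) -> str:
    """Search filter matching `uid` only while pwdChangedTime is within
    pwd_max_age seconds of `now`. An entry with no pwdChangedTime never
    matches, so the filter fails closed for such accounts."""
    threshold = (now - timedelta(seconds=pwd_max_age)).strftime(GENERALIZED_TIME)
    return f"(&(uid={escape_filter_value(uid)})(pwdChangedTime>={threshold}))"


def password_expired(entry: dict, pwd_max_age: int, now: datetime) -> bool:
    """Same rule applied client-side to an already-fetched entry."""
    changed = entry.get("pwdChangedTime")
    if not changed:
        return True  # mirror the filter: no pwdChangedTime -> no key released
    changed_at = datetime.strptime(changed, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    return changed_at + timedelta(seconds=pwd_max_age) <= now


def authorized_keys(entry: dict, pwd_max_age: int, now: datetime) -> list:
    """sshPublicKey values to hand to sshd, or [] when the password is expired."""
    if password_expired(entry, pwd_max_age, now):
        return []
    return list(entry.get("sshPublicKey", []))


# Constructed directory entries; the key material is a placeholder, not a real key.
ENTRIES = {
    "alice": {"pwdChangedTime": "20150301090000Z",
              "sshPublicKey": ["ssh-ed25519 AAAA-PLACEHOLDER-ALICE alice"]},
    "bob":   {"pwdChangedTime": "20141201090000Z",   # 90 days ran out on 1 March
              "sshPublicKey": ["ssh-ed25519 AAAA-PLACEHOLDER-BOB bob"]},
    "carol": {"sshPublicKey": ["ssh-ed25519 AAAA-PLACEHOLDER-CAROL carol"]},
}

if __name__ == "__main__":
    print(not_expired_filter("olivier", PWD_MAX_AGE, NOW))
    for uid, entry in ENTRIES.items():
        print(uid, authorized_keys(entry, PWD_MAX_AGE, NOW))
```

Running the filter server-side keeps the decision with the directory, as Michael notes; the client-side check is the same rule for an entry that was already fetched.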