Jakub Hrozek wrote:
On Wed, Apr 15, 2015 at 02:35:08PM +0200, Olivier wrote:
> Thanks Michael,
>
>> Note that password policy response controls can only be used when sssd
>> actually tries to verify the user's password with a LDAP (simple)
>> bind request. Obviously this won't work if you completely disabled
>> password authc in sshd_config.
>
> that is my fear. Since it sounds to me that sshd bypasses the user password
> verification when authenticating over ssh key,
> I'm curious to see if those options will be relevant in my case. I'll let
> you know.

As Lukas said, SSSD also checks the password expiration during LDAP
access control.

I share Michael's sentiment about this being a bit of a misfeature,
since the password controls should only apply to password operations,
but many users requested this feature. It's not enabled by default btw.

Please don't get me wrong:
I don't regard this to be a mis-feature. Actually I disable SSH keys when
passwords are expired because it fits the expectation that people cannot log in
anymore at all.

But I'd rather solve this problem at the LDAP server side.

Ciao, Michael.