Olivier wrote:
> My current policy is the following:
>
> - All my users must have a password in ldap (that is used by
> applications other than ssh)
>
> - not all my users may have an ssh key (some never use ssh)
>
> Everything works as I want.
> I realize that with my tuning ssh behaves as follows:
> * if the user has no key in ldap then ssh asks for a login password
> * if the user has a correct key in ldap then ssh grants access and
> doesn't ask for any login/password
> * if the user has an incorrect key in ldap then ssh switches to the
> login/password authentication process.
> That means that if a bad sshkey is returned by
> "sss_ssh_authorizedkeys", then ppolicy will be checked and
> updated if necessary through the "login / password" process.
> Maybe that could help: with a given flag "sss_ssh_authorizedkeys"
> could simply refuse to return the key in case of a "ppolicy issue".
Note that password policy response controls can only be used when sssd
actually tries to verify the user's password with an LDAP (simple) bind
request. Obviously this won't work if you completely disabled password authc
in sshd_config.
sss_ssh_authorizedkeys could check whether the password is expired by looking
at attribute 'pwdChangedTime' (provided it's at least searchable for sssd) and
generate a filter with the correct expiration time, similar to the one in [1].
Another approach would be to configure the LDAP server to make user entry or
at least the SSH key attribute invisible with ACL/ACI and a status flag. With
this approach you can run a CRON job at the LDAP server setting the status
flag and you don't have to implement the solution on all clients.
Ciao, Michael.
[1] http://ltb-project.org/wiki/documentation/ldap-scripts/checkldappwdexpira...
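Michael's suggestion of deriving an expiration filter from 'pwdChangedTime', written out as an added example (it is not code from this thread, from sssd or from the LTB script): it assumes the ppolicy pwdMaxAge value is known to the client and uses a constructed "now" so the result is reproducible.

```python
"""Build the LDAP filter sss_ssh_authorizedkeys could use so that an SSH key
is only returned for users whose ppolicy password has not exceeded pwdMaxAge."""
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as stored in pwdChangedTime (UTC, 'Z' suffix).
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed sample values: a 90-day pwdMaxAge and a fixed "current" time.
SAMPLE_MAX_AGE = 90 * 24 * 3600
SAMPLE_NOW = datetime(2024, 1, 10, 12, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime value, tolerating an optional fractional part."""
    base = value.split(".")[0].rstrip("Z") + "Z"
    return datetime.strptime(base, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiration_cutoff(pwd_max_age: int, now: datetime) -> datetime:
    """Passwords changed before this instant are older than pwdMaxAge seconds."""
    return now - timedelta(seconds=pwd_max_age)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a uid taken from input cannot reshape the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ssh_key_filter(uid: str, pwd_max_age: int, now: datetime) -> str:
    """Filter that matches the user only while the password is still valid.

    pwdChangedTime has an ordering matching rule, so '>=' is usable here.
    Caveat: entries with no pwdChangedTime at all (never changed since ppolicy
    was enabled) do not match; drop the last term if they must still get keys.
    """
    cutoff = expiration_cutoff(pwd_max_age, now).strftime(GENERALIZED_TIME)
    return (f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)})"
            f"(pwdChangedTime>={cutoff}))")


def password_expired(pwd_changed_time: str, pwd_max_age: int, now: datetime) -> bool:
    """Client-side equivalent of the filter for an entry already fetched."""
    return parse_generalized_time(pwd_changed_time) < expiration_cutoff(pwd_max_age, now)


if __name__ == "__main__":
    print(ssh_key_filter("alice", SAMPLE_MAX_AGE, SAMPLE_NOW))
```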