Am Thu, Jun 02, 2022 at 05:17:12PM -0400 schrieb Jim Kinney:
I have set krbPrincipalExpiration but it's not referenced as far
as I can tell. That setting will block use of a password which is why I was thinking a pam
setting change for sshd would pull it in. But password in pam uses the same pam functions
as sshd. Is there a sssd.conf setting to also be consulted with sshd?
in general SSSD can handle this case with 'access_provider = ldap' and
pwd_expire_policy_reject, pwd_expire_policy_warn or
pwd_expire_policy_renew in 'ldap_access_order', see man sssd-ldap for
Unfortunately this removes the HBAC features of 'access_provider = ipa'.
We are currently working on making the ldap features available in ipa as
well, see https://github.com/SSSD/sssd/issues/5080
and the related
On June 2, 2022 4:54:11 PM EDT, Gordon Messmer <gordon.messmer(a)gmail.com> wrote:
>On 6/2/22 13:36, Jim Kinney wrote:
>> It seems if valid ssh keys exist, the expired account status doesn't
>> block login with ssh keys.
>I believe that's because *users* don't expire. *Passwords* do. If you
>aren't authenticating with passwords, then password expiration doesn't
>affect the account.
>This is one of the reasons that users should consider using Kerberos,
>SSH certificate systems, rather than SSH keys.
>sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>Fedora Code of Conduct:
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>Do not reply to spam on the list, report it:
Computers amplify human error
Super computers are really cool
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure