Hi all,
We have noticed some behaviour that we are trying to work out if it is
expected or not (or if this is an SSSD thing). We have a pair of FreeIPA
replicas running on CentOS 7 (v4.5.x), with various CentOS 7 clients.
Most clients aren't actually enrolled in FreeIPA, but are configured with:
id_provider = ldap
auth_provider = krb5
Authentication works as expected, plus password changes etc. However, if
a user has added a public key to authorized_keys, the status of the
password is not considered and at no point is a user prompted to change
their password. More importantly, if a user is disabled in FreeIPA, they
are still permitted to log in using their SSH key.
I have checked the behaviour on a client that is enrolled, and it is better
(disabling a user does prevent access), but it still does not give any
indication about failed passwords.
Under most circumstances this wouldn't be too much of an issue, but we make
use of one application for remote access that does not know what to do with
an expired password, and instead just presents 'authentication failed'.
Any suggestions?
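The behaviour in the post follows from how sshd treats public-key logins: the key check replaces the PAM "auth" phase, so pam_sss is never asked to authenticate and nothing in the auth_provider path runs. What sshd does still run (when UsePAM is enabled) is the PAM "account" phase, and that is where SSSD's access_provider is consulted. An enrolled client gets access_provider = ipa from ipa-client-install, which is why disabling the account works there; a client with only id_provider/auth_provider has no access provider at all, so every account is treated as permitted. The fragment below is an added example, not configuration from the original post or from the FreeIPA project; the domain name and realm are placeholders, and it uses the ldap access provider rather than ipa because the client is not enrolled.

```ini
# Added example (not from the original post). sssd.conf for a client that is
# NOT enrolled in FreeIPA but resolves users via LDAP and authenticates via
# Kerberos, extended with an access provider so that the PAM "account" phase
# (which sshd runs for key-based logins as well) denies disabled accounts.
# example.com / EXAMPLE.COM and the server names are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ipa1.example.com, ldaps://ipa2.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = ipa1.example.com, ipa2.example.com

# Without an access_provider, pam_sss account returns success for everyone
# and an SSH key bypasses every check the directory could have applied.
access_provider = ldap
# "ipa" makes the expire check read nsAccountLock, the attribute FreeIPA
# sets when an account is disabled.
ldap_account_expire_policy = ipa
ldap_access_order = expire
```

Two things worth checking on the client after reloading: sshd_config must contain UsePAM yes (otherwise sshd skips the PAM account phase entirely and no SSSD setting can help), and /etc/pam.d/password-auth or system-auth must have a pam_sss.so line in the account stack. Clear the cache (sss_cache -E) and restart sssd before testing, then attempt a key-based login as a disabled user; the expected result is a refused connection with a pam_sss account-phase denial in the secure log. Note that this only addresses the disabled-account case; whether an expired password is reported or renewed on a key-based login is a separate question that depends on the account phase returning a password-change requirement, so verify that against a test account rather than assuming this fragment covers it.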