Hi Rob,
sorry for being vague. I intend to force-logout or otherwise disable the
account of a user who is logged in either directly to a node (e.g. via a
terminal login or SSH) or to an application running on one of the IPA
nodes.
The way I understand FreeIPA, valid users get a Kerberos TGT upon login
that gives them access to services in the infrastructure. I want those
users to be immediately logged out or otherwise blocked upon some
conditions being met.
SSH access would be carried out via GSSAPI, so as to integrate it with
Kerberos.
Yours,
GM
On Wed, Aug 11, 2021 at 9:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Gerhard Kremer via FreeIPA-users wrote:
> Greetings all,
>
> is it possible to force-logout a user? I was thinking of implementing a
> continuously-running process that, when some conditions are met, e.g.
> revokes a user's Kerberos TGT and effectively destroys their session(s).
> Would this affect the credentials cache? If not, what is the best way of
> removing those as well?
Process running where? The TGT will be valid through its issuance time.
There are ccache types you wouldn't be able to clear (MEMORY, for example).
Force logout a user from what? The WebUI? A ssh login?
What about a ssh login using ssh keys?
> Failing that, I'd like to disable the account with ipa user-disable --
> does disabling immediately block an already-logged-in user?
No. It is only checked during authentication.
> My aim is to immediately prevent users meeting certain conditions from
> carrying out any further actions. Any suggestions or caveats on the
> best way to accomplish this would be appreciated.
I'm not aware of a way to do this.
rob
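For reference, what the pieces discussed in this thread actually let you do on a single IPA-enrolled node, written up as an added example (not something from the thread or from FreeIPA itself): disable the account, destroy the credential caches that can be reached, end the user's sessions and kill what is left. It deliberately does not claim to revoke the TGT, which stays valid at the KDC until it expires, and it cannot reach a MEMORY: ccache other than by killing the process that holds it. It assumes systemd-logind (`loginctl`), util-linux `runuser`, MIT `kdestroy`, the default sssd ccache layout, and a root shell that already holds an admin ticket for `ipa user-disable`; the fallback UID 10001 used in dry-run mode is constructed so the plan can be reviewed on a machine where the user does not exist.

```shell
#!/bin/sh
# Added example, not from the thread: best-effort local "force logout" of one
# user on one IPA-enrolled node. Assumptions (none are stated in the thread):
# systemd-logind, util-linux runuser, krb5 kdestroy, the default sssd ccache
# setup, and a root shell holding an admin ticket for "ipa user-disable".
set -u

DRY_RUN=${DRY_RUN:-1}   # 1 = print the plan only (default), 0 = execute it

# Run a command, or just print it in dry-run mode.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject names that could smuggle shell metacharacters into the commands below.
valid_user() {
  case $1 in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Numeric UID of the user. In dry-run mode fall back to a constructed UID
# (10001) so the plan can be reviewed where the user does not exist.
uid_of() {
  if id -u "$1" 2>/dev/null; then return 0; fi
  [ "$DRY_RUN" = 1 ] || return 1
  echo 10001
}

force_logout() {
  user=$1
  valid_user "$user" || { echo "refusing unsafe user name" >&2; return 1; }
  uid=$(uid_of "$user") || { echo "no such user: $user" >&2; return 1; }
  [ "$uid" -ne 0 ] || { echo "refusing to act on uid 0" >&2; return 1; }

  # 1. Disable first so a fresh login is refused once the sessions are gone.
  #    This is only checked at authentication time; running sessions continue.
  run ipa user-disable "$user"
  # 2. Destroy every cache in the user's collection (FILE:, DIR:, KEYRING:).
  #    Cannot reach a MEMORY: cache inside a running process, and does not
  #    invalidate the TGT at the KDC, which stays usable until it expires.
  run runuser -u "$user" -- kdestroy -A
  # 3. End interactive sessions tracked by logind (tty, SSH incl. GSSAPI).
  run loginctl terminate-user "$user"
  # 4. Kill whatever is left (nohup'd jobs, application workers running as
  #    the user) so any MEMORY: caches die with their processes.
  run pkill -KILL -u "$user"
  # 5. Sweep stray FILE: caches that step 2 could not see (e.g. a custom
  #    KRB5CCNAME), using the UID-based names the default profile produces.
  run rm -f "/tmp/krb5cc_${uid}" "/tmp/krb5cc_${uid}_"*
}

# Usage: DRY_RUN=0 ./force_logout_node.sh alice   (as root, with an admin ticket)
if [ "${1:-}" != "" ]; then
  force_logout "$1"
fi
```

Run it once with the default DRY_RUN=1 to see the exact commands before executing anything. Note the remaining gap, which is the point Rob makes above: a copy of the TGT that has already left this node (another host, a MEMORY: cache, an application that stored it) keeps working until expiry, so the only lever on that window is a shorter maximum ticket life in the realm's Kerberos policy (`ipa krbtpolicy-mod --maxlife=...`), traded against more frequent renewals.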