[Freeipa-users] Re: SSH Key auth with expired Kerberos password

Hi all, We have noticed some behaviour that we are trying to work out if it is expected or not (or if this is an SSSD thing).   We have a pair of FreeIPA replicas running on CentOS 7 (v4.5.x), with various CentOS 7 clients.   Most clients aren't actually enrolled in FreeIPA, but are configured with: id_provider = ldap auth_provider = krb5 Authentication works as expected, plus password changes etc.   However, if a user has added a public key to authorized_keys, the status of the password is not considered and at no point is a user prompted to change their password.   More importantly, if a user is disabled in FreeIPA, they are still permitted to login using their SSH key. I have checked the behaviour on a client that is enrolled, and it is better (disabling a user does prevent access), but it still does not give any indication about failed passwords. Under most circumstances this wouldn't be too much of an issue, but we make use of one application for remote access that does not know what to do with an expired password, and instead just presents 'authentication failed'. Any suggestions? _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahoste d.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelin es List Archives: https://lists.fedorahosted.org/archives/list/freeipa-u sers(a)lists.fedorahosted.org