Gerhard Kremer via FreeIPA-users wrote:
> Greetings all,
> is it possible to force-logout a user? I was thinking of implementing a
> continuously-running process that, when some conditions are met, e.g.
> revokes a user's Kerberos TGT and effectively destroys their session(s).
> Would this affect the credentials cache? If not, what is the best way of
> removing those as well?

Process running where? The TGT will be valid through its issuance time.
There are ccache types you wouldn't be able to clear (MEMORY, for example).

Force logout a user from what? The WebUI? A ssh login?
What about a ssh login using ssh keys?

> Failing that, I'd like to disable the account with ipa user-disable --
> does disabling immediately block an already-logged user?

No. It is only checked during authentication.

> My aim is to immediately prevent users meeting certain conditions from
> carrying out any further actions. Any suggestions or caveats on the
> best way to accomplish this would be appreciated.

I'm not aware of a way to do this.

rob