I have set krbPrincipalExpiration but it's not referenced as far as I can tell. That setting will block use of a password, which is why I was thinking a PAM setting change for sshd would pull it in. But password in PAM uses the same PAM functions as sshd. Is there an sssd.conf setting to also be consulted with sshd?

On June 2, 2022 4:54:11 PM EDT, Gordon Messmer <gordon.messmer@gmail.com> wrote:
On 6/2/22 13:36, Jim Kinney wrote:
It seems if valid ssh keys exist, the expired account status doesn't
block login with ssh keys.


I believe that's because *users* don't expire.  *Passwords* do. If you
aren't authenticating with passwords, then password expiration doesn't
affect the account.

This is one of the reasons that users should consider using Kerberos, or
SSH certificate systems, rather than SSH keys.

https://smallstep.com/blog/use-ssh-certificates/

--
Computers amplify human error
Super computers are really cool