Jim Kinney via FreeIPA-users wrote:
It seems if valid ssh keys exist, the expired account status doesn't block login with ssh keys. Any operation that touches a password is blocking. Is there a pam setting in sshd that needs tweaking to deny access if account is expired?
You may want to cross post this on sssd-users.
rob
On 6/2/22 13:36, Jim Kinney wrote:
It seems if valid ssh keys exist, the expired account status doesn't block login with ssh keys.
I believe that's because *users* don't expire. *Passwords* do. If you aren't authenticating with passwords, then password expiration doesn't affect the account.
This is one of the reasons that users should consider using Kerberos, or SSH certificate systems, rather than SSH keys.
I have set krbPrincipalExpiration but it's not referenced as far as I can tell. That setting will block use of a password which is why I was thinking a pam setting change for sshd would pull it in. But password in pam uses the same pam functions as sshd. Is there a sssd.conf setting to also be consulted with sshd?
On June 2, 2022 4:54:11 PM EDT, Gordon Messmer gordon.messmer@gmail.com wrote:
On 6/2/22 13:36, Jim Kinney wrote:
It seems if valid ssh keys exist, the expired account status doesn't block login with ssh keys.
I believe that's because *users* don't expire. *Passwords* do. If you aren't authenticating with passwords, then password expiration doesn't affect the account.
This is one of the reasons that users should consider using Kerberos, or SSH certificate systems, rather than SSH keys.
https://smallstep.com/blog/use-ssh-certificates/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote:
I have set krbPrincipalExpiration but it's not referenced as far as I can tell. That setting will block use of a password which is why I was thinking a pam setting change for sshd would pull it in. But password in pam uses the same pam functions as sshd. Is there a sssd.conf setting to also be consulted with sshd?
Hi,
In general SSSD can handle this case with 'access_provider = ldap' and pwd_expire_policy_reject, pwd_expire_policy_warn or pwd_expire_policy_renew in 'ldap_access_order', see man sssd-ldap for details.
Unfortunately this removes the HBAC features of 'access_provider = ipa'. We are currently working on making the ldap features available in ipa as well, see https://github.com/SSSD/sssd/issues/5080 and the related pull-request.
HTH
bye, Sumit
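As an added example (not from the thread, and not SSSD project code), this is the sssd.conf change Sumit describes, shown next to the IPA-client default it replaces. The domain and server names and the ldap_pwd_policy value are assumptions; the man page sssd-ldap is the reference for each option.

```ini
# Added example, not from the thread. Domain/server names and the
# ldap_pwd_policy value are assumptions used only for illustration.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test

# Default on an IPA client: HBAC rules are enforced, but an SSH public-key
# login never enters the PAM password stack, so an expired password (or an
# expired principal) does not stop the login, which is the symptom in the thread.
#access_provider = ipa

# Sumit's alternative: the LDAP access provider evaluates the password
# expiry policy during the account check, so it applies to key-based SSH
# logins too. Caveat from the thread: HBAC rules are NOT evaluated with this
# provider, so the host-based access control of 'access_provider = ipa' is lost.
access_provider = ldap
# pwd_expire_policy_reject denies the login outright; pwd_expire_policy_warn
# only warns; pwd_expire_policy_renew forces a change (see man sssd-ldap).
ldap_access_order = pwd_expire_policy_reject
# Assumed: IPA stores Kerberos-style password policy attributes in LDAP,
# which is what the mit_kerberos policy reads to decide expiry.
ldap_pwd_policy = mit_kerberos
```

After changing the file, restart sssd and clear its cache so the new access provider is used on the next SSH login; verify with a key-only login as a user whose password has expired.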