On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote:
> I have set krbPrincipalExpiration but it's not referenced as far
> as I can tell. That setting will block use of a password, which is why I was thinking a PAM
> setting change for sshd would pull it in. But password in PAM uses the same PAM functions
> as sshd. Is there an sssd.conf setting to also be consulted with sshd?
Hi,
in general SSSD can handle this case with 'access_provider = ldap' and
pwd_expire_policy_reject, pwd_expire_policy_warn or
pwd_expire_policy_renew in 'ldap_access_order', see man sssd-ldap for
details.
Unfortunately this removes the HBAC features of 'access_provider = ipa'.
We are currently working on making the ldap features available in ipa as
well, see https://github.com/SSSD/sssd/issues/5080 and the related
pull request.
HTH
bye,
Sumit
> On June 2, 2022 4:54:11 PM EDT, Gordon Messmer <gordon.messmer(a)gmail.com> wrote:
>> On 6/2/22 13:36, Jim Kinney wrote:
>>> It seems if valid ssh keys exist, the expired account status doesn't
>>> block login with ssh keys.
>>
>> I believe that's because *users* don't expire. *Passwords* do. If you
>> aren't authenticating with passwords, then password expiration doesn't
>> affect the account.
>>
>> This is one of the reasons that users should consider using Kerberos,
>> or SSH certificate systems, rather than SSH keys.
>>
>> https://smallstep.com/blog/use-ssh-certificates/
>> _______________________________________________
>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines:
>> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
> --
> Computers amplify human error
> Super computers are really cool
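The trade-off Sumit describes, as an added example that is not part of this thread and not SSSD's own code: two constructed sssd.conf fragments, the ipa access provider (HBAC enforced, password expiry never consulted when sshd authenticates with a key) beside the ldap access provider with pwd_expire_policy_reject in ldap_access_order, plus a small audit function that reads a fragment and reports which of the two properties a domain gets. The domain and server names are made up, and the statement that ldap_pwd_policy has to be set explicitly for the pwd_expire_policy_* checks to work is taken from man sssd-ldap and should be confirmed against the installed version.

```python
import configparser

# Constructed sssd.conf fragment: the setup the thread starts from. The ipa
# access provider gives you HBAC, but password expiry is never consulted
# when sshd authenticates the user with a public key.
SSSD_CONF_IPA_ACCESS = """\
[sssd]
domains = example.test
services = nss, pam, ssh

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
access_provider = ipa
"""

# Constructed sssd.conf fragment: the ldap access provider with a
# pwd_expire_policy_* check in ldap_access_order, as suggested in the reply.
# ldap_pwd_policy must be set explicitly (mit_kerberos for a Kerberos/IPA
# backend); that requirement is taken from man sssd-ldap and should be
# verified against your SSSD version. HBAC is not available with this provider.
SSSD_CONF_LDAP_ACCESS = """\
[sssd]
domains = example.test
services = nss, pam, ssh

[domain/example.test]
id_provider = ipa
ipa_server = ipa.example.test
access_provider = ldap
ldap_pwd_policy = mit_kerberos
ldap_access_order = pwd_expire_policy_reject
"""

PWD_EXPIRE_CHECKS = ("pwd_expire_policy_reject",
                     "pwd_expire_policy_warn",
                     "pwd_expire_policy_renew")


def audit_domain(conf_text, domain):
    """Report what a domain's access_provider setup gives you.

    Returns a dict with the effective access provider, whether IPA HBAC
    rules are evaluated, whether an expired password blocks (or warns on)
    logins that never typed a password, and human-readable findings.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sect = cp[f"domain/{domain}"]

    access = sect.get("access_provider", "permit")    # SSSD default: permit
    order = [t.strip() for t in sect.get("ldap_access_order", "filter").split(",") if t.strip()]
    pwd_policy = sect.get("ldap_pwd_policy", "none")   # SSSD default: none

    expire_mode = next((t for t in order if t in PWD_EXPIRE_CHECKS), None)
    hbac = access == "ipa"
    enforced = (access == "ldap" and expire_mode is not None
                and pwd_policy in ("shadow", "mit_kerberos"))

    findings = []
    if access == "permit":
        findings.append("access_provider is permit: no access control at all")
    if hbac:
        findings.append("HBAC rules enforced; password expiry not checked for key-based SSH logins")
    if access == "ldap" and expire_mode is None:
        findings.append("ldap access provider without a pwd_expire_policy_* entry in ldap_access_order")
    if access == "ldap" and expire_mode is not None and pwd_policy not in ("shadow", "mit_kerberos"):
        findings.append(f"ldap_pwd_policy is '{pwd_policy}'; set shadow or mit_kerberos so expiry can be evaluated")
    if enforced:
        findings.append(f"expired password handled by {expire_mode} for every login, SSH keys included; no HBAC")

    return {"access_provider": access, "hbac": hbac,
            "pwd_expiry_enforced": enforced, "pwd_expire_mode": expire_mode,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("ipa", SSSD_CONF_IPA_ACCESS), ("ldap", SSSD_CONF_LDAP_ACCESS)):
        report = audit_domain(text, "example.test")
        print(f"{label}: hbac={report['hbac']} pwd_expiry_enforced={report['pwd_expiry_enforced']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Running it against a real /etc/sssd/sssd.conf (read the file and pass its text) tells you at a glance which of the two properties a host currently has; neither fragment gives both, which is exactly the gap the linked SSSD issue is about.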