Re: [SSSD-users] Password expiration with public-key authentication
On Tue, Nov 27, 2012 at 15:00:42 -0600, Stephen Gallagher wrote:
> On Tue 27 Nov 2012 03:51:55 PM EST, Iain Morgan wrote:
> > Hello,
> >
> > I recently began experimenting with sssd (1.8.0) and have run into an
> > issue with its support for password expiration. Specifically, the case
> > where sssd is configured to use LDAP and the user authenticates via SSH
> > public-key.
> >
> > If a user connects via ssh to a host which is using sssd and
> > authenticates via a public-key, the only way to enforce password
> > expiration appears to be to set ldap_pwd_policy=shadow. However, sssd
> > will not attempt to change the password when the policy is thus set.
> >
> > I know that there are those who would argue that password expiration
> > should not be enforced when public-key authentication is used, but that
> > is an organizational policy decision. The expectation for the environment
> > which I deal with is that password expiration should be enforced, and
> > work, regardless of the method used for authentication.
> >
> > Is there some trick that I have overlooked or is this simply a design
> > limitation? If the shadow map were exposed, pam_unix.so could be used to
> > detect password expiration and pam_sss.so (with ldap_pwd_policy=none)
> > could be used to change the password, but that is not currently the
> > case.
> >
>
> Try setting:
>
> access_provider = ldap
> ldap_access_order = expire
> ldap_account_expire_policy = shadow
>
> That should do what you're looking for. It tells the SSSD to honor
> shadow expiration/locking policy during the PAM_ACCT_MGMT phase. This
> phase will occur regardless of what authentication mechanism you use.

Hmm, I had overlooked ldap_account_expire_policy. Unfortunately, the
settings recommended above do not appear to have altered the situation.
I guess I need to spend some time looking at the debug output.
Thanks,

--
Iain Morgan
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Re: [SSSD-users] Password expiration with public-key authentication
On Tue 27 Nov 2012 03:51:55 PM EST, Iain Morgan wrote:
> Hello,
>
> I recently began experimenting with sssd (1.8.0) and have run into an
> issue with its support for password expiration. Specifically, the case
> where sssd is configured to use LDAP and the user authenticates via SSH
> public-key.
>
> If a user connects via ssh to a host which is using sssd and
> authenticates via a public-key, the only way to enforce password
> expiration appears to be to set ldap_pwd_policy=shadow. However, sssd
> will not attempt to change the password when the policy is thus set.
>
> I know that there are those who would argue that password expiration
> should not be enforced when public-key authentication is used, but that
> is an organizational policy decision. The expectation for the environment
> which I deal with is that password expiration should be enforced, and
> work, regardless of the method used for authentication.
>
> Is there some trick that I have overlooked or is this simply a design
> limitation? If the shadow map were exposed, pam_unix.so could be used to
> detect password expiration and pam_sss.so (with ldap_pwd_policy=none)
> could be used to change the password, but that is not currently the
> case.

Try setting:

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow

That should do what you're looking for. It tells the SSSD to honor
shadow expiration/locking policy during the PAM_ACCT_MGMT phase. This
phase will occur regardless of what authentication mechanism you use.
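As an added illustration (my code, not anything from this thread or from SSSD itself), the following Python models the shadow(5) expiry checks that pam_unix applies in its account-management step; the ldap_account_expire_policy = shadow setting discussed above is meant to evaluate the same shadowAccount attributes from LDAP in that same PAM_ACCT_MGMT phase. The LDAP entries, the evaluation date (the day of this thread) and the handling of an unset shadowLastChange are constructed assumptions; the return values are named after the PAM result codes pam_unix uses, so the outcome a PAM stack would act on is visible for each case. One practical check before reading debug output: sshd only runs the PAM account phase for public-key logins when UsePAM yes is set in sshd_config.

```python
from datetime import date

# shadow(5) stores an empty field as -1, which disables that particular check.
UNSET = -1

# Constructed evaluation date: the day this thread was posted.
TODAY = date(2012, 11, 27)

# Constructed shadowAccount entries keyed by uid; all day counts are days since 1970-01-01.
SAMPLE_ENTRIES = {
    "alice": {"shadowLastChange": 15600, "shadowMax": 90, "shadowWarning": 7, "shadowInactive": 7},
    "bob":   {"shadowLastChange": 15600, "shadowMax": 75, "shadowWarning": 7},
    "carol": {"shadowLastChange": 15500, "shadowMax": 90, "shadowInactive": 14},
    "dave":  {"shadowLastChange": 15500, "shadowMax": 90},
    "erin":  {"shadowExpire": 15600, "shadowLastChange": 15650, "shadowMax": 90},
    "frank": {"shadowLastChange": 0, "shadowMax": 90},
    "grace": {"shadowLastChange": 15600},
}


def days_since_epoch(d: date) -> int:
    """Day number in the form shadow(5) uses: days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days


def shadow_account_status(entry: dict, today: date) -> tuple[str, int]:
    """Evaluate one entry's shadow attributes the way pam_unix's account step does.

    Returns (pam_result, days_left) where days_left is the number of days until the
    password expires (negative once it has) or UNSET when no shadowMax applies.
      PAM_ACCT_EXPIRED     - account is disabled (no login)
      PAM_NEW_AUTHTOK_REQD - login allowed only after a password change
      PAM_AUTHTOK_EXPIRED  - password still valid but inside the warning window
      PAM_SUCCESS          - nothing to enforce
    """
    cur = days_since_epoch(today)
    expire = entry.get("shadowExpire", UNSET)
    lstchg = entry.get("shadowLastChange", UNSET)
    max_days = entry.get("shadowMax", UNSET)
    inact = entry.get("shadowInactive", UNSET)
    warn = entry.get("shadowWarning", UNSET)

    # Absolute account expiry date takes precedence over any password ageing.
    if expire != UNSET and cur >= expire:
        return "PAM_ACCT_EXPIRED", 0
    # shadowLastChange of 0 means "must change password at next login".
    if lstchg == 0:
        return "PAM_NEW_AUTHTOK_REQD", 0
    # Assumption for this model: no usable change date means no ageing to enforce.
    if lstchg == UNSET or cur < lstchg:
        return "PAM_SUCCESS", UNSET
    if max_days == UNSET:
        return "PAM_SUCCESS", UNSET

    age = cur - lstchg
    days_left = (lstchg + max_days) - cur
    if age > max_days:
        # Past the inactivity grace period the account is locked outright;
        # inside it the user is still allowed in, but only to change the password.
        if inact != UNSET and age > max_days + inact:
            return "PAM_ACCT_EXPIRED", days_left
        return "PAM_NEW_AUTHTOK_REQD", days_left
    if warn != UNSET and age > max_days - warn:
        return "PAM_AUTHTOK_EXPIRED", days_left
    return "PAM_SUCCESS", days_left


def evaluate_all(entries: dict = SAMPLE_ENTRIES, today: date = TODAY) -> dict:
    """Map each uid to the PAM result its shadow attributes would produce today."""
    return {uid: shadow_account_status(attrs, today)[0] for uid, attrs in entries.items()}


if __name__ == "__main__":
    for uid, attrs in SAMPLE_ENTRIES.items():
        result, left = shadow_account_status(attrs, TODAY)
        print(f"{uid:6s} {result:22s} days_left={left}")
```

The distinction between PAM_NEW_AUTHTOK_REQD and PAM_ACCT_EXPIRED is the one that matters for the original question: the former is what causes sshd to run the password-change stack after a public-key login, while the latter simply refuses the session.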
[SSSD-users] Password expiration with public-key authentication
Hello,

I recently began experimenting with sssd (1.8.0) and have run into an
issue with its support for password expiration. Specifically, the case
where sssd is configured to use LDAP and the user authenticates via SSH
public-key.

If a user connects via ssh to a host which is using sssd and
authenticates via a public-key, the only way to enforce password
expiration appears to be to set ldap_pwd_policy=shadow. However, sssd
will not attempt to change the password when the policy is thus set.

I know that there are those who would argue that password expiration
should not be enforced when public-key authentication is used, but that
is an organizational policy decision. The expectation for the environment
which I deal with is that password expiration should be enforced, and
work, regardless of the method used for authentication.

Is there some trick that I have overlooked or is this simply a design
limitation? If the shadow map were exposed, pam_unix.so could be used to
detect password expiration and pam_sss.so (with ldap_pwd_policy=none)
could be used to change the password, but that is not currently the
case.

Thanks,

--
Iain Morgan