[SSSD-users] Re: sshkey use allows expired account user to access system
On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote:
> I have set krbPrincipalExpiration but it's not referenced as far as I can
> tell. That setting will block use of a password, which is why I was thinking
> a pam setting change for sshd would pull it in. But password in pam uses the
> same pam functions as sshd. Is there an sssd.conf setting to also be consulted
> with sshd?

Hi,

in general SSSD can handle this case with 'access_provider = ldap' and
pwd_expire_policy_reject, pwd_expire_policy_warn or pwd_expire_policy_renew
in 'ldap_access_order', see man sssd-ldap for details. Unfortunately this
removes the HBAC features of 'access_provider = ipa'. We are currently
working on making the ldap features available in ipa as well, see
https://github.com/SSSD/sssd/issues/5080 and the related pull-request.

HTH

bye,
Sumit

> On June 2, 2022 4:54:11 PM EDT, Gordon Messmer wrote:
> >On 6/2/22 13:36, Jim Kinney wrote:
> >> It seems if valid ssh keys exist, the expired account status doesn't
> >> block login with ssh keys.
> >
> >I believe that's because *users* don't expire. *Passwords* do. If you
> >aren't authenticating with passwords, then password expiration doesn't
> >affect the account.
> >
> >This is one of the reasons that users should consider using Kerberos, or
> >SSH certificate systems, rather than SSH keys.
> >
> >https://smallstep.com/blog/use-ssh-certificates/
>
> --
> Computers amplify human error
> Super computers are really cool

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
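The setting Sumit points at works because sshd with UsePAM enabled still runs the PAM account stack for public-key logins, and the account stack is where pam_sss asks the SSSD access provider for a decision; the auth stack is what a key-based login skips. The sssd.conf domain fragment below is an added example, not a configuration from the thread or from the SSSD project: the domain name is made up, the ipa id and auth providers are assumed to stay in place with only the access provider changed, and the ldap_pwd_policy line comes from man sssd-ldap rather than from the thread.

```ini
# Added example sssd.conf fragment (not from the thread). Domain name is an
# assumption; only the access provider changes, the rest stays on ipa.
[domain/example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.com

# Use the ldap access provider so that ldap_access_order is evaluated in the
# PAM account phase. Caveat from the thread: with this setting the IPA HBAC
# rules are no longer enforced on this host.
access_provider = ldap

# The pwd_expire_policy_* checks need a password policy to evaluate
# (setting taken from man sssd-ldap). mit_kerberos reads the password
# expiration attribute (krbPasswordExpiration by default), which is the
# password expiry, not krbPrincipalExpiration.
ldap_pwd_policy = mit_kerberos

# Deny the account phase when the password has expired, which also blocks
# public-key sshd logins. Alternatives: pwd_expire_policy_warn (allow the
# login and warn) or pwd_expire_policy_renew (allow the login but require a
# password change).
ldap_access_order = pwd_expire_policy_reject
```

After restarting sssd, `sssctl config-check` reports syntax or option errors in the fragment, and `sssctl user-checks -s sshd -a acct <user>` runs the PAM account phase for the sshd service as a given user, which is the decision a key-based login now hits; an expired user should get a denial there without having to attempt an actual ssh login.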
[SSSD-users] Re: sshkey use allows expired account user to access system
I have set krbPrincipalExpiration but it's not referenced as far as I can
tell. That setting will block use of a password, which is why I was thinking
a pam setting change for sshd would pull it in. But password in pam uses the
same pam functions as sshd. Is there an sssd.conf setting to also be consulted
with sshd?

On June 2, 2022 4:54:11 PM EDT, Gordon Messmer wrote:
>On 6/2/22 13:36, Jim Kinney wrote:
>> It seems if valid ssh keys exist, the expired account status doesn't
>> block login with ssh keys.
>
>I believe that's because *users* don't expire. *Passwords* do. If you
>aren't authenticating with passwords, then password expiration doesn't
>affect the account.
>
>This is one of the reasons that users should consider using Kerberos, or
>SSH certificate systems, rather than SSH keys.
>
>https://smallstep.com/blog/use-ssh-certificates/

--
Computers amplify human error
Super computers are really cool
[SSSD-users] Re: sshkey use allows expired account user to access system
On 6/2/22 13:36, Jim Kinney wrote:
> It seems if valid ssh keys exist, the expired account status doesn't
> block login with ssh keys.

I believe that's because *users* don't expire. *Passwords* do. If you
aren't authenticating with passwords, then password expiration doesn't
affect the account.

This is one of the reasons that users should consider using Kerberos, or
SSH certificate systems, rather than SSH keys.

https://smallstep.com/blog/use-ssh-certificates/