On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote:
> I have set krbPrincipalExpiration but it's not referenced as far as I can
> tell. That setting will block use of a password which is why I was thinking a
> pam setting change for sshd would pull it in. But password in pam uses the
> same pam functions as sshd. Is there a sssd.conf setting to also be consulted
> with sshd?

Hi,

in general SSSD can handle this case with 'access_provider = ldap' and
pwd_expire_policy_reject, pwd_expire_policy_warn or pwd_expire_policy_renew in
'ldap_access_order', see man sssd-ldap for details. Unfortunately this removes
the HBAC features of 'access_provider = ipa'. We are currently working on
making the ldap features available in ipa as well, see
https://github.com/SSSD/sssd/issues/5080 and the related pull-request.

HTH

bye,
Sumit

>
> On June 2, 2022 4:54:11 PM EDT, Gordon Messmer <gordon.mess...@gmail.com>
> wrote:
> >On 6/2/22 13:36, Jim Kinney wrote:
> >> It seems if valid ssh keys exist, the expired account status doesn't
> >> block login with ssh keys.
> >
> >
> >I believe that's because *users* don't expire. *Passwords* do. If you
> >aren't authenticating with passwords, then password expiration doesn't
> >affect the account.
> >
> >This is one of the reasons that users should consider using Kerberos, or
> >SSH certificate systems, rather than SSH keys.
> >
> >https://smallstep.com/blog/use-ssh-certificates/
> >_______________________________________________
> >sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> >Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Computers amplify human error
> Super computers are really cool
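The change Sumit describes, as an added sssd.conf illustration that is not part of the thread: the same domain section before and after, with example.test and ipa.example.test as placeholder names. The ldap_pwd_policy line is my assumption, based on the sssd-ldap man page's requirement that a password policy be set for the pwd_expire_policy_* options to take effect.

```ini
# Added example, not from the thread. Domain and server names are placeholders.
#
# BEFORE: the ipa access provider evaluates HBAC rules, but a key-based SSH
# login never presents a password, so an expired password is not checked
# and the login succeeds.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test
access_provider = ipa

# AFTER: hand the access decision to the ldap access provider so the password
# expiry policy is evaluated on every login, including SSH with keys.
#   pwd_expire_policy_reject  -> deny the login
#   pwd_expire_policy_warn    -> allow, but warn
#   pwd_expire_policy_renew   -> force an immediate password change
# ldap_pwd_policy = mit_kerberos is an assumption: man sssd-ldap requires a
# password policy for these options, and mit_kerberos is the one that reads
# the Kerberos password-expiry attributes an IPA server stores for the user.
# Trade-off (as Sumit notes): HBAC rules from 'access_provider = ipa' are no
# longer applied with this configuration.
[domain/example.test]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
ipa_domain = example.test
ipa_server = ipa.example.test
access_provider = ldap
ldap_pwd_policy = mit_kerberos
ldap_access_order = pwd_expire_policy_reject
```

Only one [domain/example.test] section may exist in a real sssd.conf; the two are shown together here for comparison. After the change, restart sssd and confirm in the sshd log that a key-based login for a user whose password has expired is now rejected.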