Am Thu, Jun 02, 2022 at 02:22:54PM -0400 schrieb Rob Crittenden via FreeIPA-users: > Jim Kinney via FreeIPA-users wrote: > > It seems if valid ssh keys exist, the expired account status doesn't > > block login with ssh keys. Any operation that touches a password is > > blocking. > > Is there a pam setting in sshd that needs tweaking to deny access if > > account is expired? > > You may want to cross post this on sssd-users.
Hi, in general SSSD can handle this case with 'access_provider = ldap' and pwd_expire_policy_reject, pwd_expire_policy_warn or pwd_expire_policy_renew in 'ldap_access_order', see man sssd-ldap for details. Unfortunately this removes the HBAC features of 'access_provider = ipa'. We are currently working on making the ldap features available in ipa as well, see https://github.com/SSSD/sssd/issues/5080 and the related pull-request. HTH bye, Sumit > > rob > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
