Gerhard Kremer via FreeIPA-users wrote:
> Greetings all,
> 
> is it possible to force-logout a user? I was thinking of implementing a
> continuously-running process that, when some conditions are met, e.g.
> revokes a user's Kerberos TGT and effectively destroys their session(s).
> Would this affect the credentials cache? If not, what is the best way of
> removing those as well?

Process running where? The TGT will be valid through its issuance time.
There are ccache types you wouldn't be able to clear (MEMORY, for example).

Force logout a user from what? The WebUI? An ssh login?

What about an ssh login using ssh keys?

> Failing that, I'd like to disable the account with ipa user-disable --
> does disabling immediately block an already-logged user? 

No. It is only checked during authentication.

> My aim is to immediately prevent users meeting certain conditions from
> carrying out any further actions. Any suggestions or caveats on the
> best way to accomplish this would be appreciated.

I'm not aware of a way to do this.

rob