On Thu, Apr 21, 2016 at 01:26:19PM -0400, Steve Huston wrote:
> On Tue, Apr 19, 2016 at 11:57 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > Did you test that this actually fails with id_provider=ipa? I would
> > assume the IPA KDC would kick you out and prompt for a new password..
> 
> If you're using a password, yes it kicks back and requires you to
> change it.  The problem is if you're not using a password to
> authenticate, but instead using an SSH key, then it appears there's no
> hooks to check with IPA if the password (or the principal itself) is
> expired and the user is allowed to continue to login.  The
> "recommended" way to do this in RHEL6 is to set access_provider to
> ldap in sssd, but that doesn't seem to cover all cases and doesn't
> play well with other IPA things (like HBAC) from what I can tell.

Then in my opinion SSSD is behaving correctly there. It wouldn't let in
a locked user (it would check the nsaccountlock attribute), but I'm not
sure it would be correct to check krbPasswordExpiration if you're using
a completely different method to authenticate..

Moreover, if you login through an SSH key, you don't get a ticket on
login and you can't kinit, so you can't access any network resources
anyway..

But to be honest, this is something we discussed even among IPA
developers and we're not in total agreement here either, so maybe others
will overrule me :)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to