On Tue, Nov 27, 2012 at 02:01:48PM -0800, Iain Morgan wrote:
> On Tue, Nov 27, 2012 at 15:00:42 -0600, Stephen Gallagher wrote:
> > On Tue 27 Nov 2012 03:51:55 PM EST, Iain Morgan wrote:
> > > Hello,
> > >
> > > I recently began experimenting with sssd (1.8.0) and have run into an
> > > issue with its support for password expiration. Specifically, the case
> > > where sssd is configured to use LDAP and the user authenticates via SSH
> > > public-key.
> > >
> > > If a user connects via ssh to a host which is using sssd and
> > > authenticates via a public-key, the only way to enforce password
> > > expiration appears to be to set ldap_pwd_policy=shadow. However, sssd
> > > will not attempt to change the password when the policy is thus set.
> > >
> > > I know that there are those who would argue that password expiration
> > > should not be enforced when public-key authentication is used, but that
> > > is an organizational policy decision. The expectation for the environment
> > > which I deal with is that password expiration should be enforced, and
> > > work, regardless of the method used for authentication.
> > >
> > > Is there some trick that I have overlooked or is this simply a design
> > > limitation? If the shadow map were exposed, pam_unix.so could be used to
> > > detect password expiration and pam_sss.so (with ldap_pwd_policy=none)
> > > could be used to change the password, but that is not currently the
> > > case.
> > >
> >
> > Try setting:
> >
> > access_provider = ldap
> > ldap_access_order = expire
> > ldap_account_expire_policy = shadow
> >
> > That should do what you're looking for. It tells the SSSD to honor
> > shadow expiration/locking policy during the PAM_ACCT_MGMT phase. This
> > phase will occur regardless of what authentication mechanism you use.
>
> Hmm, I had overlooked ldap_account_expire_policy. Unfortunately, the
> settings recommended above do not appear to have altered the situation.
> I guess I need to spend some time looking at the debug output.
>
If I understand your question correctly you would like to see a password
change dialog (Old password: ... New password: ... Retype new password: ...)
even when using ssh with public-key authentication? If this is the case I
would like to ask you to file an enhancement ticket to the sssd trac instance
at https://fedorahosted.org/sssd/ and describe your use-case.

Currently sssd returns the corresponding PAM error code PAM_NEW_AUTHTOK_REQD
only if an expired password was found during password based authentication
and the PAM_ACCT_MGMT phase is purely used for access control. But as long as
sssd can detect an expired password during PAM_ACCT_MGMT it would be possible
to return PAM_NEW_AUTHTOK_REQD as well. Please note that this is not possible
in all cases, e.g. if Kerberos authentication is used you typically can only
detect that a password is expired by trying to authenticate with the correct
password and check the responses from the KDC.

HTH

bye,
Sumit

> Thanks,
>
> --
> Iain Morgan
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
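The thread turns on the difference between what an account-management (PAM_ACCT_MGMT) step can decide from the shadow attributes alone and what only a password-based authentication can reveal. The script below is an added illustration written for this page; it is not sssd's code, nor pam_unix's, nor anything the posters wrote. It parses a constructed LDIF entry carrying the shadowAccount attributes an LDAP server would return (shadowLastChange, shadowMax, shadowWarning, shadowInactive, shadowExpire), evaluates them by the shadow(5) rules the way an account-management step could, and maps the outcome onto the PAM result names used in the thread. The account name, dates and attribute values are constructed; the expiry-on-boundary-day convention and the treatment of shadowExpire=0 as "not set" are this example's assumptions. Because the evaluation only looks at attributes, it works the same whether the session was opened with a password or with an SSH public key, which is the point Stephen and Sumit make about PAM_ACCT_MGMT.

```python
"""Evaluate shadow(5) password/account ageing as a PAM account-management
step could, independent of the authentication method.
Constructed example for illustration; not sssd or pam_unix code."""
from datetime import date
from typing import Dict, Tuple

# Result names mirror the PAM constants discussed in the thread.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"

# Constructed LDIF entry: the shadowAccount attributes an LDAP server returns.
# Day numbers are days since 1970-01-01 (15600 = 2012-09-17, 15800 = 2013-04-05).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
shadowLastChange: 15600
shadowMax: 90
shadowWarning: 7
shadowInactive: 30
shadowExpire: 15800
"""


def days_since_epoch(day: date) -> int:
    """shadow(5) stores dates as days since the Unix epoch."""
    return (day - date(1970, 1, 1)).days


def parse_ldif_entry(ldif: str) -> Dict[str, str]:
    """Minimal parser for one LDIF entry with single-valued attributes
    (enough for shadow attributes; multi-valued ones keep the last value)."""
    entry: Dict[str, str] = {}
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry[name.strip()] = value.strip()
    return entry


def _int_attr(entry: Dict[str, str], name: str, default: int = -1) -> int:
    """Missing or empty shadow attributes behave like the 'unset' value -1."""
    value = entry.get(name, "")
    return int(value) if value != "" else default


def shadow_status(entry: Dict[str, str], today: date) -> Tuple[str, str]:
    """Apply the shadow(5) rules in the order a PAM acct-mgmt step would:
    account expiry, forced change, password expiry (+ inactivity lock), warning."""
    now = days_since_epoch(today)
    last = _int_attr(entry, "shadowLastChange")
    max_days = _int_attr(entry, "shadowMax")
    warn = _int_attr(entry, "shadowWarning")
    inactive = _int_attr(entry, "shadowInactive")
    expire = _int_attr(entry, "shadowExpire")

    # shadowExpire is an absolute day; 0 is ambiguous per shadow(5), treated as unset here.
    if expire > 0 and now >= expire:
        return PAM_ACCT_EXPIRED, "account expired: shadowExpire reached"
    # shadowLastChange=0 means the administrator forced a change at next login.
    if last == 0:
        return PAM_NEW_AUTHTOK_REQD, "password change forced: shadowLastChange=0"
    # No last-change date or no maximum age: ageing is disabled.
    if last < 0 or max_days < 0:
        return PAM_SUCCESS, "password ageing disabled"

    expiry_day = last + max_days  # assumption: password expires on this day itself
    if now >= expiry_day:
        # Past the inactivity grace period the account is locked rather than
        # merely requiring a new password.
        if inactive >= 0 and now >= expiry_day + inactive:
            return PAM_ACCT_EXPIRED, "account locked: inactivity period after expiry passed"
        return PAM_NEW_AUTHTOK_REQD, "password expired: must be changed"

    days_left = expiry_day - now
    if warn >= 0 and days_left <= warn:
        return PAM_SUCCESS, f"password expires in {days_left} day(s)"
    return PAM_SUCCESS, "password current"


if __name__ == "__main__":
    alice = parse_ldif_entry(SAMPLE_LDIF)
    for when in (date(2012, 11, 27), date(2012, 12, 15), date(2012, 12, 20),
                 date(2013, 1, 20), date(2013, 4, 5)):
        print(when, *shadow_status(alice, when))
```

Run stand-alone it walks the same entry through the constructed dates and prints the transition from "current" to warning, to PAM_NEW_AUTHTOK_REQD, to the inactivity lock, and finally to the shadowExpire cutoff. Note that the PAM_NEW_AUTHTOK_REQD outcome is exactly what Sumit says sssd could also return from PAM_ACCT_MGMT once it detects an expired password there; the Kerberos case he mentions is different because the KDC, not a readable attribute, is what reports the expiry.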
