I have set krbPrincipalExpiration but it's not referenced as far as I can tell.
That setting will block use of a password which is why I was thinking a pam
setting change for sshd would pull it in. But password in pam uses the same pam
functions as sshd. Is there a sssd.conf setting to also be consulted with sshd?
On June 2, 2022 4:54:11 PM EDT, Gordon Messmer <[email protected]> wrote:
>On 6/2/22 13:36, Jim Kinney wrote:
>> It seems if valid ssh keys exist, the expired account status doesn't
>> block login with ssh keys.
>
>
>I believe that's because *users* don't expire. *Passwords* do. If you
>aren't authenticating with passwords, then password expiration doesn't
>affect the account.
>
>This is one of the reasons that users should consider using Kerberos,
>or
>SSH certificate systems, rather than SSH keys.
>
>https://smallstep.com/blog/use-ssh-certificates/
>_______________________________________________
>sssd-users mailing list -- [email protected]
>To unsubscribe send an email to [email protected]
>Fedora Code of Conduct:
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives:
>https://lists.fedorahosted.org/archives/list/[email protected]
>Do not reply to spam on the list, report it:
>https://pagure.io/fedora-infrastructure
--
Computers amplify human error
Super computers are really cool
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
