On Mon, Feb 26, 2024 at 12:38 PM Alexey Tikhonov <atikh...@redhat.com> wrote:
>
>
> On Fri, Feb 23, 2024 at 12:06 PM John Doe <jdoe53...@gmail.com> wrote:
>
>> Hello
>>
>> I'm wondering if there's any way to access the informational message
>> about password expiration given upon login when using cached credentials?
>> When having pam_verbosity = 2 in sssd.conf, the following informational
>> message is given;
>> "Authenticated with cached credentials, your cached password will expire
>> at Sat Apr 20 15:41:18 2024"
>>
>> Now I know I can calculate the time for expiration myself by checking the
>> 'offline_credentials_expiration' value in sssd.conf and add that to the
>> timestamp for cache entry last update time reported by 'sudo sssctl
>> user-show $USER' but both of these require root access. I need to get the
>> expiration timestamp as a regular user.
>>
>> The reason for this is that we do have a large number of external
>> developers who are all given laptops with the company Linux image applied,
>> having them log in using their Active Directory credentials. They do have
>> VPN access but the nature of the projects they're working on they seldom
>> need to be connected to our network :-(
>> I was thinking I could create a little script/application that notifies
>> them a few days ahead of password expiration to remind them to connect to
>> the VPN.
>>
>> I was thinking of 'sss_cache' as that can run as a regular user but that
>> can't give me the timestamp :-(
>> Worst case, I can perhaps write something in Python, but that depends on
>> the availability of APIs and maybe that still will require root access.
>>
>>
> Hi,
>
> cache files (content of `/var/lib/sss/db/`) are typically owned either by
> root:root or by sssd:sssd and aren't readable by others.
>
> So it doesn't matter if it's a 3rd party script or an existing tool
> (sssctl, sss_cache) - it will require privileges anyway (you can set
> CAP_DAC_READ file capability on your executable, if you don't want to run
> it under "full" root).
>

*sorry, `CAP_DAC_OVERRIDE`, of course.
--
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org