Bug 1765354

Summary: [RFE] - Show password expiration warning when IdM users login with SSH keys
Product: Red Hat Enterprise Linux 9 Reporter: Brian Smith <briasmit>
Component: sssdAssignee: Alejandro López <allopez>
Status: VERIFIED --- QA Contact: Jakub Vavra <jvavra>
Severity: low Docs Contact:
Priority: medium    
Version: 9.0CC: aboscatt, afarley, allopez, atikhono, dchen, fcami, grajaiya, jvavra, lslebodn, mzidek, pasik, pbrezina, pkettman, rcritten, sbose, sgadekar, suwu, thalman, tscherf
Target Milestone: betaKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.9.1-1.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian Smith 2019-10-24 21:56:33 UTC 
Description of problem:
When an IdM user logs in with SSH key based authentication, they do not see password expiration warnings.  Customer would like to see password expiration warnings even when logging in with SSH keys so users can proactively change their passwords before they expire.  


Version-Release number of selected component (if applicable):
RHEL 7.7 IdM


How reproducible:
Everytime


Steps to Reproduce:
1. Login to RHEL 7 server with IdM user using SSH key authentication, and with a password expiring soon

Actual results:
No password expiration warning is shown


Expected results:
Password expiration warning is shown


Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1654395#c3 mentioned "potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase"   I'm not sure if this would allow for password expiration warnings for users logging in with SSH keys or not.
Comment 3 François Cami 2019-10-25 12:03:59 UTC 
hi Sumit, could you please decide whether it makes sense to re-assign this bz to sssd? I think it does and it should be linked to https://pagure.io/SSSD/sssd/issue/4077
Comment 5 Sumit Bose 2019-10-25 13:59:15 UTC 
Hi,

yes this is an SSSD issue but not strictly related to https://pagure.io/SSSD/sssd/issue/4077.

If you set

    ldap_pwd_policy = mit_kerberos
    ldap_access_order = pwd_expire_policy_warn
    access_provider = ldap

in the [domain/...] section of sssd.conf it would already work

    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    -sh-4.2$ ssh  localhost
    Your password will expire in 46 minute(s).
    Last login: Fri Oct 25 15:48:51 2019 from localhost
    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

but with this you will loose all HABC and other IPA access control of course. So this functionality should be added the the IPA provider as well.

Moving the ticket to SSSD.

bye,
Sumit
Comment 6 Pavel Březina 2019-11-19 13:06:34 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4119
Comment 7 Amy Farley 2019-12-11 19:55:28 UTC 
Moving this to RHEL 8 as RHEL 7 is too late in the Lifecycle.
Comment 10 Paweł Poławski 2021-12-20 10:27:32 UTC 
Upstream PR is ready: https://github.com/SSSD/sssd/pull/5928
Comment 21 Alexey Tikhonov 2022-07-25 15:50:41 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6254
Comment 25 Alexey Tikhonov 2023-01-05 13:59:41 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6254

* `master`
    * ede02a201762df5130ccf8578f247bede9088b89 - MAN: Cosmetic changes to sssd-ldap.5
    * be84d6ee83e5c0f8ff6e0fd988f5cf344b25efe5 - PAM: Warn that the password has expired when using ssh keys
    * ae74a9d1f8e8698afdf38a2634d18018890c13d6 - IPA: Add password expiration warning when using ssh keys
    * 475052a29ba368a5da8b287c8b2e889769af1d3e - LDAP: Moved and renamed set_access_rules()
    * 11dab864e1dcf8ec362610263010e920556f6b93 - PAM: Localize some forgotten words.
    * 0da99b73e5cf50552a6460c9d3080d2c1e2864ff - SDAP: Fixed header file
Comment 35 Alexey Tikhonov 2023-05-30 15:09:24 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6758
Comment 36 Alexey Tikhonov 2023-06-06 12:24:14 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6758

* `master`
    * 7f28816479c694ff95939e3becfbcd43423a5744 - PAM: Fix a possible segmentation fault
* `sssd-2-9`
    * 6239f50f64f7884ad35ecbf01dfb26241671374a - PAM: Fix a possible segmentation fault