RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1765354 - [RFE] - Show password expiration warning when IdM users login with SSH keys
Summary: [RFE] - Show password expiration warning when IdM users login with SSH keys
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: beta
: ---
Assignee: Alejandro López
QA Contact: Jakub Vavra
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-10-24 21:56 UTC by Brian Smith
Modified: 2023-11-07 11:31 UTC (History)
19 users (show)

Fixed In Version: sssd-2.9.1-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 08:54:17 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 3635 0 None open [RFE] add warning for expired password when SSH keys are used 2022-09-19 20:55:48 UTC
Github SSSD sssd issues 5080 0 None open [RFE] - Show password expiration warning when IdM users login with SSH keys 2022-09-19 20:55:49 UTC
Github SSSD sssd pull 6254 0 None open IPA: Add password expiration warning when using ssh keys 2022-09-19 20:55:52 UTC
Github SSSD sssd pull 6758 0 None Draft PAM: Fix a possible segmentation fault 2023-05-30 15:09:24 UTC
Red Hat Issue Tracker SSSD-3243 0 None None None 2022-03-08 13:31:33 UTC
Red Hat Product Errata RHBA-2023:6644 0 None None None 2023-11-07 08:54:35 UTC

Description Brian Smith 2019-10-24 21:56:33 UTC 
Description of problem:
When an IdM user logs in with SSH key based authentication, they do not see password expiration warnings.  Customer would like to see password expiration warnings even when logging in with SSH keys so users can proactively change their passwords before they expire.  


Version-Release number of selected component (if applicable):
RHEL 7.7 IdM


How reproducible:
Everytime


Steps to Reproduce:
1. Login to RHEL 7 server with IdM user using SSH key authentication, and with a password expiring soon

Actual results:
No password expiration warning is shown


Expected results:
Password expiration warning is shown


Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1654395#c3 mentioned "potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase"   I'm not sure if this would allow for password expiration warnings for users logging in with SSH keys or not.
Comment 3 François Cami 2019-10-25 12:03:59 UTC 
hi Sumit, could you please decide whether it makes sense to re-assign this bz to sssd? I think it does and it should be linked to https://pagure.io/SSSD/sssd/issue/4077
Comment 5 Sumit Bose 2019-10-25 13:59:15 UTC 
Hi,

yes this is an SSSD issue but not strictly related to https://pagure.io/SSSD/sssd/issue/4077.

If you set

    ldap_pwd_policy = mit_kerberos
    ldap_access_order = pwd_expire_policy_warn
    access_provider = ldap

in the [domain/...] section of sssd.conf it would already work

    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    -sh-4.2$ ssh  localhost
    Your password will expire in 46 minute(s).
    Last login: Fri Oct 25 15:48:51 2019 from localhost
    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

but with this you will loose all HABC and other IPA access control of course. So this functionality should be added the the IPA provider as well.

Moving the ticket to SSSD.

bye,
Sumit
Comment 6 Pavel Březina 2019-11-19 13:06:34 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4119
Comment 7 Amy Farley 2019-12-11 19:55:28 UTC 
Moving this to RHEL 8 as RHEL 7 is too late in the Lifecycle.
Comment 10 Paweł Poławski 2021-12-20 10:27:32 UTC 
Upstream PR is ready: https://github.com/SSSD/sssd/pull/5928
Comment 21 Alexey Tikhonov 2022-07-25 15:50:41 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6254
Comment 25 Alexey Tikhonov 2023-01-05 13:59:41 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6254

* `master`
    * ede02a201762df5130ccf8578f247bede9088b89 - MAN: Cosmetic changes to sssd-ldap.5
    * be84d6ee83e5c0f8ff6e0fd988f5cf344b25efe5 - PAM: Warn that the password has expired when using ssh keys
    * ae74a9d1f8e8698afdf38a2634d18018890c13d6 - IPA: Add password expiration warning when using ssh keys
    * 475052a29ba368a5da8b287c8b2e889769af1d3e - LDAP: Moved and renamed set_access_rules()
    * 11dab864e1dcf8ec362610263010e920556f6b93 - PAM: Localize some forgotten words.
    * 0da99b73e5cf50552a6460c9d3080d2c1e2864ff - SDAP: Fixed header file
Comment 35 Alexey Tikhonov 2023-05-30 15:09:24 UTC 
Upstream PR: https://github.com/SSSD/sssd/pull/6758
Comment 36 Alexey Tikhonov 2023-06-06 12:24:14 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/6758

* `master`
    * 7f28816479c694ff95939e3becfbcd43423a5744 - PAM: Fix a possible segmentation fault
* `sssd-2-9`
    * 6239f50f64f7884ad35ecbf01dfb26241671374a - PAM: Fix a possible segmentation fault
Comment 41 errata-xmlrpc 2023-11-07 08:54:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:6644
Note You need to log in before you can comment on or make changes to this bug.