Description of problem:
When an IdM user logs in with SSH key based authentication, they do not see password expiration warnings. Customer would like to see password expiration warnings even when logging in with SSH keys so users can proactively change their passwords before they expire.

Version-Release number of selected component (if applicable):
RHEL 7.7 IdM

How reproducible:
Every time

Steps to Reproduce:
1. Log in to a RHEL 7 server as an IdM user using SSH key authentication, with a password that is expiring soon

Actual results:
No password expiration warning is shown

Expected results:
Password expiration warning is shown

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=1654395#c3 mentioned "potentially provide an additional LDAP control for non-Kerberos/non-LDAP auth (ssh public keys, etc) to allow advisory notification from SSSD during PAM session phase". I'm not sure if this would allow for password expiration warnings for users logging in with SSH keys or not.
Hi Sumit, could you please decide whether it makes sense to re-assign this bz to sssd? I think it does, and it should be linked to https://pagure.io/SSSD/sssd/issue/4077
Hi,

yes, this is an SSSD issue, but not strictly related to https://pagure.io/SSSD/sssd/issue/4077. If you set

    ldap_pwd_policy = mit_kerberos
    ldap_access_order = pwd_expire_policy_warn
    access_provider = ldap

in the [domain/...] section of sssd.conf it would already work:

    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    -sh-4.2$ ssh localhost
    Your password will expire in 46 minute(s).
    Last login: Fri Oct 25 15:48:51 2019 from localhost
    -sh-4.2$ id
    uid=1999600009(ipauser02) gid=1999600009(ipauser02) Gruppen=1999600009(ipauser02),1999600005(posixgroup1),1999600006(posixgroup2) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

but with this you will lose all HBAC and other IPA access control, of course. So this functionality should be added to the IPA provider as well.

Moving the ticket to SSSD.

bye,
Sumit
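Added example (not part of this bug report or of SSSD's own code): a small Python check that reads an sssd.conf, reports per [domain/...] section whether the three workaround settings from the comment above are in place, and flags the caveat that access_provider = ldap on an IPA domain means HBAC rules are no longer evaluated. The sample configuration text is constructed; the option names and values are the ones quoted in the comment.

```python
import configparser

# Constructed sample sssd.conf (not taken from any real host).
SAMPLE_SSSD_CONF = """
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ldap_pwd_policy = mit_kerberos
ldap_access_order = pwd_expire_policy_warn
access_provider = ldap
"""


def _csv(value):
    """Split a comma-separated sssd.conf value into a list of tokens."""
    return [t.strip() for t in (value or "").split(",") if t.strip()]


def audit_sssd_conf(text):
    """Return {domain: {"workaround_complete": bool, "missing": [...], "hbac_bypassed": bool}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = {k.strip(): v.strip() for k, v in parser.items(section)}
        missing = []
        if opts.get("ldap_pwd_policy") != "mit_kerberos":
            missing.append("ldap_pwd_policy")
        # ldap_access_order may list several checks; the warning needs this one.
        if "pwd_expire_policy_warn" not in _csv(opts.get("ldap_access_order")):
            missing.append("ldap_access_order")
        if opts.get("access_provider") != "ldap":
            missing.append("access_provider")
        # Caveat from the comment: switching an IPA domain to the LDAP access
        # provider replaces the IPA provider, so HBAC is no longer enforced.
        hbac_bypassed = (opts.get("id_provider") == "ipa"
                         and opts.get("access_provider") == "ldap")
        findings[section[len("domain/"):]] = {
            "workaround_complete": not missing,
            "missing": missing,
            "hbac_bypassed": hbac_bypassed,
        }
    return findings


if __name__ == "__main__":
    for domain, result in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain, result)
```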
Upstream ticket: https://pagure.io/SSSD/sssd/issue/4119
Moving this to RHEL 8 as RHEL 7 is too late in the Lifecycle.
Upstream PR is ready: https://github.com/SSSD/sssd/pull/5928
Upstream PR: https://github.com/SSSD/sssd/pull/6254
Pushed PR: https://github.com/SSSD/sssd/pull/6254

* `master`
    * ede02a201762df5130ccf8578f247bede9088b89 - MAN: Cosmetic changes to sssd-ldap.5
    * be84d6ee83e5c0f8ff6e0fd988f5cf344b25efe5 - PAM: Warn that the password has expired when using ssh keys
    * ae74a9d1f8e8698afdf38a2634d18018890c13d6 - IPA: Add password expiration warning when using ssh keys
    * 475052a29ba368a5da8b287c8b2e889769af1d3e - LDAP: Moved and renamed set_access_rules()
    * 11dab864e1dcf8ec362610263010e920556f6b93 - PAM: Localize some forgotten words.
    * 0da99b73e5cf50552a6460c9d3080d2c1e2864ff - SDAP: Fixed header file
Upstream PR: https://github.com/SSSD/sssd/pull/6758
Pushed PR: https://github.com/SSSD/sssd/pull/6758

* `master`
    * 7f28816479c694ff95939e3becfbcd43423a5744 - PAM: Fix a possible segmentation fault
* `sssd-2-9`
    * 6239f50f64f7884ad35ecbf01dfb26241671374a - PAM: Fix a possible segmentation fault