#2594 [RFE] add warning for expired password when SSH keys are used
Closed: cloned-to-github 3 years ago by pbrezina. Opened 9 years ago by preichl.

This ticket relates to ticket #2167.

Currently, if a user's password is expired and SSH keys are used as the authentication method:

1) add a warning for the pwd_expire_policy_warn case (access is allowed but we should warn anyway).
2) add a syslog message for the pwd_expire_policy_reject case (access is denied).



Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

Fields changed

rhbz: => todo

Metadata Update from @preichl:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

Any news on when this feature could appear with support for Active Directory? There is a virtual LDAP attribute computed for each user object, msDS-UserPasswordExpiryTimeComputed. The type of this attribute according to the MS docs is "LargeInteger Date", similar to a Unix timestamp but with higher precision: time in 100-nanosecond intervals since 12:00 A.M. January 1, 1601 UTC. So it would be relatively easy to use this attribute for detecting expired passwords when an alternative authentication method is used.

I think there was a duplicate ticket created from Bugzilla a few months ago: https://pagure.io/SSSD/sssd/issue/4119

But we do not currently plan it for the near future.

Metadata Update from @pbrezina:
- Issue close_status updated to: None

4 years ago

Metadata Update from @pbrezina:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1765354 (was: todo)

4 years ago

Metadata Update from @pbrezina:
- Issue set to the milestone: None (was: SSSD Patches welcome)

4 years ago

I removed milestone so we can triage it.


4 years ago

As this is a rather important feature for us, I developed sort of a hackish solution to work around this issue. The basic architecture combines SSSD InfoPipe attribute publishing (AD provides a virtual attribute, which holds the calculated password expiration time) and a custom Python helper script, which interacts with InfoPipe through the D-Bus service and acts on that published attribute. The helper script is invoked by pam_exec in the PAM account phase. This is more or less the way I have worked around this issue.

Metadata Update from @pbrezina:
- Issue tagged with: bugzilla

4 years ago
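
The decision logic such a pam_exec helper needs, as an added example (not the commenter's script and not SSSD code): it converts an msDS-UserPasswordExpiryTimeComputed value to a date and applies the warn and reject cases from the ticket description. The function names, the `warn_days` default and passing the value as `argv[1]` are assumptions; fetching the attribute from InfoPipe is out of scope, and the two sentinel values follow Microsoft's description of the attribute.

```python
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF  # value AD reports for non-expiring passwords


def filetime_to_datetime(ticks):
    """Convert 100 ns intervals since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def check_expiry(raw, now, policy="warn", warn_days=14):
    """Return (exit_code, message); a non-zero exit code denies the login.

    raw: attribute value as a decimal string, or None if it was not published.
    policy: "warn" admits the user with a message, "reject" denies access.
    """
    deny = 1 if policy == "reject" else 0
    try:
        ticks = int(raw)
        if ticks >= NEVER_EXPIRES:
            return 0, ""
        expires = filetime_to_datetime(ticks)
    except (TypeError, ValueError, OverflowError):
        # Missing or unparsable value: under "reject", fail closed.
        return deny, "password expiry unknown"
    if expires <= now:  # also covers 0, which AD reports when a change is forced
        msg = f"password expired on {expires:%Y-%m-%d}"
        return (1, msg) if deny else (0, "warning: " + msg)
    days_left = (expires - now).days
    if days_left < warn_days:
        return 0, f"warning: password expires in {days_left} day(s)"
    return 0, ""


if __name__ == "__main__":
    import syslog
    # Constructed interface: the attribute value is passed as argv[1].
    raw = sys.argv[1] if len(sys.argv) > 1 else None
    code, msg = check_expiry(raw, datetime.now(timezone.utc), policy="reject")
    if msg:
        syslog.syslog(syslog.LOG_AUTH | syslog.LOG_NOTICE, msg)
        print(msg)
    sys.exit(code)
```
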

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3635

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @pbrezina:
- Issue close_status updated to: cloned-to-github
- Issue status updated to: Closed (was: Open)

3 years ago
