In the case where a user has an expired password and an OTP token set as a second factor, the user cannot reset their password.
The expected outcome when a user with an expired password and a valid token connects to a host via ssh is that pre-auth will discover from the directory (we use FreeIPA) that the user has an expired password and an OTP token, then the user authorises with only the expired password, goes through the password reset process, and is then disconnected.
What happens is the user connects via ssh, is asked for their password, then the Current Password: prompt appears, fails and returns to the password: prompt. The password reset fails. So all connections are locked out.
Pretty sure it's a case covered by the TODO here: https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395
More detail posted to the FreeIPA user list: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/I2ADJSI47I7R3KOEDBG2PDOHY7GFT4JH/#RKOE6BB6KK2EUSMQM6NF25WX6BTIL5L5
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.0
Metadata Update from @jhrozek: - Issue priority set to: major
Metadata Update from @jhrozek: - Issue tagged with: bug
In addition pam_sss says "Second Factor (optional):" when the second factor is required.
Metadata Update from @sbose: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1523019
Issue linked to Bugzilla: Bug 1523019
Metadata Update from @sbose: - Issue assigned to sbose
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 1.16.1 (was: SSSD 2.0)
Metadata Update from @jhrozek: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/4609
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.