Open klizhentas opened 2 years ago
I think we can use `userdel` here and just have it run in the session stack for PAM. If someone is still logged in, `userdel` will fail, but after last logout, it will succeed. You can tell `userdel` to not remove home directories as well, it will just update the user database.
Someone does need to verify this.
What
When our PAM module creates users, let's make the user entry last for a duration of the session. We can achieve that by specifying `useradd -r ttl`. Props to @jon-can for the idea. This aligns really well with the notion of expiring certificates we are using.
While we are on it, can we improve UX by adding this script to our auto install:
https://goteleport.com/docs/server-access/guides/ssh-pam/#examples
Are there any downsides to making this automatic and having it work all the time when PAM is enabled?
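The session-stack cleanup discussed in this issue, written out as an added example (not Teleport's code and not part of the issue): a `pam_exec` hook that runs `userdel` without `-r` on `close_session`, and only for accounts the module created. The `teleport-auto` GECOS marker, the script path and the PAM line in the comments are assumptions made for illustration; whether `userdel` succeeds at the last logout still needs the verification the comment above asks for, which is why a failure is reported as deferred rather than as an error.

```shell
#!/bin/sh
# Hypothetical pam_exec hook. Assumed PAM line (not from the issue):
#   session optional pam_exec.so /usr/local/bin/teleport-user-cleanup.sh
# pam_exec exports PAM_TYPE and PAM_USER to the script.

# Assumption: accounts created by the PAM module carry this GECOS marker,
# so the hook never removes an account that existed before.
MARKER="${MARKER:-teleport-auto}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
USERDEL="${USERDEL:-userdel}"

# Succeeds only if user $1 is in the passwd file with the marker as GECOS.
is_auto_user() {
    awk -F: -v u="$1" -v m="$MARKER" \
        '$1 == u && $5 == m { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# Prints the action taken: skip, removed or deferred. Always returns 0 so
# that a failed cleanup never blocks the logout itself.
cleanup_session_user() {
    [ "${PAM_TYPE:-}" = "close_session" ] || { echo skip; return 0; }
    [ -n "${PAM_USER:-}" ] || { echo skip; return 0; }
    is_auto_user "$PAM_USER" || { echo skip; return 0; }
    # No -r, so the home directory is kept and only the user database
    # changes. A non-zero exit (for example, the user is still logged in
    # elsewhere) leaves the entry for a later session close.
    if "$USERDEL" -- "$PAM_USER" 2>/dev/null; then
        echo removed
    else
        echo deferred
    fi
    return 0
}

cleanup_session_user
```
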