Does using an SSH jump host count as a login?

I have asked for a service account from the AD guys that will let me use a specific server as an SSH jumphost (using ProxyJump), and of course I've set up an SSH private key for the purpose. The jumphost itself is running SSSD to authenticate users against the AD.

However, I have been warned that if the AD LastLoginTimeStamp attribute on the service account gets too old, the account will be purged. So the question is, will whatever SSSD does on behalf of the PAM modules that SSHD activates for a tunnel-only login (no user command) actually update that time stamp? Looking up the user's groups with LDAP is presumably not enough, but what is? I can do the research on the Linux side to see what SSSD does, but I don't have easy access to the AD side to check if the time stamp updates.


In theory AD attribute lastLogonTimestamp is updated after one of the following:

  • interactive or network NTLM logon
  • LDAP simple bind

So this will depend on the mechanism used by the service (sorry, I have no experience with JumpHost or SSSD).

In my personal experience some services integrated with AD via LDAP use their service account successfully, but the attribute value is not updated. I didn't have a chance to figure out why exactly this happens, but since it's a different story with every service, I think the only safe bet is to try and see for yourself. The attribute should be updated at once during the first login. Afterwards, the value can be up to 14 days late.

Please check the attribute's technical spec for more information.

A couple of things to check when troubleshooting:

  • AD has a history of bugs where the attribute lastLogonTimestamp isn't updated when it should be. The last one I remember was patched 3 years ago (KB4457127).
  • The AD attribute msDS-LogonTimeSyncInterval must be non-zero. Otherwise lastLogonTimestamp will not be updated.

Hope this helps
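The answer's point about the 14-day lag is easy to get wrong in practice, so here is an added example (not code from the question or the answer) that reads a lastLogonTimestamp value as `ldapsearch -LLL` would print it, converts the Windows FILETIME to a UTC date, and applies the documented refresh rule: a domain controller rewrites the attribute only when the stored value is older than msDS-LogonTimeSyncInterval (default 14 days) minus a random 0 to 5 days, and never when the interval is zero. The LDIF text is a constructed sample, and the 90-day purge threshold is a hypothetical policy value, not something stated on this page.

```python
"""Reason about an AD lastLogonTimestamp value from the Linux side.

Added example, not code from the question or the answer above.  Assumptions:
the LDIF below is a constructed sample in the shape `ldapsearch -LLL` prints;
the refresh rule is the documented one for lastLogonTimestamp (rewritten only
when the stored value is older than msDS-LogonTimeSyncInterval, default 14
days, minus a random 0-5 days); the 90-day purge threshold is hypothetical.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the gap to the Unix epoch.
FILETIME_EPOCH_OFFSET_S = 11_644_473_600
TICKS_PER_S = 10_000_000

SAMPLE_LDIF = """\
dn: CN=svc-jump,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-jump
lastLogonTimestamp: 132670224000000000
"""  # constructed sample; 132670224000000000 is 2021-06-01T12:00:00Z


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Build an aware UTC datetime (keeps callers free of datetime imports)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a FILETIME to an aware UTC datetime; 0 means 'never logged on'."""
    if filetime <= 0:
        return None
    seconds, ticks = divmod(filetime, TICKS_PER_S)
    base = datetime.fromtimestamp(seconds - FILETIME_EPOCH_OFFSET_S, tz=timezone.utc)
    return base + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic avoids float rounding."""
    seconds = int(dt.timestamp())
    return (seconds + FILETIME_EPOCH_OFFSET_S) * TICKS_PER_S + dt.microsecond * 10


def parse_ldif_attribute(ldif: str, name: str) -> Optional[str]:
    """Return a single-valued attribute from LDIF text (attribute names are case-insensitive)."""
    prefix = name.lower() + ":"
    for line in ldif.splitlines():
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return None


def logon_would_refresh(stored: Optional[datetime], now: datetime,
                        sync_interval_days: int = 14, random_offset_days: int = 0) -> bool:
    """Would a logon at `now` rewrite lastLogonTimestamp?

    The DC updates it only when the stored value is older than
    (msDS-LogonTimeSyncInterval - random 0..5 days).  A zero interval disables
    updates entirely, which is the answer's second troubleshooting point.
    """
    if sync_interval_days <= 0:
        return False
    if stored is None:
        return True
    return stored < now - timedelta(days=sync_interval_days - random_offset_days)


def assess(ldif: str, now: datetime, purge_after_days: int = 90,
           sync_interval_days: int = 14) -> dict:
    """Summarise how far the stored timestamp is from a hypothetical purge threshold."""
    raw = parse_ldif_attribute(ldif, "lastLogonTimestamp")
    stored = filetime_to_datetime(int(raw)) if raw else None
    if stored is None:
        stale_days, remaining = None, 0
    else:
        stale_days = (now - stored).days
        remaining = purge_after_days - stale_days
    return {
        "account": parse_ldif_attribute(ldif, "sAMAccountName"),
        "stored_last_logon": stored.isoformat() if stored else None,
        "stale_days": stale_days,
        # Because of the lag, the real last logon may be up to sync_interval_days newer.
        "max_attribute_lag_days": sync_interval_days,
        "days_until_purge": remaining,
        "next_logon_refreshes": logon_would_refresh(stored, now, sync_interval_days),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_LDIF, utc(2021, 6, 20)))
```

With the sample value and a clock of 2021-06-20, the attribute is 18 days stale and a logon now would refresh it; with a clock of 2021-06-10 the same logon would not, because the stored value is still inside the 14-day window. That is exactly the case where a jump-host login "worked" on the Linux side but the AD attribute stays put, so a check on the AD side should be made only after the interval has elapsed.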