We are using Freeipa to our satisfaction.

We are trying to create a bastion/jumphost/... and in order to do it, we want 
to protect the bastion so that nobody can access it directly (except of course 
some admin people).
And at the same time, we want that the users access some hosts through the 
bastion via ssh proxy.

Manually it works as expected. Let say that I have a user `testuser`, this user 
has a ssh key like this one `ssh-ed25519 AAAAC3N testu...@example.com`.

So on the bastion, I will create the following entry in the authorized_keys for 
the testuser:

no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N 

And in the other hosts, I will use the ssh key:

                ssh-ed25519 AAAAC3N testu...@example.com

How can I give some SSH key restrictions per host? From what I’ve seen in 
freeipa, you can either give the restriction in the ssh key for the user, as 
the first entry or the second, and it will apply to every server without any 
possibility to customization.

An extension to that would be, If I am connecting from our internal network 
(, then you could connect to the bastion directly, but if you 
are outside the internal network, then you cannot... and in that case, the ssh 
entries in authorized_keys would be something like that:

                from=”” ssh-ed25519 AAAAC3N testu...@example.com
Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com

Is there a way to do that in freeipa? Because I would like to avoid as much as 
possible to handle the ssh keys “manually” outside from freeipa...

Thank you very much in advance for your help.


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to