On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via FreeIPA-users 
> Hello,
> We are using FreeIPA to our satisfaction.
> We are trying to create a bastion/jumphost/... and in order to do it, we want 
> to protect the bastion so that nobody can access it directly (except of 
> course some admin people).
> And at the same time, we want that the users access some hosts through the 
> bastion via ssh proxy.
> Manually it works as expected. Let's say that I have a user `testuser`, this 
> user has an ssh key like this one `ssh-ed25519 AAAAC3N testu...@example.com`.
> So on the bastion, I will create the following entry in the authorized_keys 
> for the testuser:
> no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 
> AAAAC3N testu...@example.com
> And in the other hosts, I will use the ssh key:
> ssh-ed25519 AAAAC3N testu...@example.com
> How can I give some SSH key restrictions per host? From what I've seen in 
> FreeIPA, you can either give the restriction in the ssh key for the user, as 
> the first entry or the second, and it will apply to every server without any 
> possibility of customization.
> An extension to that would be: if I am connecting from our internal network 
> (, then you could connect to the bastion directly, but if you 
> are outside the internal network, then you cannot... and in that case, the 
> ssh entries in authorized_keys would be something like that:
> from="" ssh-ed25519 AAAAC3N testu...@example.com
> from="!",no-pty,no-X11-forwarding,command="/bin/echo 
> Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com
> Is there a way to do that in FreeIPA? Because I would like to avoid as much 
> as possible handling the ssh keys "manually" outside of FreeIPA...
> Thank you very much in advance for your help.
> Regards,
> Alessandro

Did you consider creating an ID override for this host and only using the
key in this override?
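The question above hinges on the authorized_keys option syntax (a forced command plus no-pty on the bastion, plain keys on the target hosts, and a from= pattern to distinguish internal from external clients). Whether those lines end up on the bastion by hand or through an ID override, someone still has to check that every non-admin key there is actually locked down. The following is an added example, not code from FreeIPA or from either participant: a small parser for authorized_keys lines that honours quoted option values (commas and spaces inside from= and command=), an audit that lists entries without the proxy-only restrictions, and a builder that emits the two-line bastion form. The sample lines, the 10.0.0.0/8 network and the key material are constructed placeholders. Note the sshd(8) pattern-list rule in the builder: a from= list consisting only of a negation never matches, so the external-only line needs a trailing `*`.

```python
"""Parse OpenSSH authorized_keys lines and flag entries that lack the
bastion-style restrictions (forced command + no-pty) discussed in the thread.

Added example, not FreeIPA code. Option syntax follows sshd(8)
"AUTHORIZED_KEYS FILE FORMAT"; sample lines and keys are constructed.
"""

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# Constructed sample file, modelled on the lines in the thread (placeholder key blob).
SAMPLE_LINES = [
    'ssh-ed25519 AAAAC3N testuser@example.com',
    'no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser@example.com',
    'from="10.0.0.0/8" ssh-ed25519 AAAAC3N testuser@example.com',
    'from="!10.0.0.0/8,*",no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser@example.com',
    '# comment line',
    '',
]


def parse_options(text):
    """Parse the comma-separated option list in front of the key.

    Values are double-quoted and may contain commas and spaces
    (from="a,!b", command="/bin/echo Not-Permitted"); backslash escapes a quote.
    Option keywords are case-insensitive in sshd, so they are lower-cased here.
    """
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":
            j += 1
        name = text[i:j].strip().lower()
        if j < n and text[j] == "=":
            if j + 1 >= n or text[j + 1] != '"':
                raise ValueError(f"option {name!r}: value must be double-quoted")
            k, buf = j + 2, []
            while k < n and text[k] != '"':
                if text[k] == "\\" and k + 1 < n and text[k + 1] == '"':
                    buf.append('"')
                    k += 2
                else:
                    buf.append(text[k])
                    k += 1
            if k >= n:
                raise ValueError(f"option {name!r}: unterminated quote")
            opts[name] = "".join(buf)
            i = k + 1
        else:
            if name:
                opts[name] = True
            i = j
        if i < n and text[i] == ",":
            i += 1
    return opts


def parse_line(line):
    """Return {'options', 'keytype', 'blob', 'comment'} or None for blank/# lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    in_quote = False
    for i, ch in enumerate(s):
        if ch == '"' and (i == 0 or s[i - 1] != "\\"):
            in_quote = not in_quote          # track quoted option values
            continue
        if in_quote or (i > 0 and not s[i - 1].isspace()):
            continue                         # only look at token starts outside quotes
        for kt in KEY_TYPES:
            end = i + len(kt)
            if s.startswith(kt, i) and end < len(s) and s[end].isspace():
                parts = s[i:].split(None, 2)
                return {
                    "options": parse_options(s[:i].strip()) if i else {},
                    "keytype": parts[0],
                    "blob": parts[1],
                    "comment": parts[2] if len(parts) > 2 else "",
                }
    raise ValueError(f"no recognised key type in line: {line!r}")


def is_restricted(entry):
    """True when the key can only run a forced command without a pty
    ('restrict' is the OpenSSH shorthand that implies no-pty and more)."""
    o = entry["options"]
    return "command" in o and ("no-pty" in o or "restrict" in o)


def audit(lines, allowed_comments=()):
    """Return (line_number, comment) for every unrestricted key whose comment is
    not on the allow list (e.g. the admins who may log in directly)."""
    findings = []
    for num, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None or entry["comment"] in allowed_comments:
            continue
        if not is_restricted(entry):
            findings.append((num, entry["comment"]))
    return findings


def bastion_entries(pubkey, internal_net=None):
    """Build the bastion's authorized_keys line(s) for one user key as the thread
    sketches: proxy-only by default; with internal_net, direct login from inside
    and proxy-only from everywhere else (negation alone never matches, hence ',*')."""
    restricted = 'no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ' + pubkey
    if internal_net is None:
        return [restricted]
    return [f'from="{internal_net}" ' + pubkey,
            f'from="!{internal_net},*",' + restricted]


if __name__ == "__main__":
    for num, who in audit(SAMPLE_LINES):
        print(f"line {num}: unrestricted key for {who}")
    print("\n".join(bastion_entries("ssh-ed25519 AAAAC3N testuser@example.com", "10.0.0.0/8")))
```

Run it against a real file with `audit(open("/etc/ssh/authorized_keys/testuser").read().splitlines())`; the allow list takes the key comments of the admin accounts that are permitted an interactive login on the bastion.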
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org