On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via FreeIPA-users wrote:
> Hello,
>
> We are using Freeipa to our satisfaction.
>
> We are trying to create a bastion/jumphost/... and in order to do it, we want
> to protect the bastion so that nobody can access it directly (except of
> course some admin people).
> And at the same time, we want the users to access some hosts through the
> bastion via ssh proxy.
>
> Manually it works as expected. Let's say that I have a user `testuser`; this
> user has an ssh key like this one: `ssh-ed25519 AAAAC3N testu...@example.com`.
>
> So on the bastion, I will create the following entry in the authorized_keys
> for the testuser:
>
> no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519
> AAAAC3N testu...@example.com
>
> And on the other hosts, I will use the ssh key:
>
> ssh-ed25519 AAAAC3N testu...@example.com
>
> How can I give some SSH key restrictions per host? From what I’ve seen in
> freeipa, you can either give the restriction in the ssh key for the user, as
> the first entry or the second, and it will apply to every server without any
> possibility of customization.
>
> An extension to that would be: if I am connecting from our internal network
> (192.168.0.0/24), then you could connect to the bastion directly, but if you
> are outside the internal network, then you cannot... and in that case, the
> ssh entries in authorized_keys would be something like this:
>
> from="192.168.0.0/24" ssh-ed25519 AAAAC3N testu...@example.com
> from="!192.168.0.0/24",no-pty,no-X11-forwarding,command="/bin/echo
> Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com
>
> Is there a way to do that in freeipa? Because I would like to avoid as much
> as possible having to handle the ssh keys “manually” outside of freeipa...
>
> Thank you very much in advance for your help.
>
> Regards,
> Alessandro
Did you consider creating an ID override for this host and only use the key in this override?
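The following script is an added example (not from either poster) of the ID-override approach suggested in the reply, using the FreeIPA ID views CLI: the user's unrestricted key stays on the IPA user entry and serves every other host, while a per-host ID view carries the `no-pty,no-X11-forwarding,command=...` variant of the same key and is applied to the bastion only. The view name `bastion-view`, the host `bastion.example.com` and the `DRY_RUN` switch are assumptions for illustration; the `ipa idview-add`, `ipa idoverrideuser-add --sshpubkey` and `ipa idview-apply --hosts` commands are the standard FreeIPA ones.

```shell
#!/bin/sh
# Added example, not part of the original thread: restrict a user's SSH key on one
# host (the bastion) through a FreeIPA ID view, leaving the key unrestricted elsewhere.
# Hypothetical names: view "bastion-view", host "bastion.example.com", user "testuser".
set -eu

# Compose the restricted authorized_keys entry for the bastion from a bare public key,
# exactly as the thread describes it (no shell, no X11 forwarding, fixed command).
restricted_entry() {
    # $1: bare public key, e.g. "ssh-ed25519 AAAAC3N testuser@example.com"
    printf 'no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" %s\n' "$1"
}

# Execute a command, or just print it when DRY_RUN=1 so the plan can be reviewed
# (and tested) on a machine without an IPA client.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the view, override the user's key inside it, and apply the view to the bastion.
# sssd on the bastion then resolves the override (restricted) key for this user, while
# all other enrolled hosts keep using the unrestricted key from the user entry.
provision_bastion_override() {
    view=$1; user=$2; host=$3; key=$4
    run ipa idview-add "$view" --desc "Restricted SSH keys for $host"
    run ipa idoverrideuser-add "$view" "$user" --sshpubkey="$(restricted_entry "$key")"
    run ipa idview-apply "$view" --hosts="$host"
}

# Stand-alone use:  ./bastion-override.sh --apply 'ssh-ed25519 AAAAC3N testuser@example.com'
if [ "${1:-}" = "--apply" ]; then
    provision_bastion_override bastion-view testuser bastion.example.com "${2:?public key required}"
fi
```

Run it with `DRY_RUN=1` first to see the three `ipa` calls before anything is written, and remember that the host must be enrolled and running sssd for the override to take effect. This also sidesteps the `from="!192.168.0.0/24"` idea from the question: in OpenSSH a pattern list consisting only of negated entries never matches positively on its own, so a source-network split is better expressed as separate entries (or separate hosts) than as a negation.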