On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via FreeIPA-users
> We are using Freeipa to our satisfaction.
> We are trying to create a bastion/jumphost/... and in order to do it, we want
> to protect the bastion so that nobody can access it directly (except of
> course some admin people).
> And at the same time, we want that the users access some hosts through the
> bastion via ssh proxy.
> Manually it works as expected. Let's say that I have a user `testuser`; this
> user has an ssh key like this one `ssh-ed25519 AAAAC3N testu...@example.com`.
> So on the bastion, I will create the following entry in the authorized_keys
> for the testuser:
> no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519
> AAAAC3N testu...@example.com
> And in the other hosts, I will use the ssh key:
> ssh-ed25519 AAAAC3N testu...@example.com
> How can I give some SSH key restrictions per host? From what I've seen in
> freeipa, you can either give the restriction in the ssh key for the user, as
> the first entry or the second, and it will apply to every server without any
> possibility of customization.
> An extension to that would be: if I am connecting from our internal network
> (192.168.0.0/24), then you could connect to the bastion directly, but if you
> are outside the internal network, then you cannot... and in that case, the
> ssh entries in authorized_keys would be something like that:
> from="192.168.0.0/24" ssh-ed25519 AAAAC3N testu...@example.com
> Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com
> Is there a way to do that in freeipa? Because I would like to avoid, as much
> as possible, handling the ssh keys "manually" outside of freeipa...
> Thank you very much in advance for your help.
Did you consider creating an ID override for this host and only using the
key in this override?
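As an added illustration (not part of the thread), the following evaluates what the two kinds of authorized_keys entries discussed above grant a connection from a given client address, following sshd's rules for the options field and for `from=` pattern lists (positive match required, any `!` match denies). The sample entries, the key comment and the truncated key blob are constructed; hostname patterns are not resolved.

```python
import fnmatch
import ipaddress
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}  # subset
# Constructed samples modelled on the thread's entries (key blob truncated on purpose).
BASTION = 'no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N jump@example.com'
INTERNAL = 'from="192.168.0.0/24" ssh-ed25519 AAAAC3N jump@example.com'

def _split(text, is_sep):
    """Split on separators, but never inside double quotes (command="/bin/echo Not-Permitted")."""
    parts, cur, quoted = [], "", False
    for ch in text:
        quoted ^= ch == '"'
        if is_sep(ch) and not quoted:
            parts += [cur] if cur else []
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def parse_entry(line):
    """Parse one authorized_keys line into options, key type, key blob and comment."""
    tokens, options = _split(line.strip(), str.isspace), {}
    if tokens and tokens[0] not in KEY_TYPES:  # a leading options field is present
        for opt in _split(tokens.pop(0), lambda c: c == ","):
            name, _, value = opt.partition("=")
            options[name] = value.strip('"') if value else True
    if len(tokens) < 2 or tokens[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "type": tokens[0], "key": tokens[1], "comment": " ".join(tokens[2:])}

def from_allows(patterns, client_ip):
    """sshd semantics for from=: match a positive pattern and no negated (!) one; CIDR or globs only."""
    addr, matched = ipaddress.ip_address(client_ip), False
    for pat in patterns.split(","):
        negate, pat = pat.startswith("!"), pat.lstrip("!")
        try:
            hit = addr in ipaddress.ip_network(pat, strict=False)
        except ValueError:  # not an address or CIDR: treat as a glob on the address text
            hit = fnmatch.fnmatchcase(client_ip, pat)
        if hit and negate:
            return False
        matched = matched or hit
    return matched

def evaluate(line, client_ip):
    """What a login with this key from client_ip gets: denied, or allowed with any forced command."""
    opts = parse_entry(line)["options"]
    if "from" in opts and not from_allows(opts["from"], client_ip):
        return {"allowed": False}
    return {"allowed": True, "command": opts.get("command"), "pty": "no-pty" not in opts}
```

Running `evaluate(BASTION, ip)` shows the bastion entry only ever yields the forced echo with no PTY, while `evaluate(INTERNAL, ip)` is denied outright for any address outside 192.168.0.0/24.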
FreeIPA-users mailing list -- email@example.com