On 26.09.17, 12:19, "Jakub Hrozek via FreeIPA-users" 
<freeipa-users@lists.fedorahosted.org> wrote:

    On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via 
FreeIPA-users wrote:
    > Hello,
    > We are using Freeipa to our satisfaction.
    > We are trying to create a bastion/jumphost/... and in order to do it, we 
want to protect the bastion so that nobody can access it directly (except of 
course some admin people).
    > And at the same time, we want the users to access some hosts through the bastion via ssh proxy.
    > Manually it works as expected. Let's say that I have a user `testuser`, and this user has an ssh key like this one `ssh-ed25519 AAAAC3N 
    > So on the bastion, I will create the following entry in the authorized_keys for the testuser:
    >     no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com
    > And in the other hosts, I will use the ssh key:
    >     ssh-ed25519 AAAAC3N testu...@example.com
    > How can I give some SSH key restrictions per host? From what I've seen in freeipa, you can either give the restriction in the ssh key for the user, as the first entry or the second, and it will apply to every server without any possibility of customization.
    > An extension to that would be: if I am connecting from our internal network (, then you could connect to the bastion directly, but if you are outside the internal network, then you cannot... and in that case, the ssh entries in authorized_keys would be something like that:
    >     from="" ssh-ed25519 AAAAC3N 
    >     from="!",no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testu...@example.com
    > Is there a way to do that in freeipa? Because I would like to avoid as much as possible handling the ssh keys "manually" outside of freeipa...
    > Thank you very much in advance for your help.
    > Regards,
    > Alessandro
    Did you consider creating an ID override for this host and only use the
    key in this override?

In fact, I have just found a better solution for my specific use case.
I create a technical user in freeipa, and this user contains an entry for each 
user allowed to go through the bastion only:

       no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N1 testus...@example.com
       no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N2 testus...@example.com
       no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N3 testus...@example.com

And that way I can script it in order to get the ssh key from the user and add 
it to my technical user :-) and the same to remove them!
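A sketch of the scripting step described above, as an added example that is not part of this thread or of FreeIPA itself. It assumes the `ipa` CLI is on PATH with an admin Kerberos ticket, that the technical user is named `bastion-proxy`, and that `ipa user-show --raw --all` prints stored keys as `ipasshpubkey:` lines; the key-rewriting helper is pure shell, so it also strips options that are already present instead of stacking a second copy.

```shell
#!/bin/sh
# Added example, not from the thread. Turns a user's FreeIPA-stored ssh key
# into the "bastion-only" authorized_keys form and adds/removes it on a
# technical user. Assumptions: the `ipa` CLI is on PATH with an admin
# Kerberos ticket, the technical user is "bastion-proxy", and
# `ipa user-show --raw --all` prints stored keys as "ipasshpubkey: ..." lines.

RESTRICTIONS='no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted"'

# Print "<type> <base64> [comment]" for a key line, dropping any options that
# precede the key type, so restricting an already-restricted key is a no-op.
strip_key_options() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/) {
                out = $i
                for (j = i + 1; j <= NF; j++) out = out " " $j
                print out
                exit
            }
    }'
}

# The line that belongs in the technical user's key set for this key.
restricted_line() {
    printf '%s %s\n' "$RESTRICTIONS" "$(strip_key_options "$1")"
}

# All keys FreeIPA holds for user $1 (assumed raw attribute output format).
user_keys() {
    ipa user-show "$1" --raw --all | sed -n 's/^[[:space:]]*ipasshpubkey: //p'
}

# sync_bastion_keys USER [add|del] [TECH_USER]
# --addattr/--delattr touch only the one value; --sshpubkey would replace
# every key stored on the technical user.
sync_bastion_keys() {
    user=$1; action=${2:-add}; tech=${3:-bastion-proxy}
    case $action in
        add) flag=--addattr ;;
        del) flag=--delattr ;;
        *)   echo "usage: sync_bastion_keys USER [add|del] [TECH_USER]" >&2; return 1 ;;
    esac
    user_keys "$user" | while IFS= read -r key; do
        ipa user-mod "$tech" "$flag=ipasshpubkey=$(restricted_line "$key")"
    done
}
```

Run `sync_bastion_keys testuser` when a user is allowed through the bastion and `sync_bastion_keys testuser del` when access is withdrawn; the comment on each stored key identifies which user it came from.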

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
