On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote:
> On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which
> local users are able to SSH into a system.
> On IPA clients I am using HBAC to control the same for IPA users. But
> what's the best way to control which local users can SSH in to an IPA
> client?
Sorry, I forgot to add "... without disrupting access to the IPA client
for IPA users".
It looks like I could modify the ipausers group to be a POSIX group, and
then put 'AllowGroups ipausers' into sshd_config. That way all local
users would be denied, and all IPA users would be allowed, with
pam_sss.so later controlling access based on HBAC.
I found this in the FreeIPA 2.2.0 release notes:
"On new installations the default users group, ipausers, is now
non-POSIX to speed up user enumeration in SSSD. To make ipausers a POSIX
group run ipa group-mod --posix ipausers."
So it seems like this is a safe and normal thing to do. I wonder if
there are any references to the user enumeration performance issue in
SSSD? My own domain doesn't have many users, but I'm also considering
doing this at work, and I'd like to understand the sorts of issues it
might cause.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
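The approach sketched in the message above (make ipausers POSIX, then rely on `AllowGroups ipausers` so local accounts never reach PAM) depends on sshd's documented evaluation order: DenyUsers, AllowUsers, DenyGroups, then AllowGroups, each one a further restriction. The model below is an added example, not code from the thread or from the FreeIPA project. It reproduces that order over a constructed sshd_config excerpt and constructed group memberships (the lists are what `id -Gn` would print for a made-up set of local and IPA accounts); the drop-in path named in the config comment is hypothetical, and USER@HOST patterns are reduced to their USER part, which assumes no host-restricted entries are in use.

```python
import re
from fnmatch import fnmatchcase

# sshd_config(5): access directives are processed in this order, and every
# one present must be satisfied.
DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

# Constructed sshd_config excerpt (path is hypothetical). Only the access
# directives matter to this model; other keywords are ignored.
SSHD_CONFIG = """
# /etc/ssh/sshd_config.d/10-ipa.conf
AllowGroups ipausers
"""

# Constructed memberships, primary group first, as SSSD would serve them
# once `ipa group-mod --posix ipausers` has given ipausers a GID.
GROUPS_POSIX = {
    "alice":  ["alice", "ipausers"],           # IPA user
    "bob":    ["bob", "ipausers", "wheel"],    # IPA user, also in wheel
    "backup": ["backup"],                      # local service account
    "root":   ["root"],                        # local root
}

# The same accounts while ipausers is still non-POSIX: with no GID there is
# nothing for SSSD to return, so the group appears in nobody's list.
GROUPS_NONPOSIX = {u: [g for g in gs if g != "ipausers"]
                   for u, gs in GROUPS_POSIX.items()}


def parse_access_directives(text):
    """Collect the patterns of the four access directives from sshd_config text."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Keyword arg" and "Keyword=arg"; keywords are case-insensitive.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key in DIRECTIVES and len(parts) == 2:
            found.setdefault(key, []).extend(parts[1].split())
    return found


def _match(name, patterns):
    # sshd patterns use '*' and '?'. USER@HOST entries are reduced to USER
    # here (assumption: no host-restricted entries on this host).
    return any(fnmatchcase(name, p.split("@", 1)[0]) for p in patterns)


def sshd_allows(user, groups, config_text):
    """Return (allowed, reason) after DenyUsers, AllowUsers, DenyGroups, AllowGroups.

    'allowed' means sshd proceeds to authentication, where pam_sss.so and
    HBAC get their say; it does not mean the login will succeed.
    """
    d = parse_access_directives(config_text)
    if _match(user, d.get("denyusers", [])):
        return False, "DenyUsers"
    if "allowusers" in d and not _match(user, d["allowusers"]):
        return False, "not in AllowUsers"
    if any(_match(g, d.get("denygroups", [])) for g in groups):
        return False, "DenyGroups"
    if "allowgroups" in d and not any(_match(g, d["allowgroups"]) for g in groups):
        return False, "not in AllowGroups"
    return True, "passed to PAM"


def who_can_connect(membership, config_text=SSHD_CONFIG):
    """Map each account to whether sshd lets it reach authentication."""
    return {u: sshd_allows(u, gs, config_text)[0] for u, gs in membership.items()}


if __name__ == "__main__":
    for label, members in (("ipausers POSIX", GROUPS_POSIX),
                           ("ipausers non-POSIX", GROUPS_NONPOSIX)):
        print(label, who_can_connect(members))
```

Two points the model makes visible: with ipausers still non-POSIX, the same `AllowGroups ipausers` line locks out the IPA users too, because the group is never returned for them; and once `AllowGroups` is present, an `AllowUsers backup` line on its own does not readmit a local account, since every directive must pass, so a local exception has to be expressed as an extra group in `AllowGroups`. On a real client, check the pieces in order: `getent group ipausers` should return a GID after the `group-mod`, and `sshd -t` followed by `sshd -T | grep -i allowgroups` confirms the effective sshd setting before the service is restarted.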