On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
> Yes that looks about right, not able to confirm 100%, but that is
> probably the issue.

We're looking into it. However, I should point out that using srchost is
a very unreliable means of restricting access. There are numerous
problems with it, most notably because we have to rely on what PAM sends
us in the srchost field, which is not defined in the spec, so different
applications such as 'login' and 'sshd' sometimes put different values
in those fields.

In SSSD upstream, we're defaulting to ignoring srchost rules because
they're 1) unreliable and 2) cause significant performance impact on
networks with lots of host entries.

Our general recommendation is that if you want to restrict access from
specific hosts, it's usually a better idea to do this at the firewall
level, rather than the HBAC level.

Freeipa-users mailing list
