On 01/05/2012 11:54 AM, Stephen Gallagher wrote: > On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote: >> Yes that look about right, not able to confirm 100%, but that is >> probably the issue. > > > We're looking into it. However, I should point out that using srchost is > a very unreliable means of restricting access. There are numerous > problems with it, most notably because we have to rely on what PAM sends > us in the srchost field, which is not defined in the spec, so different > applications such as 'login' and 'sshd' sometimes put different values > in those fields. > > In SSSD upstream, we're defaulting to ignoring srchost rules because > they're 1) unreliable and 2) cause significant performance impact on > networks with lots of host entries. > > Our general recommendation is that if you want to restrict access from > specific hosts, it's usually a better idea to do this at the firewall > level, rather than the HBAC level.
Well that kind of puts that whole HBAC thing on the skids doesn't it? Unfortunate that it works that way, and yes firewalling is always a good option. Thanks for the info, -Erinn
Description: OpenPGP digital signature
_______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users