On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>> Yes, that looks about right, not able to confirm 100%, but that is
>> probably the issue.
> 
> 
> We're looking into it. However, I should point out that using srchost is
> a very unreliable means of restricting access. There are numerous
> problems with it, most notably because we have to rely on what PAM sends
> us in the srchost field, which is not defined in the spec, so different
> applications such as 'login' and 'sshd' sometimes put different values
> in those fields.
> 
> In SSSD upstream, we're defaulting to ignoring srchost rules because
> they're 1) unreliable and 2) cause significant performance impact on
> networks with lots of host entries.
> 
> Our general recommendation is that if you want to restrict access from
> specific hosts, it's usually a better idea to do this at the firewall
> level, rather than the HBAC level.

Well that kind of puts that whole HBAC thing on the skids doesn't it?
Unfortunate that it works that way, and yes firewalling is always a good
option.

Thanks for the info,
-Erinn



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
