On Jan 5, 2012, at 3:14 PM, "Stephen Gallagher" <sgall...@redhat.com> wrote:
> On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs
> <erinn.looneytri...@gmail.com> wrote:
>> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>>> Yes that look about right, not able to confirm 100%, but that is
>>>> probably the issue.
>>> We're looking into it. However, I should point out that using srchost is
>>> a very unreliable means of restricting access. There are numerous
>>> problems with it, most notably because we have to rely on what PAM sends
>>> us in the srchost field, which is not defined in the spec, so different
>>> applications such as 'login' and 'sshd' sometimes put different values
>>> in those fields.
>>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>>> they're 1) unreliable and 2) cause significant performance impact on
>>> networks with lots of host entries.
>>> Our general recommendation is that if you want to restrict access from
>>> specific hosts, it's usually a better idea to do this at the firewall
>>> level, rather than the HBAC level.
>> Well that kind of puts that whole HBAC thing on the skids doesn't it?
> Well, target host works fine. The real problem is with accurately identifying
> the remote host that the connection originated from.
> So you can still write rules that say "only these users can log onto these
If you absolutely must use it, I have found that access.conf works well enough
to limit srchost ssh access:
>> Unfortunate that it works that way, and yes firewalling is always a good
>> Thanks for the info,
> Freeipa-users mailing list
Freeipa-users mailing list
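One way to do what the reply above suggests, as an added example and not the poster's own file: a constructed /etc/security/access.conf that lets pam_access restrict ssh logins by originating host, in place of an HBAC srchost rule. The group names, subnet and host name are placeholders.

```text
# /etc/security/access.conf -- constructed example, not the poster's config.
# Each line is:  permission : users/groups : origins
# pam_access compares the origins field with PAM_RHOST, which sshd sets to the
# client's address or name; console logins have no rhost and match LOCAL.

# Local console access for root and the wheel group (parentheses force the
# name to be read as a group).
+ : root : LOCAL
+ : (wheel) : LOCAL

# Members of the "admins" group may log in from the management subnet or
# from the bastion host. Placeholder addresses and names.
+ : (admins) : 10.0.0.0/24 bastion.example.com

# Everything else is refused. Keep this line last: entries are read in order
# and the first match wins, so a catch-all earlier would shadow the rest.
- : ALL : ALL
```

The file only takes effect once `account required pam_access.so` is present in the PAM stack that sshd uses (/etc/pam.d/sshd, or the system-auth include it pulls in), so test from a second session before closing the one you are editing from.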