On 07/08/2013 07:44 PM, KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet.
> ssh is fine.


no AIX experience, but I once overheard someone who did something like
this using pam and apparently you could use the pam_permission module:

http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm

so you could add this to /etc/pam.conf

telnet auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow

and create the file /etc/pam.groups.telnet with info like this:

+@mygroup1
+@mygroup2
-@mygroup3

in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
denied access.

You could harden it even more with good old tcp_wrappers
(hosts.allow, hosts.deny).

If you have a config tool (cfengine, puppet, whatever), this could be
quite easy to distribute once properly tested.

Totally untested :-) but maybe worth a shot.

--
groet,
natxo

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
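As an added example (not part of the list message above, and not IBM's pam_permission code), here is a small POSIX shell checker for a proposed /etc/pam.groups.telnet before it is pushed out with a config tool. It validates that every entry has the `+@group` / `-@group` shape the message uses and models which users would get in. The evaluation order is an assumption: the script treats the file as read top to bottom, stops at the first entry naming one of the user's groups, and treats "no matching entry" under found=allow as a deny; the IBM man page linked above is the authority on the real rules. The sample file, users and groups are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list message: a model of the telnet group-file
# rules described above, for checking a candidate file before rollout.
# ASSUMPTION: first matching entry wins; no match means deny (found=allow).
# Consult the pam_permission man page for the authoritative semantics.

# Constructed sample file (not a real host's configuration).
GROUPS_FILE="${TMPDIR:-/tmp}/pam.groups.telnet.example"
cat > "$GROUPS_FILE" <<'EOF'
# blank lines and comments are skipped by this checker

+@mygroup1
+@mygroup2
-@mygroup3
EOF

# check_groups_file FILE
# Returns 0 if every non-comment line is +@name or -@name, 1 otherwise.
check_groups_file() {
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
            [+-]@[A-Za-z_][A-Za-z0-9_]*) ;;
            *) printf 'line %d: malformed entry: %s\n' "$lineno" "$line" >&2
               status=1 ;;
        esac
    done < "$file"
    return $status
}

# telnet_allowed FILE GROUP...
# Returns 0 if the first entry matching one of GROUP... is a '+' entry,
# 1 if it is a '-' entry or if nothing matches (modelled as deny).
telnet_allowed() {
    file=$1; shift
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
        esac
        sign=${line%%@*}
        group=${line#*@}
        for g in "$@"; do
            if [ "$g" = "$group" ]; then
                [ "$sign" = "+" ] && return 0
                return 1
            fi
        done
    done < "$file"
    return 1
}

# Constructed users with their group memberships: "user group..."
if check_groups_file "$GROUPS_FILE"; then
    for user_groups in "alice mygroup1 staff" "bob mygroup3" "carol staff"; do
        set -- $user_groups
        user=$1; shift
        if telnet_allowed "$GROUPS_FILE" "$@"; then
            printf '%s: allowed\n' "$user"
        else
            printf '%s: denied\n' "$user"
        fi
    done
fi
```

Run it on a real host by pointing GROUPS_FILE at the deployed file and feeding `id -Gn user` output to telnet_allowed; the malformed-line check is the part worth keeping in a pre-deploy hook, since a typo in this file silently changes who can log in.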
