Just thought I'd pass along my work-around.

I create a group for each host called hostname-access and populate each
group with the users allowed to connect.

Then, using puppet, I push out an sshd_config that has "AllowGroups admins unixadmins hostname-access" (no colon after the keyword; sshd_config directives are just "Keyword value").

The erb is:  "AllowGroups admins unixadmins <%= host %>-access"

Then restart sshd.
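As an added illustration of the scheme described above (this is not code from the post or from FreeIPA/Puppet; the template text, the host names and the group memberships are constructed for the example), the ERB line can be rendered and checked in plain Ruby, since Puppet templates are ordinary ERB. The second half mirrors what sshd does with AllowGroups: a login is permitted only if the user is a member of at least one listed group, so a user in db01-access is rejected on web01 even though the same template is pushed everywhere.

```ruby
require 'erb'

# Constructed template mirroring the post's ERB line. sshd_config directives are
# "Keyword value", so there is no colon after AllowGroups.
SSHD_TEMPLATE = "AllowGroups admins unixadmins <%= host %>-access\n"

# Render the sshd_config fragment for one host, the way Puppet would for
# the node whose @host variable is set.
def render_sshd_config(host)
  ERB.new(SSHD_TEMPLATE).result_with_hash(host: host)
end

# Pull the group list out of the AllowGroups directive of a rendered config.
def allowed_groups(config)
  line = config.lines.find { |l| l.strip.start_with?('AllowGroups') }
  return [] unless line
  line.split[1..]
end

# Model of sshd's AllowGroups check: the user must belong to at least one of
# the listed groups (primary or supplementary). Wildcard patterns, which sshd
# also accepts, are not modelled here.
def login_permitted?(config, user_groups)
  !(allowed_groups(config) & user_groups).empty?
end

# Constructed group memberships standing in for the per-host groups kept in
# FreeIPA: one hostname-access group per host plus the two global admin groups.
GROUP_MEMBERS = {
  'admins'       => %w[alice],
  'unixadmins'   => %w[bob],
  'web01-access' => %w[carol],
  'db01-access'  => %w[dave]
}.freeze

# Groups a user belongs to according to the constructed directory above.
def groups_of(user)
  GROUP_MEMBERS.select { |_, members| members.include?(user) }.keys
end

# Would sshd on the given host let this user in under the pushed config?
def user_allowed_on?(user, host)
  login_permitted?(render_sshd_config(host), groups_of(user))
end

if __FILE__ == $PROGRAM_NAME
  %w[web01 db01].each do |host|
    puts "#{host}: #{render_sshd_config(host).strip}"
    %w[alice bob carol dave erin].each do |user|
      puts "  #{user}: #{user_allowed_on?(user, host) ? 'allowed' : 'denied'}"
    end
  end
end
```

After pushing a rendered file, `sshd -t -f /path/to/rendered_sshd_config` checks it parses before the restart; a stray colon in the keyword would be reported there rather than by locking everyone out.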

This is a lot of up-front work, but seems to be the easiest to maintain in the long run (at least until we can get AIX to honor HBAC rules.)  Unfortunately, I can't have groups of groups -- that would make initial setup even easier -- but I'm used to not having everything, as you can see. :)

This only works for sshd, obviously.  We do currently have ftp and telnet open (yeah, I know) but I'm trying to get those turned off.  In the meantime I can use tcp-wrappers to only allow those machines that need to connect.  This is sub-optimal, since unauthorized users may be able to telnet in from those machines.


The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
Freeipa-users mailing list