On 07/11/2013 05:39 PM, KodaK wrote:
> Just thought I'd pass along my work-around.
>
> I create a group for each host called hostname-access and populate
> each group with the users allowed to connect.
>
> Then, using puppet, I push out an sshd_config that has "AllowGroups:
> admins unixadmins hostname-access".
>
> The erb is: "AllowGroups: admins unixadmins <%= host %>-access"
>
> Then restart sshd.
>
> This is a lot of up-front work, but seems to be the easiest to
> maintain in the long run (at least until we can get
> AIX to honor HBAC rules.) Unfortunately, I can't have groups of
> groups -- that would make initial setup even
> easier -- but I'm used to not having everything, as you can see. :)
>
> This only works for sshd, obviously. We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off. In the meantime I can use tcp-wrappers to
> only allow those machines that need
> to connect. This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

Well it is something like this that I had in mind. But you have beaten me...
Great to see you found an acceptable solution.

>
> --Jason
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipaemail@example.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
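
As an added example (not part of the original thread or the posters' own code): a shell check that a rendered sshd_config follows the per-host group scheme described in the quoted message. The function name, exit codes and any hostnames passed to it are assumptions, and it expects sshd_config's whitespace-separated `AllowGroups group ...` form.

```shell
#!/bin/sh
# Added example: audit a rendered sshd_config against the per-host scheme
# "admins unixadmins <host>-access". Names and exit codes are assumptions.
# Returns 0 = matches the scheme
#         1 = an expected group is missing or an extra group is allowed
#         2 = no AllowGroups directive found (no group restriction in effect)

check_allowgroups() {
    config=$1
    host=${2%%.*}                 # short hostname, as used in "<host>-access"
    access_group="${host}-access"

    # Arguments of every active AllowGroups line, one per output line.
    # The keyword is matched case-insensitively; "#AllowGroups ..." is skipped
    # because its first field is not the bare keyword.
    actual=$(awk 'tolower($1) == "allowgroups" {
                      for (i = 2; i <= NF; i++) print $i
                  }' "$config")

    if [ -z "$actual" ]; then
        echo "$config: no AllowGroups directive found" >&2
        return 2
    fi

    status=0

    # Every group the scheme requires must be present.
    for g in admins unixadmins "$access_group"; do
        if ! printf '%s\n' "$actual" | grep -qxF -e "$g"; then
            echo "$config: expected group '$g' is missing" >&2
            status=1
        fi
    done

    # Anything else (another host's access group, a wildcard pattern)
    # widens access beyond the scheme.
    extra=$(printf '%s\n' "$actual" |
            grep -vxF -e admins -e unixadmins -e "$access_group" || true)
    if [ -n "$extra" ]; then
        echo "$config: unexpected groups allowed:" $extra >&2
        status=1
    fi

    return $status
}
```

Run it from the configuration-management pipeline after the template is rendered and before sshd is restarted, so a file rendered with the wrong host's group is caught before it takes effect.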