On Tue, 04 Feb 2014, William Muriithi wrote:
Hello

I have an ipa-server-2.2.0-16.el6.x86_64 server serving different version
of ipa-clients and so far it has been good. I have noticed that some of our
DEVs have started to ssh into some of the systems that I had no intention
of making available through ssh.

I have tried to revoke specific group ssh permission from a certain host
and I don't seem to be having luck. I have only looked under policy and IPA
server tabs but these two tabs seem like they can only add more access/role
from the default user.

Would it be possible to deny ssh access per host without pulling a host off
FreeIPA management?
from-host part of the rule is not enforced by default due to the fact
that it is pretty easy to fake that one on connection.

You can try to create more specific rules allowing access to the
systems. With allow_all rule disabled these would help -- when there is
no rule for that user to access an SSH service on the host, it will not
be able to do so.

Are you using allow_all rule right now?

http://www.freeipa.org/page/Howto/HBAC_and_allow_all
--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to