>> Would it be possible to deny ssh access per host without pulling a host
>> FreeIPA management?
> from-host part of the rule is not enforced by default due to the fact
> that it is pretty easy to fake that one on connection.
> You can try to create more specific rules allowing access to the
> systems. With allow_all rule disabled these would help -- when there is
> no rule for that user to access an SSH service on the host, it will not
> be able to do so.
> Are you using allow_all rule right now?
Yes, the all_allow rule was in place. I didn't see the allow all from the
browser though and wasn't aware of it either.

After I disabled it, I was able to achieve selective access. Thank you
very much.
> http://www.freeipa.org/page/Howto/HBAC_and_allow_all
> --
> / Alexander Bokovoy
Freeipa-users mailing list
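
The approach discussed in this thread, a specific HBAC rule for sshd with allow_all disabled, written out as `ipa` CLI calls. This is an added example, not part of the original messages; the user, host and rule names are constructed placeholders, and the commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: replace the catch-all allow_all HBAC rule with a rule that
# lets one user reach sshd on one host. All names passed in are placeholders.

# run: print the command; execute it only when APPLY=1 (dry run by default).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# restrict_ssh USER HOST RULE
# The specific rule is created and tested first; allow_all is disabled last,
# and only if every earlier step succeeded, so a failed step cannot leave the
# domain with no rule granting access at all.
restrict_ssh() {
    user=$1 host=$2 rule=$3
    run ipa hbacrule-add "$rule" --desc="SSH for $user on $host" &&
    run ipa hbacrule-add-user "$rule" --users="$user" &&
    run ipa hbacrule-add-host "$rule" --hosts="$host" &&
    run ipa hbacrule-add-service "$rule" --hbacsvcs=sshd &&
    # Evaluate only the new rule, so allow_all cannot mask a mistake in it.
    run ipa hbactest --user="$user" --host="$host" --service=sshd --rules="$rule" &&
    run ipa hbacrule-disable allow_all
}

# verify_access USER HOST
# Evaluate all enabled rules for sshd. Run it for a host the user has no rule
# for: with allow_all disabled, no rule should match there.
verify_access() {
    run ipa hbactest --user="$1" --host="$2" --service=sshd
}
```

With `APPLY=1`, run it from a session that holds an admin Kerberos ticket, then call `verify_access` for a host that should stay closed to the user.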
