Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-12 Thread Jakub Hrozek
On Tue, Apr 11, 2017 at 10:50:34PM -0400, Tym Rehm wrote:
> So I want a user "bob" to ssh into server1 as the username of "support"
> with support@server1, but not let Bob ssh into support@server2. I have
> Bob's ssh public key added to the support user. I can block Bob from
> server1 or server2 with HBAC, but I have to add support to both servers and
> since Bob's keys are added to Support. The support account is able to ssh
> into both servers.

Yeah, I think id views could help here, but I haven't tested it myself.

> 
> I've looked into ID views, but I'm having trouble finding a good document on
> how to set up ID views.

Does this help?

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
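
The ID-view approach suggested in this thread, as an added example (not written by either poster and not FreeIPA project code): the shell function below prints, without running them, the `ipa` commands that make one SSH public key valid for a shared account on a single host. The view name, host name and key are constructed placeholders, and it assumes the account's keys are removed from its global entry so that only the view supplies them.

```shell
#!/bin/sh
# Added example: prints (does not run) the ipa commands that scope an SSH key
# for a shared account to one host by way of an ID view.
# View name, host names and the key used below are constructed placeholders.

safe_name() {  # allow only characters that need no shell quoting
    case $1 in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

valid_pubkey() {  # exactly one line, known key type, no single quotes
    [ $(printf '%s\n' "$1" | wc -l) -eq 1 ] || return 1
    case $1 in
        *"'"*) return 1 ;;
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp???\ AAAA*) return 0 ;;
        *) return 1 ;;
    esac
}

# id_view_plan ACCOUNT VIEW HOST PUBKEY
id_view_plan() {
    [ $# -eq 4 ] || { echo "usage: id_view_plan ACCOUNT VIEW HOST PUBKEY" >&2; return 2; }
    for n in "$1" "$2" "$3"; do
        safe_name "$n" || { echo "unsafe name: $n" >&2; return 2; }
    done
    valid_pubkey "$4" || { echo "not a single OpenSSH public key" >&2; return 2; }
    cat <<EOF
# 1. Clear keys on the global entry so no host serves them by default.
ipa user-mod $1 --sshpubkey=
# 2. Create the view and override the account's keys inside it.
ipa idview-add $2 --desc='SSH keys for $1 on $3 only'
ipa idoverrideuser-add $2 $1 --sshpubkey='$4'
# 3. Attach the view to the one host that should accept the key.
ipa idview-apply $2 --hosts=$3
# 4. On $3: flush SSSD so the override is picked up, then list served keys.
sss_cache -E && systemctl restart sssd
sss_ssh_authorizedkeys $1
EOF
}

# Constructed sample values; the key blob is a placeholder, not a real key.
if [ "${1:-}" = demo ]; then
    id_view_plan support support_server1 server1.example.com \
        'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob@laptop'
fi
```

Running `sss_ssh_authorizedkeys support` on both hosts afterwards shows which keys SSSD hands to sshd: the key should be listed on the host with the view and absent on the other.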


Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-11 Thread Tym Rehm
So I want a user "bob" to ssh into server1 as the username of "support"
with support@server1, but not let Bob ssh into support@server2. I have
Bob's ssh public key added to the support user. I can block Bob from
server1 or server2 with HBAC, but I have to add support to both servers and
since Bob's keys are added to Support. The support account is able to ssh
into both servers.

I've looked into ID views, but I'm having trouble finding a good document on
how to set up ID views.

On Mon, Apr 10, 2017 at 2:17 AM, Jakub Hrozek wrote:

> On Mon, Apr 10, 2017 at 12:04:58AM -0400, Tym Rehm wrote:
> > Hey all, New user here.
> >
> > I have a user "user1" that I want to allow a couple of different users
> > "userX and userY" to be allowed to ssh into "server1" and "server2", but
> > not both servers using ssh-keys.
> >
> > So as an example. UserX will ssh user1@server2 with ssh-key, but I don't
> > want userY to be able to successfully run the same command.
> >
> > I currently have userX and userY's public ssh-key attached to user1 and I
> > have created a HBAC rule to allow user1 to connect with ssh on both server1
> > and server2. This is allowing user1 to connect to both servers fine,
> > without a password. It also is allowing users (X & Y) to ssh user1@server1
> > and user1@server2.
> >
> > How can I stop that to restrict userX to be able to ssh as user1 on server1,
> > but not server2?
> >
> > Do I need to do something with the keytabs or add the ssh-keys for userX to
> > the server1 host only?
>
> I'm honestly not sure if I understand the problem well, but would it be
> helpful to add SSH keys to an ID view that is attached to one of the
> servers only?



-- 
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.

Re: [Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-10 Thread Jakub Hrozek
On Mon, Apr 10, 2017 at 12:04:58AM -0400, Tym Rehm wrote:
> Hey all, New user here.
> 
> I have a user "user1" that I want to allow a couple of different users
> "userX and userY" to be allowed to ssh into "server1" and "server2", but
> not both servers using ssh-keys.
> 
> So as an example. UserX will ssh user1@server2 with ssh-key, but I don't
> want userY to be able to successfully run the same command.
> 
> I currently have userX and userY's public ssh-key attached to user1 and I
> have created a HBAC rule to allow user1 to connect with ssh on both server1
> and server2. This is allowing user1 to connect to both servers fine,
> without a password. It also is allowing users (X & Y) to ssh user1@server1
> and user1@server2.
> 
> How can I stop that to restrict userX to be able to ssh as user1 on server1,
> but not server2?
> 
> Do I need to do something with the keytabs or add the ssh-keys for userX to
> the server1 host only?

I'm honestly not sure if I understand the problem well, but would it be
helpful to add SSH keys to an ID view that is attached to one of the
servers only?



[Freeipa-users] SSH access to only specific hosts using ssh keys

2017-04-09 Thread Tym Rehm
Hey all, New user here.

I have a user "user1" that I want to allow a couple of different users
"userX and userY" to be allowed to ssh into "server1" and "server2", but
not both servers using ssh-keys.

So as an example. UserX will ssh user1@server2 with ssh-key, but I don't
want userY to be able to successfully run the same command.

I currently have userX and userY's public ssh-key attached to user1 and I
have created a HBAC rule to allow user1 to connect with ssh on both server1
and server2. This is allowing user1 to connect to both servers fine,
without a password. It also is allowing users (X & Y) to ssh user1@server1
and user1@server2.

How can I stop that to restrict userX to be able to ssh as user1 on server1,
but not server2?

Do I need to do something with the keytabs or add the ssh-keys for userX to
the server1 host only?

Sorry if this is confusing and thank you for your help on this.


-- 
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.