Re: [Freeipa-users] About AllowGroups with sshd
On (14/09/16 08:37), Jose Alvarez R. wrote:
>Hi Jakub
>
>Thanks for your response. It's an option, but my backup servers I will not
>add to the FreeIPA server.
>
>Then, I cannot use the option HBAC, because I want my backup server to be
>able to connect with root to some client server of my FreeIPA Server.
>

root is not handled by sssd/freeIPA. It is a local user, and thus access cannot be denied by HBAC.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] About AllowGroups with sshd
Hi Jakub

Thanks for your response. It's an option, but my backup servers I will not add to the FreeIPA server.

Then, I cannot use the option HBAC, because I want my backup server to be able to connect with root to some client server of my FreeIPA Server.

If I'm doing something wrong, please let me know.

Thanks, Regards

Jose Alvarez R.

-----Original Message-----
From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jakub Hrozek
Sent: Tuesday, 13 September 2016 02:22 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] About AllowGroups with sshd

On Mon, Sep 12, 2016 at 10:00:57AM -0600, Jose Alvarez R. wrote:
> Hello
>
> I have a question.
>
> I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6).
> I want to enable root for two servers, because they are backup servers.
>
> I add these lines in /etc/ssh/sshd_config of a client server.
>
> AllowUsers root@192.168.20.2
> AllowUsers root@192.168.20.90
> PermitRootLogin yes
>
> This is working, but when I try to log in with my IPA user, I can't log in.
>
> I add the line "AllowGroups" with my group of users_IPA
>
> AllowGroups
>
> But it is not working. Can you help me?
>
> Thanks, Regards
>
> Jose Alvarez.

I know I'm not answering your question directly, but isn't it better to use HBAC with IPA and centralize the access control rather than edit config files on the clients?

Re: [Freeipa-users] About AllowGroups with sshd
On Mon, Sep 12, 2016 at 10:00:57AM -0600, Jose Alvarez R. wrote:
> Hello
>
> I have a question.
>
> I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6).
> I want to enable root for two servers, because they are backup servers.
>
> I add these lines in /etc/ssh/sshd_config of a client server.
>
> AllowUsers root@192.168.20.2
> AllowUsers root@192.168.20.90
> PermitRootLogin yes
>
> This is working, but when I try to log in with my IPA user, I can't log in.
>
> I add the line "AllowGroups" with my group of users_IPA
>
> AllowGroups
>
> But it is not working. Can you help me?
>
> Thanks, Regards
>
> Jose Alvarez.

I know I'm not answering your question directly, but isn't it better to use HBAC with IPA and centralize the access control rather than edit config files on the clients?

[Freeipa-users] About AllowGroups with sshd
Hello

I have a question.

I have a FreeIPA 3.0 server (CentOS 6) with some client servers (CentOS 6). I want to enable root for two servers, because they are backup servers.

I add these lines in /etc/ssh/sshd_config of a client server.

AllowUsers root@192.168.20.2
AllowUsers root@192.168.20.90
PermitRootLogin yes

This is working, but when I try to log in with my IPA user, I can't log in.

I add the line "AllowGroups" with my group of users_IPA

AllowGroups

But it is not working. Can you help me?

Thanks, Regards

Jose Alvarez.
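
The behaviour described in this post, as an added example that is not part of the original thread: a simplified Python model of how sshd applies AllowUsers and then AllowGroups, where a login must pass every list that is set (the order documented in sshd_config(5)). The group name `ipa_group`, the user `jdoe` and the address 192.168.20.50 are constructed placeholders, and pattern matching is reduced to shell-style wildcards against the client address.

```python
# Added example: simplified model of sshd's AllowUsers / AllowGroups gates.
# Assumptions: no Deny* directives (the posted config has none); HOST is
# compared against the client address with shell-style wildcards only.
from fnmatch import fnmatchcase


def user_pattern_matches(pattern, user, addr):
    """AllowUsers entry is USER or USER@HOST; with @HOST both parts must match."""
    if "@" in pattern:
        user_pat, host_pat = pattern.rsplit("@", 1)
        return fnmatchcase(user, user_pat) and fnmatchcase(addr, host_pat)
    return fnmatchcase(user, pattern)


def login_allowed(user, addr, groups, allow_users, allow_groups):
    """Return (allowed, reason). Every list that is set must be passed:
    AllowUsers is checked first, then AllowGroups; neither widens the other."""
    if allow_users and not any(
            user_pattern_matches(p, user, addr) for p in allow_users):
        return False, "not listed in AllowUsers"
    if allow_groups and not any(
            fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"


# AllowUsers lines from the post; the group and user names are placeholders.
ALLOW_USERS = ["root@192.168.20.2", "root@192.168.20.90"]
ALLOW_GROUPS = ["ipa_group"]                          # hypothetical IPA group
IPA_USER = ("jdoe", "192.168.20.50", ["ipa_group"])   # constructed login
ROOT_BACKUP = ("root", "192.168.20.2", ["root"])      # root from a backup host


def scenarios():
    return {
        # AllowUsers alone: root from the backup host works, IPA user does not.
        "root, AllowUsers only": login_allowed(*ROOT_BACKUP, ALLOW_USERS, []),
        "ipa, AllowUsers only": login_allowed(*IPA_USER, ALLOW_USERS, []),
        # Adding AllowGroups: the IPA user still fails AllowUsers, and root
        # now also fails because it is not in the listed group.
        "ipa, both": login_allowed(*IPA_USER, ALLOW_USERS, ALLOW_GROUPS),
        "root, both": login_allowed(*ROOT_BACKUP, ALLOW_USERS, ALLOW_GROUPS),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:24} -> {'ACCEPT' if ok else 'REJECT'} ({reason})")
```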