On 11/09/2012 08:11 AM, Stephen Gallagher wrote:
> On Fri 09 Nov 2012 05:10:10 AM EST, Sumit Bose wrote:
>> On Fri, Nov 09, 2012 at 10:56:21AM +0100, Ondrej Valousek wrote:
>>> I would like to get similar functionality as for netgroups - i.e.
>>> who can log in where and from where using which mechanism.
>>> HBAC only offers the possibility to control who can log in where, I
>>> suppose, right?
>>>
>>> If I wanted to also control the from where and which mechanism (i.e.
>>> ssh/telnet/nfs) then only netgroups will help me, right?
>>
>> HBAC also covers the mechanism (in HBAC it is called service). To also
>> get the 'from where' you have to set ipa_hbac_support_srchost in
>> sssd.conf. Please note that determining the source host is not reliable
>> and depends on the PAM clients (sshd, telnetd, nfsd...).
>>
>
> I just want to note that source-host rules with netgroups are
> unreliable as well for the same reasons. PAM has no secure way of
> verifying that the rhost field is populated with accurate data and
> there is also no universal standard for what form the contents must
> take (DNS hostname vs IP address, etc.). Thus, it's never safe to rely
> on origin. That's the reason we stopped supporting this by default in
> SSSD.
Yes, exactly. We wanted to use the source host but it turned out to be a nightmare. So you might be better off restricting access via firewall rules and allowing ssh access only from a subset of systems. This is a much more reliable way of controlling the source of the connection.

> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
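As an added example (not code from this thread or from SSSD), one way to implement the firewall-side "from where" control Dmitri describes: a small POSIX shell script that generates an nftables ruleset accepting new SSH connections only from an allow-list of admin networks. The allow-list, the table name `ssh_filter`, and the assumptions that nftables is the host firewall and sshd listens on tcp/22 are mine, not the thread's.

```shell
#!/bin/sh
# Added example: enforce the SSH source restriction at the packet filter
# instead of trusting PAM's rhost. Assumes nftables and sshd on tcp/22.

ADMIN_NETS="10.0.100.0/24 192.0.2.10"   # constructed sample allow-list
SSH_PORT=22

# Emit an nft ruleset (text only, nothing is applied) that accepts new
# SSH connections only from $1 (space-separated CIDRs/addresses) on port $2
# and logs-and-drops new SSH connections from everywhere else.
gen_ssh_ruleset() {
    nets=$(printf '%s' "$1" | tr -s ' ' ',')
    cat <<EOF
table inet ssh_filter {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { $nets }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport $2 ip saddr @admin_nets ct state new accept
        tcp dport $2 ct state new log prefix "ssh-denied: " drop
    }
}
EOF
}

# Pre-deploy sanity check: succeed only if the ruleset text contains both
# the allow-list accept rule and the catch-all drop for new SSH sessions.
ruleset_restricts_ssh() {
    printf '%s\n' "$1" | grep -q 'ip saddr @admin_nets ct state new accept' \
        && printf '%s\n' "$1" | grep -q 'ct state new log prefix "ssh-denied: " drop'
}

RULESET=$(gen_ssh_ruleset "$ADMIN_NETS" "$SSH_PORT")
ruleset_restricts_ssh "$RULESET" || { echo "ruleset does not restrict SSH" >&2; exit 1; }
printf '%s\n' "$RULESET"
# Dry-run check, then apply:  printf '%s\n' "$RULESET" | nft -c -f -  &&  nft -f -
```

The denied connections are logged with the `ssh-denied:` prefix, so rejected attempts from hosts outside the allow-list show up in the kernel log for the SOC to review.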
