On Fri, 11 Jul 2014 14:08:27 +0200 Jakub Hrozek <[email protected]> wrote
> On Fri, Jul 11, 2014 at 11:20:25AM +0200, Michael Ströder wrote:
> > On Fri, 11 Jul 2014 10:45:10 +0200 Jakub Hrozek <[email protected]> wrote
> > > On Fri, Jul 11, 2014 at 08:58:10AM +0200, Michael Ströder wrote:
> > > > > HBAC is very similar to this but already done for you.
> > > > >
> > > > > http://www.freeipa.org/docs/master/html-desktop/index.html#configuring-host-access
> > > >
> > > > Does it also disallow LDAP read access to users/groups/sudoers which are
> > > > not allowed to login or to be used on a host?
> > >
> > > No, it's pure access control evaluated during the PAM access phase.
> >
> > This means: If a server gets hacked the attacker can find out more about
> > the rest of the server infrastructure by querying FreeIPA's LDAP backend.
>
> I think this is a more generic attack vector than just reading the info
> from LDAP. If the attacker gains control over an IPA client, they can
> impersonate the host completely, because they have access to the host
> keytab.
>
> bottom line -- set up sane ACIs :-)

Yes, my ACLs limit what a server or service can see: Only the users, groups and sudoers rules it really needs.

Somewhat the "side effect" of this is the authorization of who can log on where... ;-)

Ciao, Michael.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
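As an added illustration (not from the thread and not FreeIPA's own configuration) of the per-host ACIs Michael describes, the LDIF below grants one host principal read access only to the one login group and the sudo rules it needs. The host name, the group and rule names, the DIT layout under dc=example,dc=com and the assumption that the directory's default "any authenticated bind may read" permissions have already been narrowed are all mine.

```ldif
# Constructed example: host web01 may read only the group and sudo rules
# it needs. 389 Directory Server denies whatever no ACI allows, so this
# only has the intended effect once the broad default read permissions
# for authenticated principals have been removed (assumed here).
dn: cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=web01-logins,cn=groups,cn=accounts,dc=example,dc=com")
 (targetattr = "cn || gidNumber || member || memberUid || objectClass")
 (version 3.0; acl "web01 reads only its login group";
  allow (read, search, compare)
  userdn = "ldap:///fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com";)

# Native sudo rules live under cn=sudorules,cn=sudo,<suffix>; the rule
# naming prefix "web01-" is a convention assumed for this example.
dn: cn=sudorules,cn=sudo,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=web01-*,cn=sudorules,cn=sudo,dc=example,dc=com")
 (targetattr = "*")
 (version 3.0; acl "web01 reads only its own sudo rules";
  allow (read, search, compare)
  userdn = "ldap:///fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com";)

# Check from the host itself with its own keytab, i.e. with exactly the
# credentials a compromised client would hold; nothing outside the
# entries above should come back:
#   kinit -kt /etc/krb5.keytab host/web01.example.com
#   ldapsearch -Y GSSAPI -b cn=accounts,dc=example,dc=com '(objectClass=*)' dn
#   ldapsearch -Y GSSAPI -b cn=sudo,dc=example,dc=com '(objectClass=*)' dn
```

Repeating the same two searches from a host that should see a different group is the quickest way to confirm the ACIs are scoped per host rather than merely per attribute.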
