On 01/25/2013 11:28 AM, Matthew Barr wrote: > I need to add a few users that can authenticate with IPA (LDAP, in > some cases, kerberos in others), but can't SSH into hosts. > > I'm guessing the best option is to use some sort of group restriction > on the SSH /host side, vs anything else in IPA? > > Thanks! > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users
You can define Host-Based-Access-Control policies. By default any user is allowed to authenticate anywhere. There are no deny HBAC rules so you need to define which users are allowed to do what in your environment. HBAC rules are enforced by SSSD. This means that if you have an app that uses LDAP or kerberos auth bypassing pam stack the HBAC rules do not apply. You need to think it through very well because once you disable the default rule you might get into the situation where the legit authentication of the legit users is denied becuase you have not created a rule allowing those users to login. AFAIK there is also some kind of "no shell" capability in SSH which might be useful in this case but I am not a specialist in this area. -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users