>> Would it be possible to deny ssh access per host without pulling a host off
>> FreeIPA management?
>
> from-host part of the rule is not enforced by default due to the fact
> that it is pretty easy to fake that one on connection.
>
> You can try to create more specific rules allowing access to the
> systems. With allow_all rule disabled these would help -- when there is
> no rule for that user to access an SSH service on the host, it will not
> be able to do so.
>
> Are you using allow_all rule right now?
>

Yes, the all_allow rule was in place. I didn't see the allow all from the browser though and wasn't aware of it either.
After I disabled it, I was able to achieve selective access. Thank you very much.

> http://www.freeipa.org/page/Howto/HBAC_and_allow_all
> --
> / Alexander Bokovoy

William
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
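
The approach discussed in this thread, sketched with the `ipa` command-line client as an added example (not part of the original messages). The rule, group, user and host names in the usage comment are constructed placeholders. Because `allow_all` covers every host and service, the specific rule is created and tested before `allow_all` is disabled.

```shell
#!/bin/sh
# Added example: per-host SSH access with FreeIPA HBAC rules.
# Run on an enrolled machine with an admin Kerberos ticket (kinit admin).

# grant_ssh RULE GROUP HOST
# Create an HBAC rule that lets members of GROUP use the sshd service on HOST.
grant_ssh() {
    rule=$1
    group=$2
    host=$3
    ipa hbacrule-add "$rule" --desc="SSH to $host for $group" &&
    ipa hbacrule-add-user "$rule" --groups="$group" &&
    ipa hbacrule-add-host "$rule" --hosts="$host" &&
    ipa hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# check_rule USER HOST RULE
# Simulate the access decision against RULE only, so an enabled allow_all
# cannot mask a mistake in the new rule. Nothing is changed on the server.
check_rule() {
    ipa hbactest --user="$1" --host="$2" --service=sshd --rules="$3"
}

# check_enabled USER HOST
# Simulate the decision against all currently enabled rules, which is what
# a client enforces. Use it after allow_all is disabled to confirm that a
# user without a matching rule is denied.
check_enabled() {
    ipa hbactest --user="$1" --host="$2" --service=sshd
}

# disable_allow_all
# Turn off the catch-all rule. From this point, any user/host/service
# combination without a matching rule is denied on every managed host.
disable_allow_all() {
    ipa hbacrule-disable allow_all
}

# Typical order (placeholder names):
#   grant_ssh ssh_web1 webadmins web1.example.test
#   check_rule alice web1.example.test ssh_web1
#   disable_allow_all
#   check_enabled bob web1.example.test
```

Other services that relied on `allow_all` (for example sudo or console login through PAM) need their own rules before the last step, or they will be denied as well.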