Re: [Freeipa-users] Deny SSH access from selected host
>> Would it be possible to deny ssh access per host without pulling a host off >> FreeIPA management? > > from-host part of the rule is not enforced by default due to the fact > that it is pretty easy to fake that one on connection. > > You can try to create more specific rules allowing access to the > systems. With allow_all rule disabled these would help -- when there is > no rule for that user to access an SSH service on the host, it will not > be able to do so. > > Are you using allow_all rule right now? > Yes, the all_allow rule was in place. I didn't see the allow all from the browser though and wasn't aware of it either. After I disabled it, I was able to achieve selective access. Thank you very much. > http://www.freeipa.org/page/Howto/HBAC_and_allow_all > -- > / Alexander Bokovoy William ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Deny SSH access from selected host
On Tue, 04 Feb 2014, William Muriithi wrote: Hello I have an ipa-server-2.2.0-16.el6.x86_64 server serving different version of ipa-clients and so far it has been good. I have noticed that some of our DEVs have started to ssh into some of the systems that I had no intention of making available through ssh. I have tried to revoke specific group ssh permission from a certain host and I don't seem to be having luck. I have only looked under policy and IPA server tabs but these two tabs seem like they can only add more access/role from the default user. Would it be possible to deny ssh access per host without pulling a host off FreeIPA management? from-host part of the rule is not enforced by default due to the fact that it is pretty easy to fake that one on connection. You can try to create more specific rules allowing access to the systems. With allow_all rule disabled these would help -- when there is no rule for that user to access an SSH service on the host, it will not be able to do so. Are you using allow_all rule right now? http://www.freeipa.org/page/Howto/HBAC_and_allow_all -- / Alexander Bokovoy ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
