Hi SSSD team,

I was advised on IRC to send an email to the group in order to discuss this
functionality.

I am thinking about taking on implementing it, as I have a need for such
functionality. But I can also see that it would perhaps be interesting to
many other users as well.

Preamble:

Currently SSSD's LDAP backend only provides the ability to restrict access
via the host record, by verifying the local hostname of the machine (either
explicitly allowing or denying access by hostname) using
ldap_access_order=host.

My thought is that it would be good to have the ability to perform similar
access verification for rhost (by IP or via DNS).

Why it is relevant to me: I am (as part of my work) managing 1k+ hosts
where we restrict ssh access to specific IP(s) using the sshd_config AllowUsers
option with a (*@ip_address) record, to only allow logins from a well-protected
bastion server. It went pretty badly when an IDC disaster happened and the
bastion was N/A; there was no way to access the hosts until access to the bastion
was restored. Meanwhile we manage ssh users and sudo access with LDAP, so
it would be perfect if we could manage this there as well.

Why it is relevant to others: I've seen many cases where other
companies/individuals do something similar, restricting access to a bastion server
via either sshd_config or iptables (not even a firewall, as someone on IRC
suggested).

Proposal:

I am thinking of the following implementation:

A new sssd.conf option ldap_access_order = rhost, which would enable
rhost verification.

A new sssd.conf option ldap_user_authorized_rhost, which would carry a similar
meaning to ldap_user_authorized_host (that is, the name of the field in the LDAP
record containing the rule).

The LDAP entry field, I am thinking, could also be similar to the current host
field format: a Unicode text field validated in order: explicit deny
(!host), explicit allow (host), allow all (*), ending with deny all (the default
if no matching rule is found).

Validation could happen as follows: if the rhost is an IP address, first
look up any directly matching rules; if none are found, attempt to fetch the rDNS
record for the rhost and look up a match for it. If the rhost is a hostname, first
look up a match directly; if none is found, fetch the forward DNS records (that is,
A and AAAA records) and try to match all elements from the returned list (I am not
sure whether sssd may receive a hostname as rhost, but I assume that as a
possibility).


Please let me know whether this could be implemented as part of the LDAP backend
of SSSD. If this proposal is accepted, I could start working on the
implementation shortly.


Best regards,
akamenskiy
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
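As an added illustration (not code from the original post or from SSSD), a Python sketch of the proposed evaluation order: direct match, then rDNS or A/AAAA-derived match, then the allow-all wildcard, then default deny. The RDNS and FORWARD tables are constructed stand-ins for real resolver queries, and the names norm, is_ip, match_explicit and rhost_allowed are assumed here.

```python
import ipaddress

# Constructed DNS stand-ins (assumption: real code would query the resolver).
# PTR records keyed by IP, and A/AAAA records keyed by hostname.
RDNS = {"10.0.0.5": "bastion.example.com"}
FORWARD = {"bastion.example.com": ["10.0.0.5", "2001:db8::5"]}


def is_ip(text):
    """True when text is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def norm(name):
    """Canonical form for comparison: compressed IP text, or lower-case hostname."""
    if is_ip(name):
        return ipaddress.ip_address(name).compressed
    return name.rstrip(".").lower()


def match_explicit(names, rules):
    """Explicit rules only: '!x' denies, 'x' allows; deny wins over allow.
    Returns None when no rule names any candidate, so the caller keeps resolving."""
    denied = {norm(r[1:]) for r in rules if r.startswith("!")}
    allowed = {norm(r) for r in rules if not r.startswith("!") and r != "*"}
    cands = {norm(n) for n in names}
    if cands & denied:
        return False
    if cands & allowed:
        return True
    return None


def rhost_allowed(rhost, rules):
    """Evaluate ldap_user_authorized_rhost values for one connecting rhost.
    Assumption: '*' is consulted only after explicit rules, so a '!name' deny
    reached through rDNS still wins over a wildcard."""
    verdict = match_explicit([rhost], rules)
    if verdict is None:
        if is_ip(rhost):
            derived = [RDNS[norm(rhost)]] if norm(rhost) in RDNS else []  # PTR
        else:
            derived = FORWARD.get(norm(rhost), [])  # A and AAAA answers
        if derived:
            verdict = match_explicit(derived, rules)
    if verdict is None:
        verdict = "*" in rules  # allow-all wildcard, otherwise default deny
    return verdict
```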
