Thank you for your comment, please see below:

On Sun, Apr 30, 2017 at 3:51 AM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> In FreeIPA HBAC rules we used to support source host access control.
> However, it was disabled and deprecated. While SSSD still supports it,
> PAM applications like sshd pass rhost information to PAM based on what
> they received from their own clients.
>
> There is no normalized way to report a trusted rhost value, so you might
> get a CIDR, a host name, a fully qualified host name, or a spoofed
> host name from the PAM application.
> In the end, FreeIPA disabled source host access control on its side.
> SSSD would still try to enforce source host if the rule has it set, but
> unmodified FreeIPA HBAC management commands do not add source host
> attributes to the rules, so they never get matched by SSSD.
>
Applied to ssh, is the rhost visible to SSSD the one that the client reports to
the ssh server? Apologies if this is a stupid question, but is there any way
inside SSSD to get the source IP/FQDN without using the rhost set by the client?
That would help to avoid any spoofing possibility, I guess.

On the other hand, to even spoof a remote host an attacker needs to know which
host/IP is allowed access and also which form is entered into LDAP.



> I would rather reuse existing HBAC infrastructure for rule evaluation.
> HBAC rule evaluation is separate from its representation in LDAP (or
> anywhere else). It would be beneficial to have HBAC rule checking as a
> separate access provider that either uses the same schema as FreeIPA
> does or supports a subset of it. This way you'd use existing SSSD
> infrastructure and only would need to write a code to pull LDAP
> representation of HBAC rules.
>
>
This is basically why I wrote about the similar approach between this proposal and
how the host record is evaluated now. If host record evaluation uses the HBAC
infra, then I would gladly reuse that, of course.


> --
> / Alexander Bokovoy
> _______________________________________________
> sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
> To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
>



-- 
Best regards,
Alexey Kamenskiy
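To make the non-normalization point in the quoted reply concrete, here is an added illustration (not SSSD or FreeIPA code, and not the FreeIPA HBAC schema): a constructed set of rhost strings of the kinds a PAM application might hand over for the same client, a classifier for their form, and a simplistic literal source-host matcher. The rule value, host names and addresses are all made up; the matcher is a hypothetical stand-in for a rule evaluator, used only to show that one client can appear under several forms and only the form stored in the rule ever matches.

```python
import ipaddress
import re

# Constructed sample of what PAM_RHOST might look like for one and the same
# client, depending on which PAM application reported it (values are made up).
SAMPLE_RHOST_VALUES = [
    "10.0.1.25",
    "10.0.1.0/24",
    "bastion",
    "bastion.example.test",
    "Bastion.Example.Test.",
    "",
]

# Hypothetical rule: the source host as an administrator would enter it.
RULE_SOURCE_HOSTS = ["bastion.example.test"]

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_rhost(value):
    """Classify an rhost string as 'ip', 'cidr', 'hostname', 'fqdn' or 'invalid'."""
    if not value:
        return "invalid"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(value, strict=False)
        return "cidr"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return "fqdn" if len(labels) > 1 else "hostname"
    return "invalid"


def matches_source_host(rule_source_hosts, rhost):
    """Literal comparison, as a naive evaluator would do it: case-insensitive
    exact match after stripping a trailing dot. No DNS lookup, no CIDR
    containment, so a short name or an address never matches an FQDN rule."""
    norm = rhost.rstrip(".").lower()
    return any(norm == h.rstrip(".").lower() for h in rule_source_hosts)


def evaluate(rule_source_hosts, rhost_values):
    """Return {rhost: (form, matched)} for each reported value."""
    return {
        v: (classify_rhost(v), matches_source_host(rule_source_hosts, v))
        for v in rhost_values
    }


if __name__ == "__main__":
    for value, (form, matched) in evaluate(RULE_SOURCE_HOSTS, SAMPLE_RHOST_VALUES).items():
        print(f"{value!r:28} {form:9} matched={matched}")
```

Running it shows that only the two FQDN spellings match the rule, while the short name, the address and the CIDR string for the same client are all rejected: the matcher is not wrong, the input simply has no agreed form. Any value that arrives as a free-form string from the PAM application, rather than from the connection itself, carries the same problem.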