[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

KodaK sakodak at gmail.com
Thu Jul 11 21:39:26 UTC 2013


Just thought I'd pass along my work-around.

I create a group for each host called hostname-access and populate each
group with the users allowed to connect.

Then, using puppet, I push out an sshd_config that has "AllowGroups: admins
unixadmins hostname-access".

The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"

Then restart sshd.

This is a lot of up-front work, but seems to be the easiest to maintain in
the long run (at least until we can get AIX to honor HBAC rules.)
Unfortunately, I can't have groups of groups -- that would make initial
setup even easier -- but I'm used to not having everything, as you can
see. :)

This only works for sshd, obviously.  We do currently have ftp and telnet
open (yeah, I know) but I'm trying to get those turned off.  In the
meantime I can use tcp-wrappers to only allow those machines that need to
connect.  This is sub-optimal, since unauthorized users may be able to
telnet in from those machines.

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
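As an added illustration (not code from the post or from FreeIPA), the Python below models the per-host AllowGroups gate described above: it renders the line the ERB template would produce for a host, parses it back out of an sshd_config fragment, and applies it with sshd's own pattern-list semantics. It assumes OpenSSH syntax (`AllowGroups admins unixadmins <host>-access`, keyword separated from its arguments by whitespace or `=`); the hostname `aix01` and the groups `staff` and `contractors` are constructed for the example.

```python
import re

# Constructed example: models the workaround in the post (a "<hostname>-access"
# group per host, pushed into sshd_config via puppet). Hostnames and the extra
# group names used here are made up; "admins"/"unixadmins" come from the post.
STATIC_GROUPS = ("admins", "unixadmins")

def render_allowgroups(hostname):
    """Render the AllowGroups line the ERB template would emit for one host."""
    return "AllowGroups " + " ".join(STATIC_GROUPS + (f"{hostname}-access",))

def parse_allowgroups(sshd_config_text):
    """Return the group patterns of the AllowGroups line, or None if unset.
    sshd separates a keyword from its arguments with whitespace or '='."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(?i)^AllowGroups[\s=]+(.+)$", line)
        if m:
            return m.group(1).split()
    return None

def _glob_match(name, pattern):
    """sshd pattern match: '*' matches any run, '?' one char, no [...] classes."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None

def _match_pattern_list(name, patterns):
    """Mirror sshd's match_pattern_list: a match on a '!' pattern returns -1
    (hard deny), a match on a plain pattern yields 1, no match yields 0."""
    result = 0
    for pat in patterns:
        negate = pat.startswith("!")
        if _glob_match(name, pat[1:] if negate else pat):
            if negate:
                return -1
            result = 1
    return result

def ssh_login_allowed(user_groups, allow_patterns):
    """Apply AllowGroups as sshd does: any of the user's groups matching a
    pattern grants access; a match on a negated pattern denies outright.
    Note this gates sshd only, not telnet or ftp, as the post points out."""
    if allow_patterns is None:
        return True   # no AllowGroups directive: sshd does not restrict by group
    found = False
    for group in user_groups:
        r = _match_pattern_list(group, allow_patterns)
        if r == -1:
            return False
        if r == 1:
            found = True
    return found
```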