[Freeipa-users] Host based access control and IPA
David Miller
millerdc at fusion.gat.com
Thu Jan 8 02:39:04 UTC 2009
I'm trying to get host based access working. I followed the
instructions on doing host based access control. Here is the URL to
the section to see what I'm referring to.
http://freeipa.org/page/AdministratorsGuide#Configuring_Host-Based_Access_Control
I'm trying to limit which machines users can SSH into. I have a host
set up to only allow root, a group called managers, a group called
theory, and deny all at the end. What I'm finding is that if I create
a user account that is not a part of either of those groups it denies
access like it should. However, if I add the user to either of those
groups after the user has attempted to log in, it still won't let them
in if they try after I add them to the group. If I create a new user
and add said user to one of those groups at creation time it will
allow them in like it should. After logging in once and removing the
user from those groups it still allows the user to log in later. The
machine using host based access control seems to be caching whether
the user belongs to a group or not the first time they attempt a
login. How do you force the machine to check the IPA server to see
what groups the user belongs to each time they attempt to SSH in?
Thanks.