[Freeipa-users] HBAC issues

Stephen Gallagher sgallagh at redhat.com
Thu Jan 5 20:54:15 UTC 2012


On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
> Yes, that looks about right. I'm not able to confirm 100%, but that is
> probably the issue.


We're looking into it. However, I should point out that using srchost is
a very unreliable means of restricting access. There are numerous
problems with it, most notably because we have to rely on what PAM sends
us in the srchost field, which is not defined in the spec, so different
applications such as 'login' and 'sshd' sometimes put different values
in those fields.

In SSSD upstream, we're defaulting to ignoring srchost rules because
they're 1) unreliable and 2) cause significant performance impact on
networks with lots of host entries.

Our general recommendation is that if you want to restrict access from
specific hosts, it's usually a better idea to do this at the firewall
level, rather than the HBAC level.
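As an added illustration (not part of the original message), the two sides of the recommendation above as configuration: the srchost-dependent sssd.conf setting beside the setting that ignores srchost, which is the sssd-ipa(5) option `ipa_hbac_support_srchost`; the domain name and host list are constructed placeholders.

```ini
# /etc/sssd/sssd.conf (constructed example; domain name is a placeholder)
[domain/example.test]
id_provider = ipa
access_provider = ipa

# Weak: honour HBAC srchost rules. The value SSSD evaluates is whatever
# PAM passes as the remote host, which differs between 'login', 'sshd'
# and other applications and is not guaranteed to be set at all.
# ipa_hbac_support_srchost = True

# Recommended: ignore srchost in HBAC evaluation (the SSSD upstream
# default). Restrict by source host at the firewall instead, e.g. by
# only permitting sshd from an allowed-hosts set in the host firewall.
ipa_hbac_support_srchost = False
```

With srchost ignored, an HBAC rule that lists source hosts still matches on user, target host and service, so review such rules for access they were meant to deny.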