[Freeipa-users] HBAC issues

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Thu Jan 5 22:07:59 UTC 2012


On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>> Yes, that looks about right; not able to confirm 100%, but that is
>> probably the issue.
> 
> 
> We're looking into it. However, I should point out that using srchost is
> a very unreliable means of restricting access. There are numerous
> problems with it, most notably because we have to rely on what PAM sends
> us in the srchost field, which is not defined in the spec, so different
> applications such as 'login' and 'sshd' sometimes put different values
> in those fields.
> 
> In SSSD upstream, we're defaulting to ignoring srchost rules because
> they're 1) unreliable and 2) cause significant performance impact on
> networks with lots of host entries.
> 
> Our general recommendation is that if you want to restrict access from
> specific hosts, it's usually a better idea to do this at the firewall
> level, rather than the HBAC level.

Well, that kind of puts the whole HBAC thing on the skids, doesn't it?
Unfortunate that it works that way, and yes, firewalling is always a good
option.

Thanks for the info,
-Erinn


