[Freeipa-users] HBAC issues

Dmitri Pal dpal at redhat.com
Thu Jan 5 23:09:56 UTC 2012


On 01/05/2012 05:07 PM, Erinn Looney-Triggs wrote:
> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>> Yes, that looks about right, not able to confirm 100%, but that is
>>> probably the issue.
>>
>> We're looking into it. However, I should point out that using srchost is
>> a very unreliable means of restricting access. There are numerous
>> problems with it, most notably because we have to rely on what PAM sends
>> us in the srchost field, which is not defined in the spec, so different
>> applications such as 'login' and 'sshd' sometimes put different values
>> in those fields.
>>
>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>> they're 1) unreliable and 2) cause significant performance impact on
>> networks with lots of host entries.
>>
>> Our general recommendation is that if you want to restrict access from
>> specific hosts, it's usually a better idea to do this at the firewall
>> level, rather than the HBAC level.
> Well, that kind of puts that whole HBAC thing on the skids, doesn't it?

It still has value, as you can define who can authenticate via which
services: allow only ssh or physical access but not ftp to one set of
users, while enabling ftp for others.

> Unfortunate that it works that way, 
We tried our best but realized that there is no good way to get source
host information reliably, and also the performance was awful due to the
complexity of the searches that need to be conducted in this case.

> and yes firewalling is always a good
> option.
>
> Thanks for the info,
> -Erinn
>
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
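The two points made in this thread, that HBAC still controls which PAM services a user may authenticate through (ssh or console but not ftp for one group), and that SSSD ignores rules depending on the PAM source host, can be seen in a small model of HBAC rule evaluation. This is an added example, not FreeIPA or SSSD code; the rule set, user, host and service names are constructed, and the way a srchost-restricted rule drops out when srchost support is off follows my reading of SSSD's `ipa_hbac_support_srchost` option (an assumption, not something stated in the thread).

```python
"""Toy model of FreeIPA HBAC rule evaluation (added example, not FreeIPA/SSSD code).

A request is (user, target host, PAM service, optional source host). Access is
granted if any enabled allow-rule matches. Rules that name specific source
hosts are skipped when srchost support is off, which is the SSSD default the
thread refers to. All rule data below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Stand-in for FreeIPA's usercategory / hostcategory / servicecategory /
# sourcehostcategory = all, i.e. "this dimension matches anything".
ALL: FrozenSet[str] = frozenset({"all"})


@dataclass(frozen=True)
class HbacRule:
    """One allow-rule. Each member set is literal names or the ALL category."""
    name: str
    users: FrozenSet[str]
    hosts: FrozenSet[str]            # target hosts the user logs in to
    services: FrozenSet[str]         # PAM service names, e.g. sshd, login, ftp
    srchosts: FrozenSet[str] = ALL   # ALL means no source-host restriction
    enabled: bool = True

    @staticmethod
    def _member(value: Optional[str], members: FrozenSet[str]) -> bool:
        return members == ALL or (value is not None and value in members)

    def restricts_srchost(self) -> bool:
        return self.srchosts != ALL

    def matches(self, user: str, host: str, service: str,
                srchost: Optional[str], support_srchost: bool) -> bool:
        if not self.enabled:
            return False
        if self.restricts_srchost() and not support_srchost:
            # Assumption: with srchost support off, SSSD only fetches rules whose
            # sourcehostcategory is "all", so a rule naming source hosts never
            # grants access. It does not become "match any source host".
            return False
        return (self._member(user, self.users)
                and self._member(host, self.hosts)
                and self._member(service, self.services)
                and self._member(srchost, self.srchosts))


def evaluate(rules: Iterable[HbacRule], user: str, host: str, service: str,
             srchost: Optional[str] = None,
             support_srchost: bool = False) -> Optional[str]:
    """Return the name of the first matching rule, or None meaning deny."""
    for rule in rules:
        if rule.matches(user, host, service, srchost, support_srchost):
            return rule.name
    return None


def srchost_dependent_rules(rules: Iterable[HbacRule]) -> List[str]:
    """Audit helper: enabled rules that stop granting anything once srchost is ignored."""
    return [r.name for r in rules if r.enabled and r.restricts_srchost()]


# Constructed rule set illustrating the thread's service-based split.
RULES = [
    HbacRule("admins_everything", frozenset({"alice"}), ALL, ALL),
    # ssh or console access, but no ftp, for bob and carol on the web hosts
    HbacRule("staff_ssh", frozenset({"bob", "carol"}),
             frozenset({"web01", "web02"}), frozenset({"sshd", "login"})),
    # carol additionally gets ftp, but only on web01
    HbacRule("ftp_uploaders", frozenset({"carol"}), frozenset({"web01"}),
             frozenset({"ftp"})),
    # a rule that relies on the PAM source host field
    HbacRule("ops_from_jumphost", frozenset({"dave"}), frozenset({"web01"}),
             frozenset({"sshd"}), srchosts=frozenset({"jump01"})),
]

if __name__ == "__main__":
    checks = [
        ("bob", "web01", "sshd", None),
        ("bob", "web01", "ftp", None),
        ("carol", "web01", "ftp", None),
        ("dave", "web01", "sshd", "jump01"),
    ]
    for user, host, service, srchost in checks:
        verdict = evaluate(RULES, user, host, service, srchost)
        print(f"{user}@{host} via {service}: {verdict or 'DENY'}")
    print("rules that depend on srchost:", srchost_dependent_rules(RULES))
```

Running it shows that bob reaches `web01` over `sshd` but is denied `ftp`, while carol gets both, which is the kind of per-service split Dmitri describes. The `srchost_dependent_rules` helper is the check a practitioner would want before upgrading to an SSSD that ignores srchost: any rule it lists will silently stop granting access, and the thread's advice is to move that source-host restriction to the firewall instead.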
