[Freeipa-users] HBAC issues

Stephen Gallagher sgallagh at redhat.com
Thu Jan 5 23:13:13 UTC 2012



On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs <erinn.looneytriggs at gmail.com> wrote:

> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>> Yes, that looks about right; not able to confirm 100%, but that is
>>> probably the issue.
>> 
>> 
>> We're looking into it. However, I should point out that using srchost is
>> a very unreliable means of restricting access. There are numerous
>> problems with it, most notably because we have to rely on what PAM sends
>> us in the srchost field, which is not defined in the spec, so different
>> applications such as 'login' and 'sshd' sometimes put different values
>> in those fields.
>> 
>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>> they're 1) unreliable and 2) cause significant performance impact on
>> networks with lots of host entries.
>> 
>> Our general recommendation is that if you want to restrict access from
>> specific hosts, it's usually a better idea to do this at the firewall
>> level, rather than the HBAC level.
> 
> Well that kind of puts that whole HBAC thing on the skids doesn't it?

Well, target host works fine. The real problem is with accurately identifying the remote host that the connection originated from.

So you can still write rules that say "only these users can log onto these hosts".

> Unfortunate that it works that way, and yes firewalling is always a good
> option.
> 
> Thanks for the info,
> -Erinn
> 
> 

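A constructed example, added here to illustrate the distinction Stephen draws above; it is not SSSD or FreeIPA code, and the rule names, hosts, users and groups in it are made up. It models HBAC evaluation as the target host would do it: a rule keyed on user (or user group), target host (or host group) and PAM service is evaluated from data the host knows reliably, while the source-host part of a rule depends entirely on whatever string PAM passed as the remote host, and is skipped altogether when srchost support is off. The practical caveat the model makes visible is that with srchost ignored, a rule written as "ops may ssh anywhere, but only from the bastion" silently becomes "ops may ssh anywhere".

```python
"""Toy model of HBAC rule evaluation on the target host (constructed example,
not SSSD/FreeIPA code). Rules match on user, target host and service; the
srchost part is only evaluated when support_srchost=True, mirroring the
"ignore srchost by default" behaviour described in the thread."""
from dataclasses import dataclass, field
from typing import List, Optional

ALL = "all"  # IPA "category" value: the rule matches every user/host/service


@dataclass
class HbacRule:
    name: str
    users: set = field(default_factory=set)       # direct user members
    groups: set = field(default_factory=set)      # user-group members
    hosts: set = field(default_factory=set)       # target hosts (FQDNs)
    hostgroups: set = field(default_factory=set)  # target host groups
    services: set = field(default_factory=set)    # PAM services, e.g. "sshd"
    srchosts: set = field(default_factory=set)    # source hosts (unreliable)
    user_category: Optional[str] = None           # ALL or None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    srchost_category: Optional[str] = None


@dataclass
class Request:
    """One access decision as the target host sees it."""
    user: str
    user_groups: set
    target_host: str
    target_hostgroups: set
    service: str
    srchost: Optional[str] = None  # PAM rhost: a name, an IP, or nothing at all


def _member(category: Optional[str], direct: set, groups: set,
            name: str, member_of: set) -> bool:
    """True if the category is ALL, or the name or one of its groups is listed."""
    if category == ALL:
        return True
    return name in direct or bool(groups & member_of)


def rule_allows(rule: HbacRule, req: Request, support_srchost: bool = False) -> bool:
    """Evaluate one rule. With support_srchost=False the srchost part is
    skipped, so a srchost-restricted rule matches from anywhere."""
    if not _member(rule.user_category, rule.users, rule.groups,
                   req.user, req.user_groups):
        return False
    if not _member(rule.host_category, rule.hosts, rule.hostgroups,
                   req.target_host, req.target_hostgroups):
        return False
    if rule.service_category != ALL and req.service not in rule.services:
        return False
    if support_srchost and rule.srchost_category != ALL:
        # Only as good as the rhost string PAM handed over: an empty value or
        # an IP literal will not match an FQDN listed in the rule.
        if req.srchost not in rule.srchosts:
            return False
    return True


def matching_rules(rules: List[HbacRule], req: Request,
                   support_srchost: bool = False) -> List[str]:
    """Names of rules that allow the request; access is granted if non-empty."""
    return [r.name for r in rules if rule_allows(r, req, support_srchost)]


# Constructed rules for the demo (not from any real deployment).
RULES = [
    # "only these users can log onto these hosts": the kind of rule that works.
    HbacRule(name="web_admins", groups={"admins"}, hostgroups={"webservers"},
             services={"sshd"}, srchost_category=ALL),
    # A rule that leans on srchost: ops may ssh anywhere, but only from the bastion.
    HbacRule(name="ops_via_bastion", groups={"ops"}, host_category=ALL,
             services={"sshd"}, srchosts={"bastion.example.com"}),
]


def demo() -> dict:
    """Run a few constructed requests against RULES in both srchost modes."""
    alice = Request("alice", {"admins"}, "web1.example.com", {"webservers"},
                    "sshd", srchost="laptop.example.com")
    bob_bastion = Request("bob", {"ops"}, "web1.example.com", {"webservers"},
                          "sshd", srchost="bastion.example.com")
    bob_laptop = Request("bob", {"ops"}, "web1.example.com", {"webservers"},
                         "sshd", srchost="laptop.example.com")
    return {
        "alice": matching_rules(RULES, alice),
        "bob_from_bastion": matching_rules(RULES, bob_bastion),
        "bob_from_laptop_srchost_off": matching_rules(RULES, bob_laptop),
        "bob_from_laptop_srchost_on": matching_rules(RULES, bob_laptop, True),
    }


if __name__ == "__main__":
    for case, names in demo().items():
        print(case, "ALLOW" if names else "DENY", names)
```

The real-world counterpart of the "web_admins" rule is built with the ipa CLI (ipa hbacrule-add, hbacrule-add-user --groups, hbacrule-add-host --hostgroups, hbacrule-add-service --hbacsvcs) and can be checked with ipa hbactest --user --host --service before anyone relies on it. The sssd-ipa option that I believe controls srchost evaluation is ipa_hbac_support_srchost in the [domain/...] section of sssd.conf, off by default; that name is from memory rather than from this thread, so confirm it against the sssd-ipa man page for your version, and treat any rule whose only real restriction is srchost as if that restriction were absent, exactly as the model above does.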