[Freeipa-users] HBAC issues
JR Aquino
JR.Aquino at citrix.com
Fri Jan 6 04:22:53 UTC 2012
On Jan 5, 2012, at 3:14 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:
>
>
> On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs <erinn.looneytriggs at gmail.com> wrote:
>
>> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>>> Yes, that looks about right; not able to confirm 100%, but that is
>>>> probably the issue.
>>>
>>>
>>> We're looking into it. However, I should point out that using srchost is
>>> a very unreliable means of restricting access. There are numerous
>>> problems with it, most notably because we have to rely on what PAM sends
>>> us in the srchost field, which is not defined in the spec, so different
>>> applications such as 'login' and 'sshd' sometimes put different values
>>> in those fields.
>>>
>>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>>> they're 1) unreliable and 2) cause significant performance impact on
>>> networks with lots of host entries.
>>>
>>> Our general recommendation is that if you want to restrict access from
>>> specific hosts, it's usually a better idea to do this at the firewall
>>> level, rather than the HBAC level.
>>
>> Well that kind of puts that whole HBAC thing on the skids doesn't it?
>
> Well, target host works fine. The real problem is with accurately identifying the remote host that the connection originated from.
>
> So you can still write rules that say "only these users can log onto these hosts".
If you absolutely must use it, I have found that access.conf works well enough to limit srchost ssh access:
http://linux.die.net/man/5/access.
>
>> Unfortunate that it works that way, and yes firewalling is always a good
>> option.
>>
>> Thanks for the info,
>> -Erinn
>>
>>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
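The access.conf approach suggested above, as an added example that is not part of the original thread: an offline evaluator that mimics pam_access first-match semantics so a policy can be checked before `account required pam_access.so` is enabled in the sshd PAM stack. The policy, user names, group and subnet are constructed for illustration; pam_access takes the origin from PAM_RHOST, the same field the thread says is application-dependent, so the caveat raised above still applies.

```python
"""Offline evaluator for a pam_access(8) access.conf policy (added example)."""
import ipaddress

# Constructed sample policy, NOT the author's file: permit root at the console,
# permit members of group 'sshadmins' from the management subnet, deny the rest.
# The final deny is essential: pam_access grants access when no rule matches.
SAMPLE_ACCESS_CONF = """
# permission : users : origins
+ : root : LOCAL
+ : (sshadmins) : 10.0.5.0/24
- : ALL : ALL
"""

def parse_rules(text):
    """Return [(permit, [user items], [origin items])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(item, user, groups):
    # Supported: ALL, a user name, or a '(group)' entry. EXCEPT is not handled.
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user

def _origin_matches(item, rhost):
    # Supported: ALL, LOCAL, an IP address or CIDR network (no host/domain names).
    if item == "ALL":
        return True
    if item == "LOCAL":  # pam_access: origin has no '.' or ':' (e.g. empty/tty)
        return "." not in rhost and ":" not in rhost
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        return False

def check_access(conf_text, user, groups, rhost):
    """First matching rule decides, as in pam_access; no match means permit."""
    for permit, users, origins in parse_rules(conf_text):
        if (any(_user_matches(u, user, groups) for u in users)
                and any(_origin_matches(o, rhost) for o in origins)):
            return permit
    return True
```

Dropping the final `- : ALL : ALL` line in the sample policy makes every unmatched login succeed, which the evaluator reproduces.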