[Freeipa-users] HBAC issues

JR Aquino JR.Aquino at citrix.com
Fri Jan 6 04:22:53 UTC 2012


On Jan 5, 2012, at 3:14 PM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:

> 
> 
> On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs <erinn.looneytriggs at gmail.com> wrote:
> 
>> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>>> Yes that look about right, not able to confirm 100%, but that is
>>>> probably the issue.
>>> 
>>> 
>>> We're looking into it. However, I should point out that using srchost is
>>> a very unreliable means of restricting access. There are numerous
>>> problems with it, most notably because we have to rely on what PAM sends
>>> us in the srchost field, which is not defined in the spec, so different
>>> applications such as 'login' and 'sshd' sometimes put different values
>>> in those fields.
>>> 
>>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>>> they're 1) unreliable and 2) cause significant performance impact on
>>> networks with lots of host entries.
>>> 
>>> Our general recommendation is that if you want to restrict access from
>>> specific hosts, it's usually a better idea to do this at the firewall
>>> level, rather than the HBAC level.
>> 
>> Well that kind of puts that whole HBAC thing on the skids doesn't it?
> 
> Well, target host works fine. The real problem is with accurately identifying the remote host that the connection originated from.
> 
> So you can still write rules that say "only these users can log onto these hosts".

If you absolutely must use it, I have found that access.conf works well enough to limit srchost ssh access:

http://linux.die.net/man/5/access.

> 
>> Unfortunate that it works that way, and yes firewalling is always a good
>> option.
>> 
>> Thanks for the info,
>> -Erinn
>> 
>> 
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
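As an added illustration of the access.conf approach mentioned above (example code, not from the thread or the pam_access project): a small Python evaluator for a subset of the pam_access rule format, run against a constructed access.conf. It implements only +/- rules with ALL, LOCAL, (group), CIDR, plain hostname and .domain origins; EXCEPT, netgroups and the remaining keywords are left out.

```python
import ipaddress

# Constructed sample /etc/security/access.conf (not from the thread): admins from
# the management subnet, one deploy account from a named bastion, deny the rest.
SAMPLE_ACCESS_CONF = """
# permission : users : origins   (first matching line wins)
+ : root : LOCAL
+ : (admins) : 10.0.0.0/24
+ : deploy : bastion.example.com
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return a list of (allow, user_tokens, origin_tokens) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+",
                      users.replace(",", " ").split(),
                      origins.replace(",", " ").split()))
    return rules

def _user_matches(token, user, groups):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # (group) form
        return token[1:-1] in groups
    return token == user

def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "LOCAL":                                 # origin without a dot: tty, console
        return "." not in origin
    if token.startswith("."):                            # domain suffix
        return origin.lower().endswith(token.lower())
    try:                                                 # IP address or CIDR origin
        return ipaddress.ip_address(origin) in ipaddress.ip_network(token, strict=False)
    except ValueError:
        return origin.lower() == token.lower()           # plain hostname

def check_access(rules, user, groups, origin):
    """Simplified pam_access decision: first matching rule wins, no match permits."""
    for allow, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow
    return True
```

The origin field is whatever the calling service hands PAM as PAM_RHOST; sshd passes the client IP address unless UseDNS is enabled, so a hostname rule like the bastion line only matches when the service resolves names, which is the same dependence on the caller that the thread describes for srchost.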