[Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

Joe Linoff jlinoff at tabula.com
Sat Jun 2 13:52:27 UTC 2012


Hi:

I am a newbie that is trying out FreeIPA for the first time. So far I am
extremely impressed with this system but I ran into a problem that I
need some help with. I am trying to figure out how to use HBAC to restrict a
set of users to a specific set of hosts but I am not having any success.

Here is the problem statement:

I have 2 users: "user1" and "user2" that should only be able to access
the host "foobar" on my network. There are many other possible hosts
(like "wombat") that they cannot access. They can log in from anywhere
using "ssh".

The goal is to restrict students to a specific set of machines.

What I tried to do was this:

1. Create a user group called "restricted-users" which I could add
   users to.

2. Create a HBAC rule named "restricted-users" that

   a. Defines the host I want to allow them access to
      ("restricted-host").

   b. Defines the user group that is affected by this rule
      ("restricted-users").

   c. Defines the services they are allowed to use on that host
      (including login).

3. Create a user named "user1" that is enrolled in the
   "restricted-users" group.

I then tried this experiment:

1. ssh -Y user1@foobar

   a. It worked like a charm. The login worked correctly.

2. ssh -Y user1@wombat

   a. It also worked like a charm but in this case it was undesired
      behavior.

I am sure that I am missing something really obvious. Any help would be
greatly appreciated.

Errata:

1. OS: CentOS 6.2

2. FreeIPA: v2.1.3 (9el6)

Thank you,

Joe
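The following is an added example, not part of the original post and not FreeIPA's own code. It is a small Python model of how FreeIPA evaluates HBAC rules: rules are allow-only, a request is granted as soon as any enabled rule matches the user, host and service, and a fresh FreeIPA install ships with an enabled rule named `allow_all` that matches everything. The model is loaded with constructed data mirroring the post (users `user1`/`user2` in `restricted-users`, hosts `foobar` and `wombat`, a rule scoped to `foobar` and the `sshd`/`login` services) and shows why the login to `wombat` succeeds while `allow_all` is enabled and is refused once it is disabled. On a real server the equivalent check is `ipa hbactest --user user1 --host wombat --service sshd`, and the fix is `ipa hbacrule-disable allow_all` (after confirming that the admin accounts are covered by some other enabled rule).

```python
# Added example: minimal model of FreeIPA HBAC evaluation (not FreeIPA's code).
# HBAC rules only ever allow; access is granted iff at least one enabled rule
# matches the (user, host, service) triple. "ANY" stands in for a rule whose
# user/host/service category is set to "all", like the stock allow_all rule.
from dataclasses import dataclass, field

ANY = "all"


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # direct user members, or ANY
    user_groups: set = field(default_factory=set)  # member user groups
    hosts: set = field(default_factory=set)        # direct host members, or ANY
    host_groups: set = field(default_factory=set)  # member host groups
    services: set = field(default_factory=set)     # HBAC service names, or ANY


@dataclass
class Directory:
    user_groups: dict   # group name -> set of user names
    host_groups: dict   # hostgroup name -> set of host names
    rules: list         # HbacRule objects, in no particular order

    def _user_matches(self, rule, user):
        if ANY in rule.users or user in rule.users:
            return True
        return any(user in self.user_groups.get(g, set()) for g in rule.user_groups)

    def _host_matches(self, rule, host):
        if ANY in rule.hosts or host in rule.hosts:
            return True
        return any(host in self.host_groups.get(g, set()) for g in rule.host_groups)

    @staticmethod
    def _service_matches(rule, service):
        return ANY in rule.services or service in rule.services

    def evaluate(self, user, host, service):
        """Names of the enabled rules that allow this access request.
        An empty list means access is denied: there are no deny rules."""
        return [r.name for r in self.rules
                if r.enabled
                and self._user_matches(r, user)
                and self._host_matches(r, host)
                and self._service_matches(r, service)]

    def is_allowed(self, user, host, service):
        return bool(self.evaluate(user, host, service))


def build_directory(allow_all_enabled):
    """Constructed data mirroring the post: user1/user2 in 'restricted-users',
    hosts foobar and wombat, and a rule that allows the group onto foobar only.
    The default allow_all rule is included and enabled or disabled as requested."""
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         users={ANY}, hosts={ANY}, services={ANY})
    restricted = HbacRule("restricted-users",
                          user_groups={"restricted-users"},
                          hosts={"foobar"},
                          services={"sshd", "login"})
    return Directory(
        user_groups={"restricted-users": {"user1", "user2"}},
        host_groups={},
        rules=[allow_all, restricted],
    )


def run_experiment(allow_all_enabled):
    """Replay the post's experiment: user1 over sshd to foobar and to wombat.
    Returns, per host, the list of rules that granted access."""
    d = build_directory(allow_all_enabled)
    return {host: d.evaluate("user1", host, "sshd") for host in ("foobar", "wombat")}


if __name__ == "__main__":
    # With allow_all enabled, wombat is granted by allow_all alone; with it
    # disabled, only foobar is reachable and only via the restricted rule.
    print("allow_all enabled :", run_experiment(True))
    print("allow_all disabled:", run_experiment(False))
```

The design point the model makes visible is that a narrowly scoped HBAC rule never subtracts access; it can only add to whatever other enabled rules already grant. Reviewing the full list of enabled rules (`ipa hbacrule-find`) and exercising the intended denials with `ipa hbactest` is therefore the practical way to confirm that a restriction actually holds before relying on it.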
