[Freeipa-users] Adding an IPA user that can't SSH?
Dmitri Pal
dpal at redhat.com
Fri Jan 25 16:43:58 UTC 2013
On 01/25/2013 11:28 AM, Matthew Barr wrote:
> I need to add a few users that can authenticate with IPA (LDAP, in
> some cases, kerberos in others), but can't SSH into hosts.
>
> I'm guessing the best option is to use some sort of group restriction
> on the SSH /host side, vs anything else in IPA?
>
> Thanks!
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
You can define Host-Based-Access-Control policies. By default any user
is allowed to authenticate anywhere.
There are no deny HBAC rules so you need to define which users are
allowed to do what in your environment.
HBAC rules are enforced by SSSD. This means that if you have an app that
uses LDAP or kerberos auth bypassing pam stack the HBAC rules do not apply.
You need to think it through very well because once you disable the
default rule you might get into the situation where the legit
authentication of the legit users is denied becuase you have not created
a rule allowing those users to login.
AFAIK there is also some kind of "no shell" capability in SSH which
might be useful in this case but I am not a specialist in this area.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20130125/6a959025/attachment.htm>
More information about the Freeipa-users
mailing list