[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

Dmitri Pal dpal at redhat.com
Thu Jul 11 21:42:25 UTC 2013


On 07/11/2013 05:39 PM, KodaK wrote:
> Just thought I'd pass along my work-around.
>
> I create a group for each host called hostname-access and populate
> each group with the users allowed to connect.
>
> Then, using puppet, I push out an sshd_config that has "AllowGroups:
> admins unixadmins hostname-access".
>
> The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"
>
> Then restart sshd.
>
> This is a lot of up-front work, but seems to be the easiest to
> maintain in the long run (at least until we can get
> AIX to honor HBAC rules.)  Unfortunately, I can't have groups of
> groups -- that would make initial setup even
> easier -- but I'm used to not having everything, as you can see. :)
>
> This only works for sshd, obviously.  We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off.  In the meantime I can use tcp-wrappers to
> only allow those machines that need
> to connect.  This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

Well it is something like this that I had in mind. But you have beaten me...
Great to see you found an acceptable solution.

>
> --Jason
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
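As an added illustration (not code from the thread, KodaK's puppet module, or FreeIPA), the following POSIX shell renders the per-host `AllowGroups` directive the work-around above describes and checks a user's group list against it the way sshd does: access is granted when any of the user's groups appears in the list. Note that real `sshd_config` syntax is `AllowGroups` followed by space-separated group names, with no colon. The host name `aixbox01`, the group names and the user group lists are constructed sample values; `id -Gn` is the standard way to list a user's groups on both AIX and Linux and is used only in the optional live check.

```shell
#!/bin/sh
# Added example: model the per-host sshd AllowGroups work-around and
# pre-check whether a user would be admitted before pushing the config.

# render_allowgroups HOST
# Prints the directive the erb template expands to for HOST.
render_allowgroups() {
    host="$1"
    printf 'AllowGroups admins unixadmins %s-access\n' "$host"
}

# user_allowed "GROUP LIST" "ALLOWGROUPS LINE"
# Returns 0 if any group in the space-separated GROUP LIST is named in
# the AllowGroups line, 1 otherwise. Mirrors sshd's rule: a single match
# among the user's primary or supplementary groups is enough.
user_allowed() {
    groups="$1"
    allowed=$(printf '%s\n' "$2" | sed 's/^AllowGroups[[:space:]]*//')
    for g in $groups; do
        for a in $allowed; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# check_user_on_host USER HOST
# Live variant for an admin box: resolves USER's real groups with id -Gn
# (requires the IPA client / nsswitch to see the directory groups) and
# reports whether the rendered directive for HOST would admit them.
check_user_on_host() {
    user="$1"
    host="$2"
    if user_allowed "$(id -Gn "$user" 2>/dev/null)" "$(render_allowgroups "$host")"; then
        printf '%s: allowed on %s\n' "$user" "$host"
        return 0
    fi
    printf '%s: denied on %s\n' "$user" "$host"
    return 1
}

# Usage (constructed example):
#   render_allowgroups aixbox01  >> /etc/ssh/sshd_config
#   sshd -t                      # validate before restarting sshd
#   check_user_on_host jdoe aixbox01
```

Because `AllowGroups` only consults the groups that name service resolution returns for the user, nested (group-of-group) membership is honoured only if the client's NSS layer already flattens it; this is the limitation the post notes about not having groups of groups. Always run `sshd -t` after templating the file so a rendering error cannot lock everyone out.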

