[Freeipa-users] Deny SSH access from selected host

William Muriithi william.muriithi at gmail.com
Wed Feb 5 22:17:29 UTC 2014


>> Would it be possible to deny ssh access per host without pulling a host off
>> FreeIPA management?
>
> from-host part of the rule is not enforced by default due to the fact
> that it is pretty easy to fake that one on connection.
>
> You can try to create more specific rules allowing access to the
> systems. With allow_all rule disabled these would help -- when there is
> no rule for that user to access an SSH service on the host, it will not
> be able to do so.
>
> Are you using allow_all rule right now?
>
Yes, the all_allow rule was in place. I didn't see the allow all from the
browser though and wasn't aware of it either.

After I disabled it, I was able to achieve selective access.  Thank you
very much.
> http://www.freeipa.org/page/Howto/HBAC_and_allow_all
> --
> / Alexander Bokovoy
William
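
The approach from this thread (a specific HBAC rule plus a disabled allow_all), as an added example that is not part of the original messages. The rule, user and host names are constructed, and IPA_CMD is a hypothetical variable used here to allow a dry run.

```shell
#!/bin/sh
# Added example: replace allow_all with a host-specific SSH rule.
# IPA_CMD defaults to the real "ipa" client; set IPA_CMD=echo for a dry
# run that only prints the commands (IPA_CMD is an assumption of this sketch).
IPA_CMD="${IPA_CMD:-ipa}"

# restrict_ssh RULE USER ALLOWED_HOST DENIED_HOST
restrict_ssh() {
    rule="$1"; user="$2"; allowed="$3"; denied="$4"

    # 1. Create the specific rule first, so access is never left
    #    without any matching rule while the change is in progress.
    $IPA_CMD hbacrule-add "$rule" --desc="SSH for $user on $allowed" || return 1
    $IPA_CMD hbacrule-add-user "$rule" --users="$user" || return 1
    $IPA_CMD hbacrule-add-host "$rule" --hosts="$allowed" || return 1
    $IPA_CMD hbacrule-add-service "$rule" --hbacsvcs=sshd || return 1

    # 2. HBAC rules only grant access. While allow_all is enabled it
    #    matches every user on every host, so the specific rule has no
    #    visible effect until allow_all is disabled.
    $IPA_CMD hbacrule-disable allow_all || return 1

    # 3. Check the result on the server side before testing real logins.
    #    Read the "Access granted" line of each hbactest run: it should be
    #    True for the allowed host and False for the other one.
    $IPA_CMD hbactest --user="$user" --host="$allowed" --service=sshd
    $IPA_CMD hbactest --user="$user" --host="$denied" --service=sshd
}

# Usage (constructed names), run with a valid admin Kerberos ticket:
#   restrict_ssh ssh_web alice web1.example.test db1.example.test
```
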