[rhn-users] Access control using RHN

Felipe Pereira felmasper at gmail.com
Thu Mar 31 16:33:03 UTC 2011


Hello,

I was wondering how people use RHN to do access control.

I'm interested in hosts.allow but I'd like to hear about other types
(pam_access, iptables, etc).

Consider the following scenario:
- two classes of hosts, C1 and C2 (each class has a configuration channel)
- only a group of stations/people G1 may login on C1
- I want a group of stations/people G2 besides G1 to access C2

How can C2 inherit access control of C1 appending new items to it? Consider
that files from a conf. channel override channels below it.

I'm doing it this way (I just wanted to know if you see a flaw or a better way
to do it):

The "base" conf. channel has these files:
/etc/hosts.allow:
sshd: /etc/hosts.d/G1-sshd.allow
sshd: /etc/hosts.d/G2-sshd.allow

/etc/hosts.deny:
sshd: ALL

/etc/hosts.d/G1-sshd.allow:
# empty
/etc/hosts.d/G2-sshd.allow:
# empty

Now we create channels "G1-allow" and "G2-allow" which will be used above
the base class (top priority). G1-allow has the file
/etc/hosts.d/G1-sshd.allow with the respective hosts. Same for G2-allow.

Base must have /etc/hosts.d/*.allow empty so we can disable login when we
unsubscribe hosts from a Gn-allow channel, by deploying the empty base file.

Now I can choose to allow for any combinations of G1 and G2 to C1 and C2.
It's not really inheritance, but it's easy to see which group of hosts can
login to which class.

-- 
Felipe
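As an added illustration (not part of the original post), the following Python models the channel layering described above and evaluates the resulting hosts.allow/hosts.deny with tcp_wrappers-style matching: hosts.allow is consulted first, then hosts.deny, and a client pattern starting with "/" names a file of patterns. The channel contents mirror the post; the host addresses are constructed sample values, and client matching is simplified to exact hosts, ALL and file lists.

```python
# Constructed sample channels mirroring the post; addresses are made up.
BASE = {
    "/etc/hosts.allow": "sshd: /etc/hosts.d/G1-sshd.allow\n"
                        "sshd: /etc/hosts.d/G2-sshd.allow\n",
    "/etc/hosts.deny": "sshd: ALL\n",
    "/etc/hosts.d/G1-sshd.allow": "# empty\n",
    "/etc/hosts.d/G2-sshd.allow": "# empty\n",
}
G1_ALLOW = {"/etc/hosts.d/G1-sshd.allow": "10.0.1.10\n10.0.1.11\n"}
G2_ALLOW = {"/etc/hosts.d/G2-sshd.allow": "10.0.2.20\n"}


def deploy(channels):
    """Overlay channels lowest priority first; a higher channel's copy of a file wins."""
    fs = {}
    for channel in channels:
        fs.update(channel)
    return fs


def read_list(fs, path):
    """Patterns in a file-based client list, skipping blank lines and comments."""
    return [l.strip() for l in fs.get(path, "").splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def client_matches(fs, pattern, client):
    """Simplified tcp_wrappers client matching: ALL, a file of patterns, or an exact host."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):  # leading '/' means "patterns are in this file"
        return any(client_matches(fs, p, client) for p in read_list(fs, pattern))
    return pattern == client


def file_matches(fs, path, daemon, client):
    """True if any 'daemon_list : client_list' line in the file matches."""
    for line in fs.get(path, "").splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        if daemons == "ALL" or daemon in [d.strip() for d in daemons.split(",")]:
            if any(client_matches(fs, c.strip(), client) for c in clients.split(",")):
                return True
    return False


def allowed(fs, daemon, client):
    """tcp_wrappers decision order: hosts.allow, then hosts.deny, else allow."""
    if file_matches(fs, "/etc/hosts.allow", daemon, client):
        return True
    return not file_matches(fs, "/etc/hosts.deny", daemon, client)
```

Note that the deny rule only covers sshd, so any other wrapped service stays open unless it gets its own hosts.deny line.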