On Jan 5, 2012, at 3:14 PM, "Stephen Gallagher" <[email protected]> wrote:
>
>
> On Jan 5, 2012, at 5:48 PM, Erinn Looney-Triggs
> <[email protected]> wrote:
>
>> On 01/05/2012 11:54 AM, Stephen Gallagher wrote:
>>> On Thu, 2012-01-05 at 11:48 -0900, Erinn Looney-Triggs wrote:
>>>> Yes that looks about right, not able to confirm 100%, but that is
>>>> probably the issue.
>>>
>>>
>>> We're looking into it. However, I should point out that using srchost is
>>> a very unreliable means of restricting access. There are numerous
>>> problems with it, most notably because we have to rely on what PAM sends
>>> us in the srchost field, which is not defined in the spec, so different
>>> applications such as 'login' and 'sshd' sometimes put different values
>>> in those fields.
>>>
>>> In SSSD upstream, we're defaulting to ignoring srchost rules because
>>> they're 1) unreliable and 2) cause significant performance impact on
>>> networks with lots of host entries.
>>>
>>> Our general recommendation is that if you want to restrict access from
>>> specific hosts, it's usually a better idea to do this at the firewall
>>> level, rather than the HBAC level.
>>
>> Well that kind of puts that whole HBAC thing on the skids doesn't it?
>
> Well, target host works fine. The real problem is with accurately identifying
> the remote host that the connection originated from.
>
> So you can still write rules that say "only these users can log onto these
> hosts".

If you absolutely must use it I have found that access.conf works well enough to limit srchost ssh access: http://linux.die.net/man/5/access.

>
>> Unfortunate that it works that way, and yes firewalling is always a good
>> option.
>>
>> Thanks for the info,
>> -Erinn
>>
>>
>

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users

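As an added illustration of the access.conf approach mentioned in the reply above (this is example configuration written for this page, not a file posted by anyone in the thread), the following `/etc/security/access.conf` restricts ssh logins by source host with a deny-by-default last rule. The group name `sysadmins` and the `192.168.10.0/24` management network are placeholder values; substitute your own.

```conf
# /etc/security/access.conf (example; not from the mailing list thread)
# Each line is:  permission : users-or-groups : origins
# pam_access evaluates lines top to bottom and stops at the first match.
# "@sysadmins" and 192.168.10.0/24 are placeholders chosen for this example.

# Console logins for root are always permitted.
+ : root : LOCAL

# Members of the sysadmins group may log in only from the management network.
+ : @sysadmins : 192.168.10.0/24

# Everyone else, from anywhere, is denied (deny-by-default).
- : ALL : ALL
```

For this file to have any effect, `pam_access.so` must be present in the `account` phase of the PAM stack that sshd uses (on Fedora/RHEL this is usually enabled through the shared `system-auth`/`password-auth` stack, e.g. `account required pam_access.so`). Because of the final `- : ALL : ALL` line, an ordering mistake or a typo in a network address locks out every remote user, so keep an existing session open and verify from a second connection before logging out. Note that pam_access sees whatever remote-host value the calling service hands to PAM, which is the same dependency on the `srchost` field that Stephen describes above; for sshd that value is the client address, but other services may populate it differently.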