On 07/08/2013 07:44 PM, KodaK wrote:
We've just discovered that AIX does not honor HBAC rules with telnet.
ssh is fine.
No AIX experience, but I once overheard someone who did something like
this using PAM, and apparently you could use the pam_permission module:
http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
so you could add this to /etc/pam.conf
telnet auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow
and create the file /etc/pam.groups.telnet with info like this:
+@mygroup1
+@mygroup2
-@mygroup3
in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
denied access.
You could harden it even more with good old tcp_wrappers
(hosts.allow, hosts.deny).
If you have a config tool (cfengine, puppet, whatever), this could be
quite easy to distribute once properly tested.
Totally untested :-) but maybe worth a shot.
--
groet,
natxo
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
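An added example, written for this thread and not part of natxo's post or of IBM's pam_permission module: a small offline checker that evaluates a pam_permission-style access file for a given user and group list, so the policy can be tested before it is pushed out with cfengine or puppet. It assumes first-match-wins ordering and that found=allow permits users matched by a "+" entry and denies everyone else (found=prohibit the opposite); check those semantics against the IBM page linked above.

```python
# Added example, not from the original post or from IBM's pam_permission code.
# Assumed semantics (verify against the IBM documentation linked in the post):
#   "+@grp"/"-@grp" match a group, "+name"/"-name" match a user,
#   "#" starts a comment, the first matching entry decides whether the user
#   is "found"; found=allow permits found users and denies everyone else,
#   found=prohibit does the opposite.

# Constructed sample, modelled on the file in the post; "-bob" is listed
# first so it wins over bob's group membership.
PAM_GROUPS_TELNET = """\
# telnet access policy
-bob
+@mygroup1
+@mygroup2
-@mygroup3
"""

def parse_entries(text):
    """Return (included, kind, name) tuples; kind is 'user' or 'group'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        sign, body = line[0], line[1:]
        if sign not in "+-" or not body:
            raise ValueError(f"malformed entry: {raw!r}")
        if body.startswith("@"):
            entries.append((sign == "+", "group", body[1:]))
        else:
            entries.append((sign == "+", "user", body))
    return entries

def found_in_file(user, groups, entries):
    """First matching entry decides; an unlisted user is not found."""
    for included, kind, name in entries:
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return included
    return False

def telnet_allowed(user, groups, text=PAM_GROUPS_TELNET, found="allow"):
    """Access decision for `user`, a member of `groups`, under the found= mode."""
    if found not in ("allow", "prohibit"):
        raise ValueError("found must be 'allow' or 'prohibit'")
    matched = found_in_file(user, frozenset(groups), parse_entries(text))
    return matched if found == "allow" else not matched

if __name__ == "__main__":
    for who, grps in [("alice", ["mygroup1"]), ("bob", ["mygroup1"])]:
        print(who, "allowed" if telnet_allowed(who, grps) else "denied")
```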