Just thought I'd pass along my work-around. I create a group for each host called hostname-access and populate each group with the users allowed to connect.
Then, using puppet, I push out an sshd_config that has "AllowGroups: admins unixadmins hostname-access". The erb is: "AllowGroups: admins unixadmins <%= host %>-access". Then restart sshd.

This is a lot of up-front work, but seems to be the easiest to maintain in the long run (at least until we can get AIX to honor HBAC rules). Unfortunately, I can't have groups of groups -- that would make initial setup even easier -- but I'm used to not having everything, as you can see. :)

This only works for sshd, obviously. We do currently have ftp and telnet open (yeah, I know), but I'm trying to get those turned off. In the meantime I can use tcp-wrappers to only allow those machines that need to connect. This is sub-optimal, since unauthorized users may be able to telnet in from those machines.

--Jason

-- 
The government is going to read our mail anyway, might as well make it tough for them.
GPG Public key ID: B6A1A7C6
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
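An added example, not Jason's Puppet code: a small POSIX sh script that renders the per-host AllowGroups line the post describes and then emulates sshd's AllowGroups decision offline, so you can check which accounts a given host's line would admit before pushing it out. The host name "db01", the groups "developers" and "wheel", and the account labels are constructed for illustration. The rendered line follows sshd_config(5), where a keyword is separated from its arguments by whitespace and patterns may contain `*` and `?`.

```shell
#!/bin/sh
# Added example (not from the original post): render the per-host
# "AllowGroups admins unixadmins <host>-access" line and emulate how
# sshd evaluates it. All hosts/groups below are constructed sample data.

set -eu

# Render the AllowGroups line for one host, as the ERB template in the
# post does with <%= host %>.
render_allowgroups() {
    host="$1"
    printf 'AllowGroups admins unixadmins %s-access\n' "$host"
}

# Extract the pattern list from a rendered config fragment on stdin
# (first AllowGroups line only, mirroring sshd's first-match rule).
allowgroups_patterns() {
    awk '$1 == "AllowGroups" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Emulate sshd's AllowGroups test: the login is admitted when at least
# one of the user's groups (primary or supplementary) matches one of the
# patterns. sshd_config(5) patterns use * and ?, which "case" globbing
# reproduces; $p is deliberately unquoted so the glob is applied.
#   $1 = space-separated list of the user's groups
#   $2 = space-separated AllowGroups patterns
groups_match_allowgroups() {
    user_groups="$1"
    patterns="$2"
    for g in $user_groups; do
        for p in $patterns; do
            case "$g" in
                $p) return 0 ;;
            esac
        done
    done
    return 1
}

# Decide for a user's group list against the line rendered for a host.
# Prints "allow" or "deny" and returns 0 or 1 accordingly.
decide() {
    host="$1"
    user_groups="$2"
    patterns=$(render_allowgroups "$host" | allowgroups_patterns)
    if groups_match_allowgroups "$user_groups" "$patterns"; then
        echo allow
        return 0
    fi
    echo deny
    return 1
}

# Walk-through with constructed accounts on host db01. A user placed in
# db01-access (or one of the global admin groups) gets in; a user whose
# only groups are unrelated does not. "|| true" keeps set -e quiet.
for who in "dba:wheel db01-access" "dev:developers" "ops:unixadmins"; do
    printf '%s on db01: ' "${who%%:*}"
    decide db01 "${who#*:}" || true
done
```

On a live host the same two inputs come from the system rather than from sample data: the effective pattern list from `sshd -T | grep -i allowgroups` (which also validates the file, so a stray colon after the keyword shows up as a configuration error), and a user's groups from `id -Gn username`. Running `sshd -t` after the Puppet push and before the restart catches a bad line without dropping existing sessions.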
