Discussion:
[Freeipa-users] SSH access to only specific hosts useding ssh keys
Tym Rehm
2017-04-10 04:04:58 UTC
Permalink
Hey all, New user here.

I have a user "user1" that I want to allow a couple of different users
"userX and userY" to be allowed to ssh into "server1" and "server2", but
not both servers using ssh-keys.

So as an example. UserX will ssh ***@server2 with ssh-key, but I don't
want userY to be able to successfully run the same command.

I currently have userX and userY's public ssh-key attached to user1 and I
have created a HBAC rule to allow user1 to connect with ssh on both server1
and server2. This is allowing user1 to connect to both servers fine,
without a password. It also is allowing users (X & Y) to ssh ***@server1
and ***@server2.

How can stop that to restrict userX to be able to ssh as user1 on server1,
but not server2?

Do I need to do something with the keytabs or add the ssh-keys for userX to
the server1 host only?

Sorry if this is confusing and thank you for your help on this.
--
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.
Jakub Hrozek
2017-04-10 06:17:06 UTC
Permalink
Post by Tym Rehm
Hey all, New user here.
I have a user "user1" that I want to allow a couple of different users
"userX and userY" to be allowed to ssh into "server1" and "server2", but
not both servers using ssh-keys.
want userY to be able to successfully run the same command.
I currently have userX and userY's public ssh-key attached to user1 and I
have created a HBAC rule to allow user1 to connect with ssh on both server1
and server2. This is allowing user1 to connect to both servers fine,
How can stop that to restrict userX to be able to ssh as user1 on server1,
but not server2?
Do I need to do something with the keytabs or add the ssh-keys for userX to
the server1 host only?
I'm honestly not sure if I understand the problem well, but would it be
helpful to add SSH keys to an ID view that is attached to one of the
servers only?
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Tym Rehm
2017-04-12 02:50:34 UTC
Permalink
So I want a user "bob" to ssh into server1 as the username of "support"
with ***@server1, but not let Bob ssh into ***@server2. I have
Bob's ssh public key added to the support user. I can block Bob from
server1 or server2 with HBAC, but I have to add support to both servers and
since Bob's keys are added to Support. The support account is able to ssh
into both servers.

I've looked into ID view, but I'm having troubles find a good document on
how to setup ID views.
Post by Tym Rehm
Post by Tym Rehm
Hey all, New user here.
I have a user "user1" that I want to allow a couple of different users
"userX and userY" to be allowed to ssh into "server1" and "server2", but
not both servers using ssh-keys.
want userY to be able to successfully run the same command.
I currently have userX and userY's public ssh-key attached to user1 and I
have created a HBAC rule to allow user1 to connect with ssh on both
server1
Post by Tym Rehm
and server2. This is allowing user1 to connect to both servers fine,
without a password. It also is allowing users (X & Y) to ssh
How can stop that to restrict userX to be able to ssh as user1 on
server1,
Post by Tym Rehm
but not server2?
Do I need to do something with the keytabs or add the ssh-keys for userX
to
Post by Tym Rehm
the server1 host only?
I'm honestly not sure if I understand the problem well, but would it be
helpful to add SSH keys to an ID view that is attached to one of the
servers only?
--
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
--
--
Do not meddle in the affairs of dragons cause you are crunchy and good with
ketchup.
Jakub Hrozek
2017-04-12 07:20:53 UTC
Permalink
Post by Tym Rehm
So I want a user "bob" to ssh into server1 as the username of "support"
Bob's ssh public key added to the support user. I can block Bob from
server1 or server2 with HBAC, but I have to add support to both servers and
since Bob's keys are added to Support. The support account is able to ssh
into both servers.
Yeah, I think id views could help here, but I haven't tested it myself.
Post by Tym Rehm
I've looked into ID view, but I'm having troubles find a good document on
how to setup ID views.
Does this help?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/id-views.html
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Loading...