I'm looking to set up HBAC for Linux servers. People currently log in to the hosts (via ssh) using ssh keys (no password).

I was thinking that one way to control access is by denying the sshPublicKey (or even the uid; many options here) from being visible on the host by default, and creating an aci that allows the attribute to be visible based on the host. The visibility would be controlled by applying the aci to a group, and if the person is a member, then it's allowed. This does not work as I hoped though, since there is no bind performed as the user when the user logs in to the host.

My questions: 1) If this is a sane approach, how might I get around this issue? 2) If this is not a good way, what might be a better way to accomplish this?

The caveats are that I don't want to rely on POSIX group membership in the allowgroups in sshd.conf, nor do I want to require passwords to log in.
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
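The ACI arrangement the post describes, written out as an added example (not the poster's configuration and not a recommendation from the list): one ACI narrows the default read access on the suffix so that sshPublicKey is hidden unless something explicitly allows it, and a second ACI re-allows it for members of a single group. The suffix dc=example,dc=com, the container ou=people, the group cn=web01-ssh-readers and the uid used in the trailing check are all assumed names. The comments carry the point that explains the behaviour the poster saw: 389-ds evaluates groupdn against the DN the connection bound with, which for a key lookup from the host is the DN sssd (or whatever client) binds as, not the SSH user.

```ldif
# Added example, not from the original post: 389-ds ACIs that hide
# sshPublicKey by default and expose it only to members of one group.
# dc=example,dc=com, ou=people, cn=web01-ssh-readers and uid=alice are
# assumed names.

# 1) Default-deny the attribute. 389-ds denies what no ACI allows, so the
#    stock "Enable anonymous access" ACI on the suffix must be removed or
#    replaced; this version keeps general read but excludes sshPublicKey
#    (alongside userPassword and aci) from it.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || aci || sshPublicKey")
  (version 3.0; acl "Read access except secrets and ssh keys";
  allow (read, search, compare) userdn = "ldap:///anyone";)

# 2) Re-allow sshPublicKey for members of one group. groupdn is checked
#    against the BIND DN of the connection. When sshd (via sssd) fetches a
#    user's key, that bind DN is the host's service account (sssd's
#    ldap_default_bind_dn) or nothing at all for an anonymous bind, so the
#    SSH user's own group membership is never what gets evaluated here.
dn: ou=people,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "sshPublicKey")
  (version 3.0; acl "ssh keys readable by web01 key readers";
  allow (read, search, compare)
  groupdn = "ldap:///cn=web01-ssh-readers,ou=groups,dc=example,dc=com";)

# Check: bind as the DN the host actually uses and see whether the key is
# returned. An empty result for the host's bind DN, and a populated one for
# a user who is in the group, shows the ACI works but on the wrong identity.
#   ldapsearch -x -H ldap://ds.example.com \
#     -D "<the host's sssd bind DN>" -W \
#     -b ou=people,dc=example,dc=com "(uid=alice)" sshPublicKey
```

Load with `ldapmodify -x -D "cn=Directory Manager" -W -f file.ldif` after removing the stock anonymous-access ACI; the ldapsearch at the end is the check worth running before relying on any visibility-based scheme, since it shows exactly which bind identity the server is applying the group rule to.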