Thanks, that looks like potentially a great solution. (It pays to RTFM!)
I couldn't get it to work on my first try in my test env, but will keep at it.
The pubkey works fine when attached to the "real" user, so I know the
keypair is good.
But if I remove the key from the user, and try moving it to the idview
override, it doesn't work.
On Fri, Feb 16, 2018 at 11:01 AM, Alexander Bokovoy <abokovoy(a)redhat.com>
wrote:
On Fri, 16 Feb 2018, Rob Brown via FreeIPA-users wrote:
> Hi,
> We recently moved from an "old school" setup where we would push different
> pubkeys for the same user out to specific hosts in different environments
> using configuration management. Likewise, the matching private keys would
> only exist in their requisite environment.
> This presents a new problem with FreeIPA (which serves both environments),
> in that pubkeys are now attached to the user, and if we put both the "prod"
> and "preprod" pubkeys in the user object, either key will work for that
> user on any server.
> I know the "right answer" probably lies in HBAC rules, but trying to look
> for a simple solution that would restrict which key can be used on which
> server. I read about the "fromhost" option, but that is the opposite of
> what I am looking for. I would like to be able to say "this key can only be
> used to authenticate user foo to xyz host".
> Can someone help steer me in the right direction? I'm not seeing it.
>
FreeIPA supports ID views which can be assigned to specific hosts or
host groups. You can have ID overrides for users in those views that contain
specific public SSH keys. These public SSH keys will only be noticed by
SSSD running on the hosts that have this ID view assigned.
ID Overrides, as their name suggests, override existing attribute
values. Thus, a public SSH key K1 assigned to a userA globally and
overridden in an ID Override in an ID view viewB by a public SSH key K2
would not be visible on the hosts where viewB is applied. Instead, these
hosts will only see K2.
This may be your solution.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/id-views
--
/ Alexander Bokovoy
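The workflow Alexander describes (a view per environment, a user override carrying that environment's key, the view applied to the hosts, then a check on the host that SSSD now returns only the overridden key), as an added example script; it is not code from this thread or from the FreeIPA project. The user "foo", host "xyz.example.com", view name "preprod-view" and the key string are placeholders, and the DRY_RUN wrapper is my addition so the command sequence can be inspected before it touches the directory.

```shell
#!/bin/sh
# Added example, not code from the thread or the FreeIPA project: bind one
# public key to one environment with an ID view, then verify on the host.
# All names are placeholders: user "foo", host "xyz.example.com", view
# "preprod-view", and a constructed sample key passed on the command line.
set -eu

# DRY_RUN=1 prints each ipa/sss command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_env_key VIEW USER HOST PUBKEY
# Creates the view, puts the environment-specific key in a user override
# inside it, and applies the view to the host. An override replaces the
# attribute rather than merging with it: hosts in VIEW see only PUBKEY,
# not the user's globally attached keys, and hosts outside VIEW never
# see PUBKEY at all.
add_env_key() {
    view="$1"; user="$2"; host="$3"; pubkey="$4"
    # idview-add fails if the view already exists; reuse it in that case.
    run ipa idview-add "$view" || true
    run ipa idoverrideuser-add "$view" "$user" --sshpubkey="$pubkey"
    run ipa idview-apply "$view" --hosts="$host"
}

# verify_on_host USER
# Run on the target host: drop the SSSD cache so the newly applied view is
# picked up, then ask SSSD for the keys it would hand to sshd for USER.
# The expected result is the override key only; if the global key still
# shows up, the host is not in the view (or the cache was not refreshed).
verify_on_host() {
    run sss_cache -E
    run sss_ssh_authorizedkeys "$1"
}

# Usage on an IPA client with an admin ticket:
#   sh env_key.sh preprod-view foo xyz.example.com "ssh-ed25519 AAAA... foo@preprod"
# then, on xyz.example.com: verify_on_host foo
if [ "$#" -eq 4 ]; then
    add_env_key "$@"
fi
```

Two checks worth doing when the override "doesn't work": ID views cannot be applied to IPA servers themselves, so test against a plain client, and SSSD keeps its own cache, so run the verification step (or restart sssd) after applying the view rather than trusting the first login attempt.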