On Tue, Sep 26, 2017 at 09:54:40AM +0000, Alessandro Perucchi via FreeIPA-users wrote:
Hello,
We are using Freeipa to our satisfaction.
We are trying to create a bastion/jumphost/... and in order to do it, we want to protect
the bastion so that nobody can access it directly (except of course some admin people).
And at the same time, we want that the users access some hosts through the bastion via
ssh proxy.
Manually it works as expected. Let's say that I have a user `testuser`, and this user has an ssh
key like this one `ssh-ed25519 AAAAC3N testuser(a)example.com`.
So on the bastion, I will create the following entry in the authorized_keys for the
testuser:
no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser(a)example.com
And in the other hosts, I will use the ssh key:
ssh-ed25519 AAAAC3N testuser(a)example.com
How can I give some SSH key restrictions per host? From what I've seen in FreeIPA, you
can either give the restriction in the ssh key for the user, as the first entry or the
second, and it will apply to every server without any possibility of customization.
An extension to that would be: if I am connecting from our internal network
(192.168.0.0/24), then you could connect to the bastion directly, but if you are outside
the internal network, then you cannot... and in that case, the ssh entries in
authorized_keys would be something like this:
from="192.168.0.0/24" ssh-ed25519 AAAAC3N testuser(a)example.com
from="!192.168.0.0/24",no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser(a)example.com
Is there a way to do that in FreeIPA? Because I would like to avoid as much as possible
having to handle the ssh keys "manually" outside of FreeIPA...
Thank you very much in advance for your help.
Regards,
Alessandro
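One caveat a practitioner will hit with the second authorized_keys entry above: OpenSSH pattern lists (see PATTERNS in ssh_config(5), which from= follows) never produce a positive match from a negated pattern alone, so from="!192.168.0.0/24" by itself matches nobody and the external users are simply refused rather than restricted; "everything except that network" is written from="!192.168.0.0/24,*". The script below is an added example, not code from the post or from FreeIPA or OpenSSH; it is a simplified emulation of sshd's first-match walk over authorized_keys (only CIDR patterns and "*" are handled in from=) using the two entries from the post, with the obfuscated "(a)" in the key comment written as "@", and shows the posted form locking external clients out while the corrected form forces them onto the echo command.

```python
"""Simplified emulation of how sshd selects an authorized_keys entry
for a client address: first matching entry wins, and from="..." follows
OpenSSH pattern-list rules (a matching negated pattern rejects, a list of
only negated patterns never yields a positive match).  Added example,
not OpenSSH or FreeIPA code."""
import ipaddress

# Constructed sample: the two entries proposed in the post, key blob
# truncated exactly as it appears there.  Entry 2 uses "!192.168.0.0/24" alone.
POSTED_KEYS = [
    'from="192.168.0.0/24" ssh-ed25519 AAAAC3N testuser@example.com',
    'from="!192.168.0.0/24",no-pty,no-X11-forwarding,'
    'command="/bin/echo Not-Permitted" ssh-ed25519 AAAAC3N testuser@example.com',
]

# Same entries, with "*" after the negated pattern so that it can match.
FIXED_KEYS = [
    POSTED_KEYS[0],
    POSTED_KEYS[1].replace('from="!192.168.0.0/24"', 'from="!192.168.0.0/24,*"'),
]

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def from_list_matches(client_ip, pattern_list):
    """Pattern-list semantics for the address patterns handled here."""
    ip = ipaddress.ip_address(client_ip)
    positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        hit = pat == "*" or ip in ipaddress.ip_network(pat, strict=False)
        if hit and negate:
            return False          # a negated match rejects outright
        positive = positive or hit
    return positive               # only a positive pattern can accept


def split_options(option_text):
    """Split 'a,b="x,y",c' on commas outside double quotes into a dict."""
    opts, cur, quoted = {}, "", False
    for ch in option_text + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            if cur:
                name, _, value = cur.partition("=")
                opts[name] = value.strip('"')
            cur = ""
        else:
            cur += ch
    return opts


def parse_entry(line):
    """Return (options dict, key type, key blob) for one authorized_keys line."""
    if line.split(None, 1)[0] in KEY_TYPES:
        option_text, rest = "", line
    else:
        # Options end at the first space that is not inside double quotes.
        quoted, idx = False, 0
        for idx, ch in enumerate(line):
            if ch == '"':
                quoted = not quoted
            elif ch == " " and not quoted:
                break
        option_text, rest = line[:idx], line[idx + 1:]
    keytype, blob = rest.split()[:2]
    return split_options(option_text), keytype, blob


def select_entry(lines, client_ip, keytype, blob):
    """First entry whose key matches and whose from= admits client_ip;
    None means sshd would refuse the key."""
    for line in lines:
        opts, kt, b = parse_entry(line)
        if (kt, b) != (keytype, blob):
            continue
        if "from" in opts and not from_list_matches(client_ip, opts["from"]):
            continue
        return opts
    return None


def forced_command(lines, client_ip):
    """Result for testuser's key from client_ip: None (key refused),
    "" (unrestricted shell) or the forced command string."""
    opts = select_entry(lines, client_ip, "ssh-ed25519", "AAAAC3N")
    return None if opts is None else opts.get("command", "")


if __name__ == "__main__":
    for label, keys in (("posted", POSTED_KEYS), ("fixed", FIXED_KEYS)):
        for ip in ("192.168.0.5", "203.0.113.7"):
            print(f"{label:6} {ip:13} -> {forced_command(keys, ip)!r}")
```

Running it shows the posted entries giving internal clients a shell and refusing external clients entirely, while the fixed entries give external clients the forced "Not-Permitted" command; the order of the two entries still matters, because sshd stops at the first entry that matches both the key and the from= list.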
Did you consider creating an ID override for this host and only using the
key in this override?
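The ID-override route suggested in the reply, spelled out as an added example (my script, not FreeIPA's code or anything from the thread): an ID view is created, the user's SSH key inside that view is replaced by the restricted authorized_keys line, and the view is applied to the bastion only, so sss_ssh_authorizedkeys on the bastion serves the restricted key while every other host keeps the user's normal key. The view name "bastion-view" and the host name "bastion.example.com" are assumptions; the user and truncated key come from the post. The ipa sub-commands and options used (idview-add, idoverrideuser-add with --sshpubkey, idview-apply with --hosts) are the standard FreeIPA CLI; the script prints them and only executes them when dry_run is False.

```python
"""Per-host SSH key override with a FreeIPA ID view.  Added example;
run with dry_run=False on an enrolled host after `kinit admin`."""
import shlex
import subprocess

# Constructed values: user and truncated key from the post; view and host
# names are assumptions for this example.
USER = "testuser"
BASTION = "bastion.example.com"
VIEW = "bastion-view"
KEY = "ssh-ed25519 AAAAC3N testuser@example.com"
RESTRICTED_KEY = 'no-pty,no-X11-forwarding,command="/bin/echo Not-Permitted" ' + KEY


def override_commands(view, user, host, restricted_key):
    """Return the argv list for each ipa(1) call, in the order to run them."""
    return [
        # 1. A view is a named container for per-host overrides.
        ["ipa", "idview-add", view],
        # 2. Inside the view, replace the user's key with the restricted line.
        #    The whole authorized_keys line, options included, is stored.
        ["ipa", "idoverrideuser-add", view, user, f"--sshpubkey={restricted_key}"],
        # 3. Only hosts the view is applied to serve the override; all other
        #    hosts keep the user's normal key.  (ipa refuses to apply a view
        #    to an IPA master, so the bastion must be an ordinary client.)
        ["ipa", "idview-apply", view, f"--hosts={host}"],
    ]


def run_commands(commands, dry_run=True):
    """Print each command and, unless dry_run, execute it; returns the count."""
    for argv in commands:
        print(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return len(commands)


if __name__ == "__main__":
    run_commands(override_commands(VIEW, USER, BASTION, RESTRICTED_KEY))
    # To verify after running for real: on the bastion, `sss_cache -E` then
    # `sss_ssh_authorizedkeys testuser` should print RESTRICTED_KEY; on any
    # other host it should still print KEY.
```

The verification commands in the trailing comment are the ones to run on the hosts themselves; SSSD caches user entries, so flush the cache before checking what the bastion serves.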