Hi,

We recently moved from an "old school" setup where we would push different
pubkeys for the same user out to specific hosts in different environments
using configuration management. Likewise, the matching private keys would
only exist in their requisite environment.

This presents a new problem with FreeIPA (which serves both environments),
in that pubkeys are now attached to the user, and if we put both the "prod"
and "preprod" pubkeys in the user object, either key will work for that
user on any server.

I know the "right answer" probably lies in HBAC rules, but I am trying to look
for a simple solution that would restrict which key can be used on which
server. I read about the "fromhost" option, but that is the opposite of
what I am looking for. I would like to be able to say "this key can only be
used to authenticate user foo to xyz host".

Can someone help steer me in the right direction? I'm not seeing it.