Suggestion from Naxto Asenjo on freeipa-users:
The default HBAC rule 'allow_all' is nice for testing, but for a production environment I am not so sure.
We do not want our users getting a shell on our KDC servers or on the database servers, for instance. We want them to use the postgresql service, but not log in to the database server with a shell. Many more examples are conceivable, of course.
Is it possible to have this policy adapted to 'everything but ssh' for instance? That is, disable ssh logins unless explicitly allowed by another policy. This would be the equivalent of 'Remote Desktop Users' in an AD domain. Users may log in at the console everywhere (their workstations), but if they need to log in interactively to a server then they need to be a member of this group. This does not prevent them from using other resources like shares, printers, e-mail, databases, ...
I am just afraid that unless this becomes the default during the installation, most IPA environments will stay like this, which could be an unexpected security problem. No one but Kerberos admins should have shell access to the KDC in a Kerberos realm.
The rule itself should be relatively straightforward but managing replicas may be a different matter.
This ticket is somewhat related to ticket #2263.
For brand new installs only.
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: Future Releases
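A simplified model of the 'everything but ssh' policy suggested in this ticket, as an added example that is not part of the original ticket or of FreeIPA's code. It assumes HBAC rules only allow (anything no enabled rule matches is denied); every rule name other than allow_all, and all group, host group and service names, are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

ALL = None  # models a rule's "category: all" setting


@dataclass
class Rule:
    name: str
    groups: frozenset | None      # user groups covered, or ALL
    hostgroups: frozenset | None  # host groups covered, or ALL
    services: frozenset | None    # PAM service names covered, or ALL
    enabled: bool = True

    def matches(self, user_groups, host_groups, service) -> bool:
        # A rule applies only if user, host and service all match.
        return bool(
            self.enabled
            and (self.groups is ALL or self.groups & user_groups)
            and (self.hostgroups is ALL or self.hostgroups & host_groups)
            and (self.services is ALL or service in self.services)
        )


def allowed(rules, user_groups, host_groups, service) -> bool:
    # Allow-only evaluation: one matching enabled rule grants access,
    # no match means the request is denied.
    return any(r.matches(set(user_groups), set(host_groups), service) for r in rules)


# Policy as installed: everyone, everywhere, every service.
DEFAULT = [Rule("allow_all", ALL, ALL, ALL)]

# Constructed replacement. There is no "all except sshd" category in this
# model, so the non-ssh services are listed explicitly (hypothetical list).
NON_SSH = frozenset({"login", "gdm-password", "postgresql"})
HARDENED = [
    Rule("allow_all", ALL, ALL, ALL, enabled=False),
    Rule("allow_non_ssh", ALL, ALL, NON_SSH),
    Rule("allow_ssh_servers", frozenset({"remote_shell_users"}),
         frozenset({"servers"}), frozenset({"sshd"})),
]

if __name__ == "__main__":
    alice = {"ipausers"}                      # ordinary user (constructed)
    bob = {"ipausers", "remote_shell_users"}  # may open shells on servers
    for label, rules in (("default", DEFAULT), ("hardened", HARDENED)):
        for who, groups in (("alice", alice), ("bob", bob)):
            for svc in ("sshd", "postgresql"):
                verdict = allowed(rules, groups, {"servers"}, svc)
                print(f"{label:8} {who:5} {svc:10} on server -> {verdict}")
```

On a real deployment the same requests can be checked against the live rules with ipa hbactest before allow_all is disabled.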