#3310 [RFE] Add a special HBAC service to enable/disable shell access
Closed: wontfix 5 years ago Opened 11 years ago by simo.

With HBAC we can control exactly which service to allow (PAM based); however, we do not have a way to express that we want to allow a user to use ssh but not have shell access.
This could be done using a special HBAC rule where we create a special service, call it '-shell', that would cause the HBAC engine to override the normal user shell and set it to nologin.

This would allow creating rules where SSH logins are allowed and, when -shell is also set, the user will not have shell access. This is useful for situations where someone wants to allow ssh tunnels and/or sftp but not allow interactive shells on a per-server basis.

It doesn't have to be an HBAC rule, so better ideas are welcome as comments on this RFE.


Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
