Task #7601
closed
Added by Nico Schottelius almost 5 years ago.
Updated about 2 years ago.
Description
- Authenticated against our ldap
- Allows user to connect to our IPv6 networks
The ways for users to use it:
- via ProxyCommand (some might be able to use that)
I've set this up some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.
- Status changed from New to Seen
ProxyCommand w/ Windows exists in PuTTY and usually uses plink - more details soon.
@Nico Schottelius please dump anything you want to say on the subject on this issue. I'll do without next time I go over this issue :-)
Very easy:
- ssh config ("MatchUser != root") disallowing all commands
- configuring the OS or PAM to authenticate against ldap (subtree of dc=ungleich,dc=ch)
- Basically disallowing shell
- nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29
So from the outside/black box test:
- ssh -w in ~/.ssh/config with our jump host should work
- ssh user@jumphost should not work / close the shell
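The sshd side of the list above, sketched as an added example (not the configuration mentioned in the ticket). The nologin path and the choice of options are assumptions, and the LDAP/PAM and nft parts are not shown.

```conf
# /etc/ssh/sshd_config fragment (added example, constructed for illustration)

# Applies to every account except root.
Match User *,!root
    # "ssh user@jumphost" and "ssh user@jumphost <command>" run this
    # instead of a shell or the requested command, then the session ends.
    # Assumed path; some distributions ship it as /sbin/nologin.
    ForceCommand /usr/sbin/nologin
    PermitTTY no

    # Keep only client-initiated TCP forwards, which is what
    # "ssh -W host:port" and ProxyJump use. Remote (-R) forwards stay off.
    AllowTcpForwarding local

    # Everything else a jump-only account does not need.
    AllowStreamLocalForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitUserRC no

    # PermitOpen lists host:port destinations and does not take CIDR
    # prefixes, so limiting forwards to 2a0a:e5c0::/29 and 2a09:2940::/29
    # is left to the packet filter, as in the list above.
```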
- Assignee deleted (Timothée Floure)
- Status changed from Seen to Rejected
Not much requested - dropping it for the moment