HLD for host access control #1789
Conversation
There was a problem hiding this comment.
Consider adding a log whenever a user attempts to access the daemon remotely.
To do so use the optional shell_command in the hosts.allow/host.deny file syntax:
daemon_list : client_list [ : shell_command ]
For example, the shell command can be a written as follows to allow logging:
spawn (echo "DENIED: access from %c" | logger -t [%d])
Extra details can be extracted based on the daemon, such as username (%u).
More details on syntax can be found here: https://linux.die.net/man/5/hosts.allow#:~:text=and%20incompatible%20way.-,%25%20EXPANSIONS,-The%20following%20expansions
I followed your advice and tried to modify and verify it. A log entry will be generated in the However, for SSH, access logs are already recorded in |
|
I believe it is still useful since the |
|
It would be useful to also add hostname access/deny. Both for FQDN (test.example.com) and last match patterns (.example.com) |
OK, I will add it to the j2 file. |
I think that even without supporting hostname, it can still meet most usage scenarios. We won't adapt to the hostname for this time. We can add it later if needed. What do you think? |
|
I think that's okay, we can leave it open for the community. Great job! |
This High-Level Design (HLD) document explains the hosts access feature in SONiC. The aim is to use the hosts_access feature of the Linux system to control client access to the host. This time, the main goal is to restrict clients from accessing the host via SSH.