-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HLD for host access control #1789
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding a log whenever a user attempts to access the daemon remotely.
To do so use the optional shell_command
in the hosts.allow/host.deny file syntax:
daemon_list : client_list [ : shell_command ]
For example, the shell command can be a written as follows to allow logging:
spawn (echo "DENIED: access from %c" | logger -t [%d])
Extra details can be extracted based on the daemon, such as username (%u
).
More details on syntax can be found here: https://linux.die.net/man/5/hosts.allow#:~:text=and%20incompatible%20way.-,%25%20EXPANSIONS,-The%20following%20expansions
I followed your advice and tried to modify and verify it. A log entry will be generated in the However, for SSH, access logs are already recorded in |
I believe it is still useful since the |
It would be useful to also add hostname access/deny. Both for FQDN (test.example.com) and last match patterns (.example.com) |
OK, I will add it to the j2 file. |
I think that even without supporting hostname, it can still meet most usage scenarios. We won't adapt to the hostname for this time. We can add it later if needed. What do you think? |
I think that's okay, we can leave it open for the community. Great job! |
This High-Level Design (HLD) document explains the hosts access feature in SONiC. The aim is to use the hosts_access feature of the Linux system to control client access to the host. This time, the main goal is to restrict clients from accessing the host via SSH.