Quote:
Originally Posted by SteveT
Is such a syntax allowable, is it recommended, is there a better (more secure) way of doing it etc?
It is technically allowable if you respect the requirements and limitations. See "man 5 hosts_access", starting at "One should not get carried away with username lookups" (which kinda sets the tone). As you can see from that, lookups are unreliable and not trustworthy, as goes for tcp_wrappers in general wrt its susceptibility to spoofing.
If you want it to work for roaming users it depends on what type of access you need to provide them with. If it's just shell logins then forcing OpenSSH to only accept pubkey auth (no passwords) will do. If it's web-based services you could make it switch to only provide services over TLS/SSL (or wedge a stunnel in front of it, or use SSH's forwarding?). If you need to provide more than that you may need something like OpenVPN. It depends on what type of access you need to provide them with and your approach (lazily providing everything *and* the kitchen sink, or restricting access to only those who need it).
If you add details we'll probably be able to work out advice tailored to your specific setup.
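A small added example (mine, not from the thread or the OpenSSH project) for the "force OpenSSH to only accept pubkey auth" part of the reply: a POSIX sh check that reads an sshd_config and reports whether password and keyboard-interactive logins are off while pubkey auth is on. The two config files are constructed samples; the parser takes the first occurrence of a keyword as effective (as sshd does) and deliberately ignores Match blocks, so it is a quick audit aid rather than a replacement for `sshd -T`.

```shell
#!/bin/sh
# Added example: audit an sshd_config for pubkey-only authentication.
# Not part of the original thread; file contents below are constructed.

# sshd_opt KEY DEFAULT FILE
# Print the effective value of KEY: first non-comment match wins (sshd's own
# rule), DEFAULT if the keyword is absent. Values are lower-cased for comparison.
sshd_opt() {
    _val=$(awk -v key="$1" 'tolower($1)==tolower(key) {print tolower($2); exit}' "$3")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$2"; fi
}

# pubkey_only FILE
# Succeed (exit 0) only when every password-style method is disabled and
# pubkey auth is enabled. Defaults mirror OpenSSH: passwords and
# keyboard-interactive are on unless turned off, pubkey is on by default.
pubkey_only() {
    [ "$(sshd_opt PasswordAuthentication yes "$1")" = no ] &&
    [ "$(sshd_opt KbdInteractiveAuthentication yes "$1")" = no ] &&
    [ "$(sshd_opt ChallengeResponseAuthentication yes "$1")" = no ] &&
    [ "$(sshd_opt PubkeyAuthentication yes "$1")" = yes ]
}

# Constructed sample 1: a typical distro default; the password line is only a
# comment, so passwords are still accepted.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample 2: the pubkey-only setup the reply recommends.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
EOF
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

# Stand-alone usage: report on both samples.
for f in "$WEAK_CFG" "$HARD_CFG"; do
    if pubkey_only "$f"; then
        echo "$f: pubkey-only (passwords disabled)"
    else
        echo "$f: password-based logins still possible"
    fi
done
```

Run it against a real file with `pubkey_only /etc/ssh/sshd_config` after sourcing the script; for the authoritative effective configuration (Match blocks, Include files) use `sshd -T` and feed its output to the same function.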