# Bastion Hosts

Access for the `root` user can be restricted so that it is only allowed from certain bastion hosts.

By default this is enabled except for a few networks; see the [responsible Puppet code](https://git.psi.ch/linux-infra/puppet/-/blob/preprod/code/modules/profile/manifests/networking/params.pp) for details.

Alternatively, you can control the use of bastion hosts yourself by setting the boolean Hiera key `aaa::user_bastions`.

The bastion hosts can be listed in the Hiera key `aaa::bastions`:

```
aaa::bastions:
  - 'x05la-gw.psi.ch'
```

which will then override the default value:

```
aaa::bastions:
  - 'wmgt01.psi.ch'
  - '129.129.190.25' # IP of wmgt01.psi.ch
  - 'wmgt02.psi.ch'
  - '129.129.190.104' # IP of wmgt02.psi.ch
```

**Caution**: an empty list will allow unrestricted login again!
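
A pre-merge check for the caution above, as an added example that is not part of the original page or of the Puppet code it links to: it parses a Hiera YAML document and reports an `aaa::bastions` value that is empty or not a list. The function name `check_bastions` and the sample documents are constructed for illustration; treating a non-list value or a blank entry as a finding is an assumption, since the page only documents the empty-list case.

```ruby
require 'yaml'

KEY = 'aaa::bastions'

# Constructed sample: the override shown on this page.
SAMPLE_OK = <<~YAML
  aaa::bastions:
    - 'x05la-gw.psi.ch'
YAML

# Constructed sample: the case the page warns about.
SAMPLE_EMPTY = <<~YAML
  aaa::bastions: []
YAML

# Returns a list of finding strings for one Hiera YAML document.
# An empty result means the key is absent (default applies) or looks sane.
def check_bastions(yaml_text, source = '(inline)')
  data = YAML.safe_load(yaml_text) || {}
  return [] unless data.is_a?(Hash) && data.key?(KEY)

  value = data[KEY]
  # Assumption: anything other than a list (e.g. a bare "aaa::bastions:") is a mistake.
  unless value.is_a?(Array)
    return ["#{source}: #{KEY} is #{value.inspect}, expected a list"]
  end
  # Documented on the page: an empty list removes the restriction.
  return ["#{source}: #{KEY} is empty, login is unrestricted"] if value.empty?

  # Assumption: every entry should be a non-blank hostname or IP string.
  value.each_with_object([]) do |entry, findings|
    unless entry.is_a?(String) && !entry.strip.empty?
      findings << "#{source}: #{KEY} has a blank or non-string entry #{entry.inspect}"
    end
  end
end

# Command-line use: pass Hiera data files as arguments; exits 1 on any finding.
if __FILE__ == $PROGRAM_NAME
  findings = ARGV.flat_map { |path| check_bastions(File.read(path), path) }
  findings.each { |line| warn line }
  exit 1 unless findings.empty?
end
```

The check looks at one file at a time and does not resolve the Hiera hierarchy, so it catches an empty override where it is written rather than the merged value a node finally receives.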