Per host key authentication

Michael Munger mj at hph.io
Tue Oct 2 22:33:20 CEST 2018


*Problem I want to solve:*

We have 3 sites: A, B, and C.

Network admins should have access to all three. (this works as-is).

Desktop support should only have access to their site. (Tech A to site
A, Tech B to site B, Tech C to site C).

*How I think I can do it:*

*Working with keys?*

    Admin's public key will be on all the client machines, and thus, the
    client machines will always allow them in. But, technician's public
    key will only be on the client machines that they are allowed to manage.

    Problem: I cannot find any configs that would support this.

*Working with routes and subnetting?*

    Admin would have the routes to get to all machines, techs would only
    have routes to get to their local subnet.

    Problem: 1) Mesh routing defeats this. 2) Technicians can easily
    change their subnet.

*Firewalls on the client machines*

    Client machines would block traffic from all other subnets except
    the admin subnet and the local subnet.

    Problem: I cannot control this on a per-technician basis. It's an
    all or nothing thing.

How can I do this? (Looking at the configs, I think it's not possible...
or at least not possible in the way I am thinking about it). I am open
to suggestions / alternate tactics.
--
Michael Munger, dCAP, MCPS, MCNPS, MBSS
*Microsoft Certified Professional*
*Microsoft Certified Small Business Specialist*
*Digium Certified Asterisk Professional*
*High Powered Help, Inc.*
p: 678-905-8569
w: hph.io <https://hph.io>  e: mj at hph.io <mailto:mj at hph.io>