Per host key authentication

Corey Boyle coreybrett at gmail.com
Tue Oct 2 23:00:35 CEST 2018


I don't believe tinc will support this level of access control.
As far as I can tell, it's all or nothing with tinc.

How you configure firewalls on the other hand is up to you.

On Tue, Oct 2, 2018 at 4:40 PM Michael Munger <mj at hph.io> wrote:
>
> Problem I want to solve:
>
> We have 3 sites: A, B, and C.
>
> Network admins should have access to all three. (this works as-is).
>
> Desktop support should only have access to their site. (Tech A to site A, Tech B to site B, Tech C to site C).
>
> How I think I can do it:
>
> Working with keys?
>
> Admin's public key will be on all the client machines, and thus, the client machines will always allow them in. But, technician's public key will only be on the client machines that they are allowed to manage.
>
> Problem: I cannot find any configs that would support this.
>
> Working with routes and subnetting?
>
> Admin would have the routes to get to all machines, techs would only have routes to get to their local subnet.
>
> Problem: 1) Mesh routing defeats this. 2) Technicians can easily change their subnet.
>
> Firewalls on the client machines
>
> Client machines would block traffic from all other subnets except the admin subnet and the local subnet.
>
> Problem: I cannot control this on a per-technician basis. It's an all or nothing thing.
>
> How can I do this? (Looking at the configs, I think it's not possible... or at least not possible in the way I am thinking about it). I am open to suggestions / alternate tactics.
> --
>
> Michael Munger, dCAP, MCPS, MCNPS, MBSS
> Microsoft Certified Professional
> Microsoft Certified Small Business Specialist
> Digium Certified Asterisk Professional
> High Powered Help, Inc.
> p: 678-905-8569
> w: hph.io  e: mj at hph.io
>
>
> _______________________________________________
> tinc mailing list
> tinc at tinc-vpn.org
> https://www.tinc-vpn.org/cgi-bin/mailman/listinfo/tinc