IP ACL for per-user access?

Has anyone ever created a method to restrict access for users by IP? It
has never made me comfortable that superuser access is possible from
anywhere. I can mitigate the risk with tools like Fail2Ban, but I’d
just as soon lock the interface down so they can’t login at all except
from trusted sources. Reviewing RT 4.0 code, seems like the best method
to override would be RT::User::HasPassword since it is short and least
likely to be changed version to version. Hoping someone else has
already done this or similar and has some advice to share. Otherwise, I
shall just plow ahead and post my solution on the wiki!

Thanks,
Mark

Mark D. Nagel, CCIE #3177 mnagel@willingminds.com
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277

** For faster support response time, please
** email support@willingminds.com or call 714-495-4000

There are better places to do that using callbacks rather than
overriding anything. Look at the callbacks available in
RT::Interface::Web::HandleRequest and the way they’re used in the
various RT-Authen-* extensions.

If you don’t need it to be user-specific, just do it at the Apache level.

Thomas

I do want it to be user specific, though, or at least role specific
(SuperUser, for example). I will check those out, though – I thought
of doing a callback, but couldn’t quite see where it would be best
performed, so I will definitely review the module samples.

Thanks!

Mark
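
The per-user and per-role source-address decision discussed in this thread, as an added example (not code from RT or from either poster). The `%ACL` table, its `user:`/`role:` key scheme and the sub names are hypothetical; the calling code is assumed to supply the username, whether the account holds SuperUser, and the client address.

```perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);
# Constructed sample policy (hypothetical): identity => trusted source CIDRs.
my %ACL = (
    'role:SuperUser' => [ '192.0.2.0/24', '2001:db8:10::/48' ],
    'user:root'      => [ '192.0.2.10/32' ],
);

# Address as a string of bits (32 or 128 long); undef if it does not parse.
sub addr_bits {
    my ($addr) = @_;
    return unless defined $addr;
    $addr =~ s/\A::ffff:(?=\d+\.\d+\.\d+\.\d+\z)//i;    # IPv4-mapped IPv6 -> IPv4
    for my $family (AF_INET, AF_INET6) {
        my $packed = inet_pton($family, $addr);
        return unpack('B*', $packed) if defined $packed;
    }
    return;
}

sub in_cidr {
    my ($addr, $cidr) = @_;
    my ($net, $len) = split m{/}, $cidr, 2;
    my $abits = addr_bits($addr);
    my $nbits = addr_bits($net);
    return 0 unless defined $abits && defined $nbits;
    return 0 unless length($abits) == length($nbits);    # never mix families
    $len = length($nbits) unless defined $len;
    return 0 unless $len =~ /\A\d+\z/ && $len <= length($nbits);
    return substr($abits, 0, $len) eq substr($nbits, 0, $len) ? 1 : 0;
}

# Every ACL entry that applies to the account must match the source address,
# so an unparsable address fails closed. Accounts with no entry are unrestricted.
sub login_allowed {
    my ($username, $is_superuser, $remote_addr) = @_;
    my @keys = ("user:$username");
    push @keys, 'role:SuperUser' if $is_superuser;
    for my $key (grep { exists $ACL{$_} } @keys) {
        return 0 unless grep { in_cidr($remote_addr, $_) } @{ $ACL{$key} };
    }
    return 1;
}

# Constructed test logins: [ username, is_superuser, source address ]
printf "%-6s %d %-20s %s\n", @$_[0 .. 2], login_allowed(@$_) ? 'allow' : 'deny'
    for [ 'root', 1, '192.0.2.10' ], [ 'root', 1, '192.0.2.77' ],
        [ 'alice', 1, '::ffff:192.0.2.77' ], [ 'alice', 1, 'not-an-ip' ],
        [ 'bob', 0, '198.51.100.7' ];
```

Behind a reverse proxy the address the application sees is the proxy's, so pass this check a client address taken only from a header that your own proxy sets.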