[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

KodaK sakodak at gmail.com
Mon Jul 8 17:44:13 UTC 2013


We've just discovered that AIX does not honor HBAC rules with telnet.  ssh
is fine.

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
---------------------
Access granted: False
---------------------

There was no telnet service by default, I created one (but I'm not sure I
did so correctly.)

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
---------------------
Access granted: False
---------------------

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
---------------------
Access granted: False
---------------------

[jebalicki at mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
---------------------
Access granted: False
---------------------

But:

[jebalicki at mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
 telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

ROOT at sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user and
then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if
AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political pressure
to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
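Added example (not part of the original post, and not FreeIPA's own code): a small model of the HBAC evaluation that `ipa hbactest` performs on the server, alongside a model of the two client paths the post observes. HBAC rules are allow-only: a request is granted only if some enabled rule matches the user, the host and the PAM service, and a rule whose category for a component is "all" matches every value of that component. The point the post illustrates is that this decision is only useful if the client asks for it; a client that merely verifies the password (the AIX telnet path in the post) never consults it, so `hbactest` saying "False" and the telnet login succeeding are not in contradiction. The rule set, groups and users below are constructed for illustration; the host name is the one from the post, and the default `allow_all` rule is shown disabled, as the post's "Access granted: False" results require. Treating the no-`--service` case ("Service: any") as matching only rules with servicecategory=all is an assumption of this model.

```python
"""Model of FreeIPA HBAC evaluation plus the two client paths from the post.
Added illustration, not FreeIPA code. All data below is constructed."""
from dataclasses import dataclass, field

ALL = "all"          # usercategory / hostcategory / servicecategory = all
ANY_SERVICE = "any"  # what `ipa hbactest` reports when --service is omitted


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    user_category: str = ""
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    host_category: str = ""
    services: set = field(default_factory=set)
    service_groups: set = field(default_factory=set)
    service_category: str = ""


def _component_matches(value, value_groups, direct, groups, category):
    """A rule component matches if the category is 'all', the value is listed
    directly, or the value is in a group the rule lists. For service == 'any'
    only a category of 'all' can match (assumption of this model)."""
    if category == ALL:
        return True
    return value in direct or bool(value_groups & groups)


def hbac_allowed(rules, user, host, service, user_groups, host_groups, service_groups):
    """Allow-only semantics: return (granted, names of matching enabled rules).
    The *_groups arguments map a value to the set of groups it belongs to."""
    matched = []
    for r in rules:
        if not r.enabled:
            continue
        if (_component_matches(user, user_groups.get(user, set()),
                               r.users, r.user_groups, r.user_category)
                and _component_matches(host, host_groups.get(host, set()),
                                       r.hosts, r.host_groups, r.host_category)
                and _component_matches(service, service_groups.get(service, set()),
                                       r.services, r.service_groups, r.service_category)):
            matched.append(r.name)
    return bool(matched), matched


def client_login(password_ok, enforces_hbac, hbac_decision):
    """Two client behaviours seen in the post: a client that consults HBAC
    (the ssh path) denies an authenticated user when HBAC says no; a client
    that only authenticates (the AIX telnet path) admits anyone whose
    password is accepted."""
    if not password_ok:
        return False
    return hbac_decision if enforces_hbac else True


# Constructed rule set and memberships. Host name is the one from the post.
HOST = "sla765q1.unix.magellanhealth.com"
RULES = [
    HBACRule("allow_all_admins", user_groups={"admins"},
             host_category=ALL, service_category=ALL),
    HBACRule("ops_ssh", user_groups={"ops"}, hosts={HOST}, services={"sshd"}),
    # FreeIPA's default rule; disabled, otherwise hbactest would grant testuser.
    HBACRule("allow_all", enabled=False, user_category=ALL,
             host_category=ALL, service_category=ALL),
]
USER_GROUPS = {"testuser": {"ipausers"}, "opsuser": {"ops", "ipausers"},
               "adminuser": {"admins", "ipausers"}}
HOST_GROUPS = {HOST: {"aix-servers"}}
SERVICE_GROUPS = {"sshd": {"remote-access"}, "telnet": {"remote-access"}}


def hbactest(user, host, service=ANY_SERVICE):
    """Equivalent of `ipa hbactest --user U --host H [--service S]`."""
    return hbac_allowed(RULES, user, host, service,
                        USER_GROUPS, HOST_GROUPS, SERVICE_GROUPS)


if __name__ == "__main__":
    for svc in ("sshd", "telnet", ANY_SERVICE, "login"):
        granted, names = hbactest("testuser", HOST, svc)
        print(f"testuser {HOST} {svc:6} granted={granted} rules={names}")
    decision = hbactest("testuser", HOST, "telnet")[0]
    print("ssh (client enforces HBAC):   ", client_login(True, True, decision))
    print("telnet (authenticate only):   ", client_login(True, False, decision))
```

Running it reproduces the post's four "Access granted: False" results for testuser, then shows the same HBAC verdict producing a denial on an enforcing client and an admitted session on a client that only checks the password.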