[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

Rob Crittenden rcritten at redhat.com
Mon Jul 8 17:50:22 UTC 2013


KodaK wrote:
> We've just discovered that AIX does not honor HBAC rules with telnet.
> ssh is fine.
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
> ---------------------
> Access granted: False
> ---------------------
>
> There was no telnet service by default, I created one (but I'm not sure
> I did so correctly.)
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
> ---------------------
> Access granted: False
> ---------------------
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
> Service: any
> ---------------------
> Access granted: False
> ---------------------
>
> [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
> ---------------------
> Access granted: False
> ---------------------
>
> But:
>
> [jebalicki@mo0033802 ~]$ telnet sla765q1
> Trying 10.200.5.137...
> Connected to sla765q1.
> Escape character is '^]'.
> telnet (sla765q1.unix.magellanhealth.com)
> [login banner and blank lines removed]
> AIX Version 6
> Copyright IBM Corporation, 1982, 2011.
> login: testuser
> testuser's Password:
> -bash-3.2$ logout
> Connection closed by foreign host.
>
> AIX was configured with standard authentication at first:
>
> ROOT@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Standard Aix
>
> But I changed that to add Kerberos:
>
> ROOT@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
> Kerberos 5
> Standard Aix
>
> However, all that does is cause Kerberos to time out on the invalid user
> and then fall back to allowing the user in anyway.
>
> I'm still investigating to see if this is an implementation problem, or
> if AIX is just incapable of this.
>
> I continue to lobby for turning off telnet, but there is political
> pressure to keep it open.
>
> Anyone have any ideas for things I could try?

HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob
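As an added illustration (not code from this thread or from FreeIPA), here is a small Python model of how HBAC rules are evaluated: rules are allow-only, a rule matches when its user, host and service sets (or the "all" category) cover the request, and with no enabled matching rule the answer is the "Access granted: False" seen in every hbactest run above. The rule names and the users other than testuser are constructed; the host and testuser come from the thread. The point it makes is that the decision lives on the IPA side and is only ever requested by a client whose PAM stack consults sssd, so a telnetd that never asks sssd is never denied.

```python
from dataclasses import dataclass, field
from typing import Optional, Union

# Simplified model of FreeIPA HBAC evaluation (added example, not FreeIPA code).
# ALL stands in for an IPA rule's usercategory/hostcategory/servicecategory = all.
ALL = "all"


@dataclass
class HBACRule:
    name: str
    users: Union[set, str] = field(default_factory=set)     # user names, or ALL
    hosts: Union[set, str] = field(default_factory=set)     # host FQDNs, or ALL
    services: Union[set, str] = field(default_factory=set)  # PAM service names, or ALL
    enabled: bool = True


def _covers(members, value):
    """A member set covers a value if it is the 'all' category or names the value."""
    return members == ALL or value in members


def hbac_allowed(rules, user, host, service: Optional[str]):
    """Return (granted, matching_rule_names), mirroring `ipa hbactest`.

    service=None models hbactest run without --service ("Service: any");
    assumption: only rules with the 'all' service category match then.
    """
    matched = [
        r.name for r in rules
        if r.enabled
        and _covers(r.users, user)
        and _covers(r.hosts, host)
        and (r.services == ALL if service is None else _covers(r.services, service))
    ]
    return bool(matched), matched


def hbactest_report(rules, user, host, services):
    """Evaluate one user/host pair against every PAM service the host exposes."""
    return {svc: hbac_allowed(rules, user, host, svc)[0] for svc in services}


if __name__ == "__main__":
    host = "sla765q1.unix.magellanhealth.com"  # host from the thread
    # Constructed rule set: only a (constructed) admin user may ssh in.
    rules = [HBACRule("admins_ssh", users={"jdoe"}, hosts=ALL, services={"sshd"})]
    for svc, ok in hbactest_report(rules, "testuser", host, ["sshd", "telnet", "login", None]).items():
        print(f"service={svc or 'any'}: Access granted: {ok}")
```

Whatever this evaluation returns, a host service that authenticates without going through sssd (as the AIX telnet login above does) never presents the question, so the rule set alone cannot close the gap.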