[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

Dmitri Pal dpal at redhat.com
Tue Jul 9 22:43:55 UTC 2013


On 07/09/2013 06:01 PM, KodaK wrote:
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>>     On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden
>>     <rcritten at redhat.com <mailto:rcritten at redhat.com>> wrote:
>>
>>
>>         HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>>         I think you need to use pam_access to limit users in AIX.
>>
>>
>>     I have some work-arounds now, but I'd like to find a way to
>>     automate them.  What
>>     I need is a way to ask IPA "who is allowed to access this
>>     particular server?"
>>
>>     The goal is go just get a list of allowed users, then there are
>>     various mechanisms
>>     I can employ to allow access to only the listed users.  I plan to
>>     do this from the
>>     puppet master so I can push the configs from there.  I have
>>     ipa-admintools and
>>     openldap-clients installed on the puppet master.
>>
>>     Right now I'm iterating through all the hbacrules and grepping
>>     for the server in 
>>     question, then getting the details of that rule.  This is a lot
>>     of requests.
>
>
>     A valid RFE I would say...
>     May be it should be an enhancement for the hbac-test tool?
>     However getting a list of the users verbatim is probably costly too.
>     May be it would make sense for you to create a group of AIX users
>     in IPA and then fetch it from the puppet master traverse its
>     memberOf attribute for list of members?
>     It will not use HBAC but still would provide some access control
>     optimization.
>     Will that solve the problem for you?
>
>
> I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group
> for each host called hostname_access -- but then I'm just replicating
> (quite inefficiently) information that already exists in the HBAC
> rules.  I can probably create one rule per host in HBAC and query that
> particular rule for the allowed users, but this loses the benefit of
> being able to use host and user groups.  This is probably where we'll
> end up, though, since it's the least-effort-to-implement (if worst to
> maintain) option.
>
> How does sssd determine if a user is allowed access?  Another option
> may be to replicate that functionality in a program or script on the
> puppet master and have it populate some files once a day or so.
>  Alternately we could write a PAM module for AIX that replicates that
> functionality.  Right now, though, I have no idea how it's done in
> SSSD (a pointer to where it is in the code would be helpful, even.)
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 

SSSD and IPA share the same library.
I do not remember the name of it but it takes input: user, host, service
and determines whether user is allowed or not.
It is written in C. So it probably can be ported to AIX.

Here is another option, I do not know if that would work for you.
It really depends on your setup.
You can allow SSH into AIX machines only from a corresponding gateway
machine.
Say you have 5 classes of AIX machines then you will have 5 gateway
machines.
The access to a set of AIX machines will be restricted to SSH from a
gateway system.
Logging in to a gateway system would be protected with HBAC.

Not the best but yet an alternative approach.

If you go with the "implement yourself approach" on the puppet master
you should take a look at the code of the library and see how it does
things. It might be a good start.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
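The thread asks how sssd decides whether a user may log in, and how to turn the HBAC rules into a per-host list of allowed users. The library Dmitri refers to is libipa_hbac (shipped in the sssd source tree and used by both sssd and the IPA server). The following is an added example, not code from sssd, FreeIPA or this thread: a plain-Python model of the same evaluation, in which an enabled allow rule grants access only when its user, host and service sections all match, and a section matches either by category "all", by direct membership, or by group membership. The rules, users, groups, host names and PAM service names below are constructed for the example; in particular, the mapping of telnet to the "login" PAM service is an assumption and must be checked against the AIX configuration in use.

```python
from dataclasses import dataclass

# Constructed model of a FreeIPA HBAC rule. Real rules are LDAP entries whose
# memberUser/memberHost/memberService attributes and userCategory/hostCategory/
# serviceCategory ("all") attributes carry the same information; only "allow"
# rules are modelled here, matching current IPA behaviour.
@dataclass(frozen=True)
class HbacRule:
    name: str
    enabled: bool = True
    user_category: str = ""          # "all" matches every user
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    host_category: str = ""          # "all" matches every host
    hosts: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    service_category: str = ""       # "all" matches every PAM service
    services: frozenset = frozenset()
    service_groups: frozenset = frozenset()


def _section_matches(category, members, member_groups, name, name_groups):
    """One rule section matches by category, direct member, or shared group."""
    return category == "all" or name in members or bool(member_groups & name_groups)


def rule_allows(rule, user, user_groups, host, host_groups, service, service_groups):
    """True if this single rule grants (user, host, service); disabled rules never do."""
    if not rule.enabled:
        return False
    return (
        _section_matches(rule.user_category, rule.users, rule.user_groups, user, user_groups)
        and _section_matches(rule.host_category, rule.hosts, rule.host_groups, host, host_groups)
        and _section_matches(rule.service_category, rule.services, rule.service_groups,
                             service, service_groups)
    )


def access_allowed(rules, user, user_groups, host, host_groups, service, service_groups):
    """Access is granted if any enabled allow rule matches all three sections."""
    return any(rule_allows(r, user, user_groups, host, host_groups, service, service_groups)
               for r in rules)


def allowed_users(rules, host, service, users, host_group_map, service_group_map):
    """Answer 'who may use <service> on <host>?' by evaluating every known user.

    `users` maps user name -> frozenset of group names; the other two maps do the
    same for hosts and PAM services. This is the list the puppet master would push.
    """
    hgroups = host_group_map.get(host, frozenset())
    sgroups = service_group_map.get(service, frozenset())
    return sorted(u for u, ugroups in users.items()
                  if access_allowed(rules, u, ugroups, host, hgroups, service, sgroups))


# --- constructed directory data (not from any real IPA domain) ---------------
USERS = {
    "alice": frozenset({"aix-admins", "sysadmins"}),
    "bob":   frozenset({"aix-dba"}),
    "carol": frozenset({"developers"}),
    "dave":  frozenset(),
}
HOST_GROUPS = {
    "aix-db01.example.test":  frozenset({"aix-db", "aix-all"}),
    "aix-app01.example.test": frozenset({"aix-app", "aix-all"}),
}
# Assumption: telnet authenticates through the "login" PAM service on this AIX build.
SERVICE_GROUPS = {
    "sshd":  frozenset({"remote-login"}),
    "login": frozenset({"remote-login"}),
}
RULES = [
    HbacRule("aix_admins_all", user_groups=frozenset({"aix-admins"}),
             host_groups=frozenset({"aix-all"}), service_category="all"),
    HbacRule("dba_ssh_to_db", user_groups=frozenset({"aix-dba"}),
             host_groups=frozenset({"aix-db"}), services=frozenset({"sshd"})),
    HbacRule("dave_on_app01", users=frozenset({"dave"}),
             hosts=frozenset({"aix-app01.example.test"}),
             service_groups=frozenset({"remote-login"})),
    # A disabled "allow all" rule must contribute nothing.
    HbacRule("allow_all_disabled", enabled=False, user_category="all",
             host_category="all", service_category="all"),
]

if __name__ == "__main__":
    for host in HOST_GROUPS:
        for service in SERVICE_GROUPS:
            print(host, service, allowed_users(RULES, host, service, USERS,
                                               HOST_GROUPS, SERVICE_GROUPS))
```

The per-user loop is what makes the "list everyone allowed" question expensive in a large domain, as Dmitri notes; the per-login check (`access_allowed`) is cheap, which is why sssd evaluates at login time rather than materialising lists.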

