[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

Dmitri Pal dpal at redhat.com
Thu Jul 11 21:40:25 UTC 2013


On 07/10/2013 08:34 PM, KodaK wrote:
>
>
> On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.asenjo at gmail.com
> <mailto:natxo.asenjo at gmail.com>> wrote:
>
>     On 07/08/2013 07:44 PM, KodaK wrote:
>
>         We've just discovered that AIX does not honor HBAC rules with
>         telnet. ssh is fine.
>
>
>     no AIX experience, but I once overheard someone who did
>     something like
>     this using pam and apparently you could use the pam_permission module:
>
>     http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
>
>     so you could add this to /etc/pam.conf
>
>     telnet auth requisite /usr/lib/security/pam_permission file=/etc/pam.groups.telnet found=allow
>
>     and create the file /etc/pam.groups.telnet with info like this:
>
>     +@mygroup1
>     +@mygroup2
>     -@mygroup3
>
>     in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
>     denied access.
>
>     You could even harden it even more with good old tcp_wrappers
>     (hosts.allow, hosts.deny).
>
>     If you have a config tool (cfengine, puppet, whatever), this could be
>     quite easy to distribute once properly tested.
>
>     Totally untested :-) but maybe worth a shot.
>
>
> Thanks.  I'm stuck though.
>
> IBMs insistence on doing everything Not Unix in AIX is frustrating my
> efforts.
>
> 1) they don't use straight up PAM.  They have some older version they
> include with the OS.
> 2) their version has very few modules that come with it.  It does,
> however, have pam_permission, but does not include pam_krb5.
>
> Here's the list:
>
> pam_aix          pam_allowroot    pam_mkuserhome   pam_prohibit
> pam_allow        pam_ckfile       pam_permission   pam_rhosts_auth
>
> That's a far cry from the 69 or so pam modules I see on Linux boxes.
>
> Before I can move on I have to get pam_krb5 to build for AIX and
> that's proving to be very difficult.
>
> I'm hoping the pam_hbac thing will pan out.
>
> I'm about ready to just yank Kerberos from the AIX machines and fall
> back to local authentication.
> The actual AIX admins seem to have no interest in helping me, so they
> can reap what they sow with their inaction and have to manage
> individual users on individual boxes.

How complex are your HBAC rules? Are they very dynamic or pretty static?
We might be able to tackle it from that side and come with something
custom that would work for your case but not in general.
I think PWT mail for the real data would be appropriate.

>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
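To make the pam_permission workaround from the thread concrete, here is an added example (not code from the thread or from IBM) that evaluates a /etc/pam.groups.telnet-style file for a given user and group list. It assumes first-match-wins evaluation from top to bottom, with a "+" match permitting, a "-" match denying, and no match denying when found=allow; that reading of pam_permission is an assumption to verify against the IBM documentation before deploying.

```python
# Added example: evaluator for a pam_permission-style allow/deny file.
# ASSUMED semantics: entries are +user, -user, +@group, -@group, read
# top to bottom, first match wins; with found=allow a '+' match permits,
# a '-' match denies, and no match at all denies.
from typing import Iterable

# Constructed sample mirroring the thread's /etc/pam.groups.telnet, plus an
# explicit per-user deny placed first so it wins over a group allow.
PAM_GROUPS_TELNET = """\
# who may telnet in (constructed sample)
-baduser
+@mygroup1
+@mygroup2
-@mygroup3
"""


def parse_permission_file(text: str) -> list[tuple[bool, bool, str]]:
    """Return (allow, is_group, name) tuples in file order; skip blanks/comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sign, name = line[0], line[1:]
        if sign not in "+-" or not name or name == "@":
            raise ValueError(f"malformed entry: {raw!r}")
        is_group = name.startswith("@")
        entries.append((sign == "+", is_group, name[1:] if is_group else name))
    return entries


def telnet_permitted(user: str, groups: Iterable[str],
                     text: str = PAM_GROUPS_TELNET) -> bool:
    """Decide telnet access for `user` in `groups`; first matching entry wins."""
    groupset = set(groups)
    for allow, is_group, name in parse_permission_file(text):
        if (is_group and name in groupset) or (not is_group and name == user):
            return allow
    return False  # found=allow and nothing matched: deny


if __name__ == "__main__":
    for who, grps in [("alice", ["mygroup1"]), ("bob", ["mygroup3"]),
                      ("baduser", ["mygroup1"]), ("carol", ["staff"])]:
        print(who, "allow" if telnet_permitted(who, grps) else "deny")
```

Entry order matters: a user in both mygroup1 and mygroup3 is allowed because the "+@mygroup1" line is reached first, so put explicit denies ahead of broad group allows.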


