[Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

Martin Kosek mkosek at redhat.com
Mon Jun 4 06:39:40 UTC 2012


On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> Hi:
> 
> I am a newbie that is trying out FreeIPA for the first time. So far I
> am extremely impressed with this system but I ran into a problem that
> I need some help with. I am trying to figure out how to use HBAC to
> restrict a set of users to a specific set of hosts but I am not having
> any success.
> 
> Here is the problem statement:
> 
> I have 2 users: “user1” and “user2” that should only be able to access
> the host “foobar” on my network. There are many other possible hosts
> (like “wombat”) that they cannot access. They can log in from anywhere
> using “ssh”.
> 
> The goal is to restrict students to a specific set of machines.
> 
> What I tried to do was this:
> 
> 1. Create a user group called “restricted-users” which I could
>    add users to.
> 2. Create a HBAC rule named “restricted-users” that
>    a. Defines the host I want to allow them access to
>       (“restricted-host”).
>    b. Defines the user group that is affected by this rule
>       (“restricted-users”).
>    c. Defines the services they are allowed to use on that host
>       (including login).
> 3. Create a user named “user1” that is enrolled in the
>    “restricted-users” group.
> 
> I then tried this experiment:
> 
> 1. ssh -Y user1@foobar
>    a. It worked like a charm. The login worked correctly.
> 2. ssh -Y user1@wombat
>    a. It also worked like a charm but in this case it was undesired
>       behavior.
> 
> I am sure that I am missing something really obvious. Any help would
> be greatly appreciated.
> 
> Errata:
> 
> 1. OS: CentOS 6.2
> 2. FreeIPA: v2.1.3 (9el6)
> 
> Thank you,
> 
> Joe
> 

Hello Joe,

did you disable default allow_all HBAC rule?

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

With this rule disabled, the policy you described should be properly
enforced. When testing HBAC rules you may want to try the CLI and Web UI
interfaces to the hbactest command, which can help you test who can use
which service on which machine, and also show which rules matched when
access was allowed.

HTH,
Martin
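The reply above hinges on one property of HBAC: rules are allow-only and are
OR-ed together, so an enabled allow_all rule grants every user/host/service
combination no matter how narrow the other rules are. The following is an
added simulation of that evaluation, written for this page; it is not FreeIPA
or SSSD code and it does not talk to an IPA server. Rule fields mirror what
`ipa hbacrule-show` prints (the Source host category shown in the posted
output is left out for brevity), the group memberships and host names
(`foobar.example.com`, `wombat.example.com`, the `sshd` service) are
constructed sample data, and `overly_broad_rules` is a hypothetical audit
helper, not an `ipa` subcommand. The real check on a live deployment is
`ipa hbactest --user=user1 --host=wombat.example.com --service=sshd`.

```python
"""Simulation of FreeIPA HBAC rule evaluation (added example, not FreeIPA code).

Shows why Joe's "restricted-users" rule did not stop user1 from reaching
wombat: the default allow_all rule was still enabled and matched first.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Directory:
    """Group memberships as the IPA server would resolve them (constructed data)."""
    user_groups: Dict[str, Set[str]]      # group name     -> member user names
    host_groups: Dict[str, Set[str]]      # hostgroup name -> member host FQDNs
    service_groups: Dict[str, Set[str]]   # hbacsvcgroup   -> member HBAC services


@dataclass
class HbacRule:
    """One HBAC rule, with the fields `ipa hbacrule-show` displays."""
    name: str
    enabled: bool = True
    user_category: Optional[str] = None      # "all" or None
    host_category: Optional[str] = None      # "all" or None
    service_category: Optional[str] = None   # "all" or None
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    service_groups: Set[str] = field(default_factory=set)


def _member(value: str, direct: Set[str], groups: Set[str],
            membership: Dict[str, Set[str]]) -> bool:
    """True if `value` is listed directly or via any of the rule's groups."""
    return value in direct or any(value in membership.get(g, set()) for g in groups)


def rule_matches(rule: HbacRule, user: str, host: str, service: str,
                 d: Directory) -> bool:
    """A rule matches only when it is enabled and user, host AND service match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_category == "all" or _member(user, rule.users, rule.user_groups, d.user_groups)
    host_ok = rule.host_category == "all" or _member(host, rule.hosts, rule.host_groups, d.host_groups)
    svc_ok = rule.service_category == "all" or _member(service, rule.services, rule.service_groups, d.service_groups)
    return user_ok and host_ok and svc_ok


def hbactest(rules: List[HbacRule], user: str, host: str, service: str,
             d: Directory) -> Tuple[str, List[str]]:
    """HBAC is allow-only: access is granted if ANY enabled rule matches.

    Returns the verdict plus the names of the rules that matched, which is
    the information `ipa hbactest` prints and the first thing to look at
    when an access you expected to be denied is allowed.
    """
    matched = [r.name for r in rules if rule_matches(r, user, host, service, d)]
    return ("ALLOW" if matched else "DENY"), matched


def overly_broad_rules(rules: List[HbacRule]) -> List[str]:
    """Hypothetical audit helper: enabled rules that match every user, host and service."""
    return [r.name for r in rules
            if r.enabled and r.user_category == "all"
            and r.host_category == "all" and r.service_category == "all"]


# Constructed directory: user1 and user2 are the "students" from the post.
DIRECTORY = Directory(
    user_groups={"restricted-users": {"user1", "user2"}},
    host_groups={},
    service_groups={},
)


def build_rules(allow_all_enabled: bool) -> List[HbacRule]:
    """The two rules from the thread: the default allow_all and Joe's restriction."""
    return [
        HbacRule(name="allow_all", enabled=allow_all_enabled,
                 user_category="all", host_category="all", service_category="all"),
        HbacRule(name="restricted-users",
                 user_groups={"restricted-users"},
                 hosts={"foobar.example.com"},
                 services={"sshd"}),
    ]


if __name__ == "__main__":
    checks = [("user1", "foobar.example.com"), ("user1", "wombat.example.com"),
              ("user3", "foobar.example.com")]
    for enabled in (True, False):
        rules = build_rules(enabled)
        print(f"allow_all enabled={enabled}; broad rules: {overly_broad_rules(rules)}")
        for user, host in checks:
            verdict, matched = hbactest(rules, user, host, "sshd", DIRECTORY)
            print(f"  {user}@{host} sshd -> {verdict} matched={matched}")
```

With allow_all enabled, user1@wombat is allowed and the matched list names
allow_all rather than the restricted rule, which is exactly Joe's symptom.
With it disabled, only user1@foobar over sshd is allowed; user1 on wombat, a
user outside the group, and a service the rule does not list are all denied.
One caveat before disabling allow_all on a real server: because HBAC has no
deny rules and no implicit admin exception, make sure a rule covering your
administrators exists first, or you lock them out along with the students.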
