[Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
Joe Linoff
jlinoff at tabula.com
Mon Jun 4 13:21:04 UTC 2012
Thank you both. Turning off allow_all did the trick. Now everything works perfectly.
This tool rocks!
Thanks,
Joe
-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com]
Sent: Monday, June 04, 2012 5:10 AM
To: Martin Kosek
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts
On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:
> On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> > Hi:
> >
> > I am a newbie that is trying out FreeIPA for the first time. So far
> > I am extremely impressed with this system but I ran into a problem
> > that I need some help with. I am trying to figure out how to use HBAC to
> > restrict a set of users to a specific set of hosts but I am not
> > having any success.
> >
> > Here is the problem statement:
> >
> > I have 2 users: “user1” and “user2” that should only be able to
> > access the host “foobar” on my network. There are many other
> > possible hosts (like “wombat”) that they cannot access. They can
> > login from anywhere using “ssh”.
> >
> > The goal is to restrict students to a specific set of machines.
> >
> > What I tried to do was this:
> >
> > 1. Create a user group called “restricted-users” which I could
> >    add users to.
> > 2. Create a HBAC rule named “restricted-users” that
> >    a. Defines the host I want to allow them access to
> >       (“restricted-host”).
> >    b. Defines the user group that is affected by this rule
> >       (“restricted-users”).
> >    c. Defines the services they are allowed to use on that host
> >       (including login).
> > 3. Create a user named “user1” that is enrolled in the
> >    “restricted-users” group.
> >
> > I then tried this experiment:
> >
> > 1. ssh -Y user1@foobar
> >    a. It worked like a charm. The login worked correctly.
> > 2. ssh -Y user1@wombat
> >    a. It also worked like a charm but in this case it was undesired
> >       behavior.
> >
> > I am sure that I am missing something really obvious. Any help would
> > be greatly appreciated.
> >
> > Errata:
> >
> > 1. OS: CentOS 6.2
> > 2. FreeIPA: v2.1.3 (9el6)
> >
> > Thank you,
> >
> > Joe
> >
>
> Hello Joe,
>
> did you disable the default allow_all HBAC rule?
>
> # ipa hbacrule-show allow_all
> Rule name: allow_all
> User category: all
> Host category: all
> Source host category: all
> Service category: all
> Description: Allow all users to access any host from any host
> Enabled: TRUE
>
> With this rule disabled, the policy you described should be properly
> enforced. When testing HBAC rules you may want to try the CLI and Web UI
> interfaces to the hbactest command, which can help you to test who can use
> what service on which machine and also which rules matched when the
> access was allowed.
If you're still experiencing problems after disabling the default allow_all rule, please submit the relevant section of /var/log/secure so we can see if anything peculiar is occurring in the PAM authentication and authorization.
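Why the narrow rule alone did not help: HBAC rules are allow-only, so access is granted as soon as any enabled rule matches, and an enabled allow_all matches everything. The following is an added Python model of that evaluation (not FreeIPA's own code); it assumes the ssh logins map to the sshd HBAC service, omits source-host matching, and uses constructed users and hosts mirroring the thread.

```python
from dataclasses import dataclass, field

# Simplified model of FreeIPA HBAC evaluation (not FreeIPA's own code).
# HBAC rules are allow-only: access is granted when ANY enabled rule
# matches, so a narrow rule cannot override an enabled allow_all.
# Source-host matching (present in 2.1) is left out for brevity.

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # direct user members
    user_groups: set = field(default_factory=set)  # member user groups
    hosts: set = field(default_factory=set)        # member hosts
    services: set = field(default_factory=set)     # HBAC services, e.g. sshd
    user_cat_all: bool = False     # "User category: all"
    host_cat_all: bool = False     # "Host category: all"
    service_cat_all: bool = False  # "Service category: all"

def rule_matches(rule, user, user_groups, host, service):
    """True when user, host and service each satisfy the rule."""
    user_ok = rule.user_cat_all or user in rule.users or bool(user_groups & rule.user_groups)
    host_ok = rule.host_cat_all or host in rule.hosts
    svc_ok = rule.service_cat_all or service in rule.services
    return user_ok and host_ok and svc_ok

def hbactest(rules, user, user_groups, host, service):
    """Mimic `ipa hbactest`: (access granted?, names of matched rules)."""
    matched = [r.name for r in rules
               if r.enabled and rule_matches(r, user, user_groups, host, service)]
    return bool(matched), matched

# Constructed sample: user1/user2 are in restricted-users, which may only use sshd on foobar.
GROUPS = {"user1": {"restricted-users"}, "user2": {"restricted-users"}}

def check(host, user="user1", service="sshd", allow_all_enabled=True):
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         user_cat_all=True, host_cat_all=True, service_cat_all=True)
    restricted = HbacRule("restricted-users", user_groups={"restricted-users"},
                          hosts={"foobar"}, services={"sshd"})
    return hbactest([allow_all, restricted], user, GROUPS.get(user, set()), host, service)

if __name__ == "__main__":
    for enabled in (True, False):
        for host in ("foobar", "wombat"):
            granted, rules = check(host, allow_all_enabled=enabled)
            print(f"allow_all enabled={enabled} user1@{host}: "
                  f"{'ALLOW' if granted else 'DENY'} via {rules}")
```

With allow_all enabled, user1@wombat is granted purely via allow_all; once it is disabled, only foobar over sshd remains allowed, which is the behaviour the real `ipa hbactest` output should also show.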