[Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

Joe Linoff jlinoff at tabula.com
Mon Jun 4 13:21:04 UTC 2012


Thank you both. Turning off allow_all did the trick. Now everything works perfectly.

This tool rocks!

Thanks,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com] 
Sent: Monday, June 04, 2012 5:10 AM
To: Martin Kosek
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

On Mon, 2012-06-04 at 08:39 +0200, Martin Kosek wrote:
> On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> > Hi:
> > 
> > I am a newbie that is trying out FreeIPA for the first time. So far
> > I am extremely impressed with this system but I ran into a problem
> > that I need some help with. I am trying to figure out how to use HBAC to
> > restrict a set of users to a specific set of hosts but I am not
> > having any success.
> > 
> > Here is the problem statement:
> > 
> > I have 2 users: “user1” and “user2” that should only be able to
> > access the host “foobar” on my network. There are many other
> > possible hosts (like “wombat”) that they cannot access. They can
> > login from anywhere using “ssh”.
> > 
> > The goal is to restrict students to a specific set of machines.
> > 
> > What I tried to do was this:
> > 
> > 1. Create a user group called “restricted-users” which I could
> >    add users to.
> > 
> > 2. Create a HBAC rule named “restricted-users” that
> > 
> >    a. Defines the host I want to allow them access to
> >       (“restricted-host”).
> > 
> >    b. Defines the user group that is affected by this rule
> >       (“restricted-users”).
> > 
> >    c. Defines the services they are allowed to use on that host
> >       (including login).
> > 
> > 3. Create a user named “user1” that is enrolled in the
> >    “restricted-users” group.
> > 
> > I then tried this experiment:
> > 
> > 1. ssh -Y user1 at foobar
> > 
> >    a. It worked like a charm. The login worked correctly.
> > 
> > 2. ssh -Y user1 at wombat
> > 
> >    a. It also worked like a charm but in this case it was undesired
> >       behavior.
> > 
> > I am sure that I am missing something really obvious. Any help would
> > be greatly appreciated.
> > 
> > Errata:
> > 
> > 1. OS: CentOS 6.2
> > 
> > 2. FreeIPA: v2.1.3 (9el6)
> > 
> > Thank you,
> > 
> > Joe
> > 
> 
> Hello Joe,
> 
> did you disable default allow_all HBAC rule?
> 
> # ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   Host category: all
>   Source host category: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
> 
> With this rule disabled, the policy you described should be properly 
> enforced. When testing HBAC rules you may want to try CLI and Web UI 
> interface to hbactest command, which can help you to test who can use 
> what service on which machine and also which rules did match when the 
> access was allowed.


If you're still experiencing problems after disabling the default allow_all rule, please submit the relevant section of /var/log/secure so we can see if anything peculiar is occurring in the PAM authentication and authorization.
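The reason disabling allow_all fixes Joe's setup is that every HBAC rule is an allow rule and access is granted as soon as any enabled rule matches, so a wide-open rule makes the narrower "restricted-users" rule irrelevant. The following is an added example, written for this page and not code from the thread or from FreeIPA itself: a simplified model of that evaluation order, with constructed users, hosts and rules mirroring the ones discussed above. The rule fields and the hbactest-style "which rules matched" output are an approximation of FreeIPA's behaviour, not its implementation.

```python
# Added example (not FreeIPA code): a minimal model of HBAC rule evaluation.
# All rules are allow rules; a request is permitted if ANY enabled rule
# matches the (user, host, service) triple. Nothing here is a deny rule.
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    # A "category all" flag stands for "User category: all" etc. as shown by
    # `ipa hbacrule-show`; otherwise the explicit member sets are consulted.
    user_category_all: bool = False
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    host_category_all: bool = False
    hosts: set = field(default_factory=set)
    service_category_all: bool = False
    services: set = field(default_factory=set)

    def matches(self, user, user_groups, host, service):
        """True if this (enabled) rule allows `user` to use `service` on `host`."""
        if not self.enabled:
            return False
        user_ok = (self.user_category_all or user in self.users
                   or bool(user_groups & self.groups))
        host_ok = self.host_category_all or host in self.hosts
        svc_ok = self.service_category_all or service in self.services
        return user_ok and host_ok and svc_ok


def matching_rules(rules, memberships, user, host, service):
    """Names of the enabled rules that allow the request (what hbactest reports)."""
    groups = memberships.get(user, set())
    return [r.name for r in rules if r.matches(user, groups, host, service)]


def access_allowed(rules, memberships, user, host, service):
    """Access is granted if at least one enabled rule matches."""
    return bool(matching_rules(rules, memberships, user, host, service))


# Constructed sample data mirroring the thread: user1/user2 belong to
# restricted-users, which should only reach host foobar over ssh.
MEMBERSHIPS = {"user1": {"restricted-users"}, "user2": {"restricted-users"}}


def build_rules(allow_all_enabled):
    """The default allow_all rule plus the narrower restricted-users rule."""
    allow_all = HbacRule("allow_all", enabled=allow_all_enabled,
                         user_category_all=True, host_category_all=True,
                         service_category_all=True)
    restricted = HbacRule("restricted-users", groups={"restricted-users"},
                          hosts={"foobar"}, services={"sshd", "login"})
    return [allow_all, restricted]


def demo():
    """Which rules match user1 before and after disabling allow_all."""
    before = matching_rules(build_rules(True), MEMBERSHIPS, "user1", "wombat", "sshd")
    after_wombat = matching_rules(build_rules(False), MEMBERSHIPS, "user1", "wombat", "sshd")
    after_foobar = matching_rules(build_rules(False), MEMBERSHIPS, "user1", "foobar", "sshd")
    return before, after_wombat, after_foobar


if __name__ == "__main__":
    before, after_wombat, after_foobar = demo()
    print("allow_all enabled,  user1 -> wombat matched:", before)
    print("allow_all disabled, user1 -> wombat matched:", after_wombat)
    print("allow_all disabled, user1 -> foobar matched:", after_foobar)
```

With allow_all enabled the wombat login is matched by allow_all alone, which is exactly the "undesired behaviour" Joe saw; once it is disabled only the foobar login matches, via the restricted-users rule. On a real server the same check is `ipa hbactest --user=user1 --host=wombat --service=sshd` after `ipa hbacrule-disable allow_all`, and if a login still gets through unexpectedly, the matched-rule list from hbactest is the first thing to compare against /var/log/secure.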



