[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

KodaK sakodak at gmail.com
Tue Jul 9 22:01:22 UTC 2013


On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 07/09/2013 03:57 PM, KodaK wrote:
>
>
>
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>
>>
>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>> I think you need to use pam_access to limit users in AIX.
>>
>>
>  I have some work-arounds now, but I'd like to find a way to automate
> them.  What I need is a way to ask IPA "who is allowed to access this
> particular server?"
>
>  The goal is to just get a list of allowed users, then there are various
> mechanisms I can employ to allow access to only the listed users.  I plan
> to do this from the puppet master so I can push the configs from there.
> I have ipa-admintools and openldap-clients installed on the puppet master.
>
>  Right now I'm iterating through all the hbacrules and grepping for the
> server in question, then getting the details of that rule.  This is a lot
> of requests.
>
>
>
> A valid RFE I would say...
> Maybe it should be an enhancement for the hbac-test tool?
> However getting a list of the users verbatim is probably costly too.
> Maybe it would make sense for you to create a group of AIX users in IPA
> and then fetch it from the puppet master and traverse its memberOf attribute
> for a list of members?
> It will not use HBAC but still would provide some access control
> optimization.
> Will that solve the problem for you?
>

I thought about that, but there are some drawbacks.  I don't have "a" group
of AIX users that access all AIX machines.  I have a bunch of different AIX
machines with different user sets.  I can create a group for each host
called hostname_access -- but then I'm just replicating (quite
inefficiently) information that already exists in the HBAC rules.  I can
probably create one rule per host in HBAC and query that particular rule
for the allowed users, but this loses the benefit of being able to use host
and user groups.  This is probably where we'll end up, though, since it's
the least-effort-to-implement (if worst to maintain) option.

How does sssd determine if a user is allowed access?  Another option may be
to replicate that functionality in a program or script on the puppet master
and have it populate some files once a day or so.  Alternately we could
write a PAM module for AIX that replicates that functionality.  Right now,
though, I have no idea how it's done in SSSD (a pointer to where it is in
the code would be helpful, even.)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
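The question in the message above (how to answer "who is allowed on this host?" without grepping every HBAC rule, and how an evaluator like SSSD decides a match) can be worked through with a small evaluator that applies the documented HBAC semantics: an enabled allow rule grants access when its host part, its user part and its service part all match, where each part is either the category ALL or an explicit member list, and group membership is nested. The script below is an added example, not code from the thread or from the FreeIPA or SSSD projects. The rules, user groups, host groups and service groups are constructed sample data embedded inline (field names loosely follow the rule's LDAP attributes); a real run would fetch them from the IPA server, e.g. with ipa hbacrule-find --all, and the ipa hbactest command already answers the single-user/host/service form of the question.

```python
"""Resolve "which users may reach host H via service S" from IPA HBAC rules.

Added example with constructed data. Evaluates enabled allow rules only:
a rule matches when host, user and service each match (category "all" or
explicit membership, with nested groups). Deny rules and rule priorities
are deliberately not modelled.
"""
from dataclasses import dataclass, field

# --- constructed sample directory data (not from a real IPA server) ---
USER_GROUPS = {
    "aix-admins": {"member_user": {"alice", "bob"}, "member_group": set()},
    "dba":        {"member_user": {"carol"},        "member_group": set()},
    "ops":        {"member_user": {"dave"},         "member_group": {"aix-admins"}},  # nested
}
HOST_GROUPS = {
    "aix-prod": {"member_host": {"aix01.example.com", "aix02.example.com"}, "member_hostgroup": set()},
    "all-aix":  {"member_host": set(), "member_hostgroup": {"aix-prod"}},  # nested
}
SERVICE_GROUPS = {
    "remote-login": {"sshd", "telnet", "login"},
}


@dataclass
class Rule:
    cn: str
    enabled: bool = True
    usercategory: str = ""     # "all" or "" (explicit members)
    hostcategory: str = ""
    servicecategory: str = ""
    memberuser_user: set = field(default_factory=set)
    memberuser_group: set = field(default_factory=set)
    memberhost_host: set = field(default_factory=set)
    memberhost_hostgroup: set = field(default_factory=set)
    memberservice_hbacsvc: set = field(default_factory=set)
    memberservice_hbacsvcgroup: set = field(default_factory=set)


HBAC_RULES = [
    # The default allow_all rule, disabled as it should be in a locked-down realm.
    Rule("allow_all", enabled=False, usercategory="all", hostcategory="all", servicecategory="all"),
    Rule("ops_all_aix", memberuser_group={"ops"}, memberhost_hostgroup={"all-aix"},
         memberservice_hbacsvcgroup={"remote-login"}),
    Rule("dba_aix01_ssh", memberuser_group={"dba"}, memberhost_host={"aix01.example.com"},
         memberservice_hbacsvc={"sshd"}),
    Rule("eve_telnet_aix02", memberuser_user={"eve"}, memberhost_host={"aix02.example.com"},
         memberservice_hbacsvc={"telnet"}),
    Rule("everyone_console", usercategory="all", hostcategory="all", memberservice_hbacsvc={"login"}),
]


def _expand(groups, start, member_key, subgroup_key):
    """Transitively collect direct members of nested groups (cycle-safe)."""
    seen, out, todo = set(), set(), list(start)
    while todo:
        g = todo.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        out |= groups[g][member_key]
        todo.extend(groups[g][subgroup_key])
    return out


def rule_matches_host(rule, host):
    return (rule.hostcategory == "all" or host in rule.memberhost_host
            or host in _expand(HOST_GROUPS, rule.memberhost_hostgroup, "member_host", "member_hostgroup"))


def rule_matches_service(rule, service):
    if rule.servicecategory == "all" or service in rule.memberservice_hbacsvc:
        return True
    return any(service in SERVICE_GROUPS.get(g, set()) for g in rule.memberservice_hbacsvcgroup)


@dataclass(frozen=True)
class Access:
    everyone: bool      # True when a matching rule has usercategory "all"
    users: frozenset    # explicitly granted users (empty when everyone is True)


def allowed_users(host, service, rules=HBAC_RULES):
    """Users allowed on `host` via `service` under the enabled allow rules."""
    users = set()
    for r in rules:
        if not r.enabled or not rule_matches_host(r, host) or not rule_matches_service(r, service):
            continue
        if r.usercategory == "all":
            return Access(True, frozenset())
        users |= r.memberuser_user
        users |= _expand(USER_GROUPS, r.memberuser_group, "member_user", "member_group")
    return Access(False, frozenset(users))


def user_allowed(user, host, service, rules=HBAC_RULES):
    """Single-decision form, the shape a PAM module or hbactest-style check needs."""
    a = allowed_users(host, service, rules)
    return a.everyone or user in a.users


if __name__ == "__main__":
    for host in ("aix01.example.com", "aix02.example.com"):
        a = allowed_users(host, "telnet")
        print(host, "telnet:", "ALL USERS" if a.everyone else ",".join(sorted(a.users)))
```

The per-host list that allowed_users returns is what a puppet master would render into the AIX-side allow mechanism (pam_access or the like) for that host; regenerating it from the rules rather than from a per-host group keeps host groups and user groups usable. The "everyone" outcome is kept distinct from an empty set on purpose: a matching usercategory=all rule is not the same as "no users", and a generator that silently turned it into an empty allow list would lock the host down, while one that turned an empty list into "everyone" would open it up.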