[Freeipa-users] RFE: default hbac is too open

Артур Файзуллин arthur at deus.pro
Tue Mar 5 06:18:08 UTC 2013


What rule must be present for a replica to work? :) (in order to remove
the allow-all rule)
I mean, maybe there is a guide somewhere on writing rules for strict
allows?

On Fri, 30/11/2012 at 13:24 -0500, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > the default hbac rule 'allow_all' is nice for testing, but for a
> > production environment I am not so sure ;-)
> >
> > We do not want our users getting a shell in our kdc servers or in the
> > database servers for instance. We want them to use the postgresql
> > service, but not login the database server with a shell. Many more
> > examples are conceivable, of course.
> >
> > Is it possible to have this policy adapted to 'everything but ssh' for
> > instance? That is, disable ssh logins unless explicitly allowed by
> > another policy. This would be the equivalent of 'Remote Desktop Users'
> > in an AD domain. Users may log in at the console everywhere (their
> > workstations), but if they need to log in interactively on a server
> > then they need to be a member of this group. This does not prevent
> > them from using other resources like shares, printers, e-mail,
> > databases, ...
> >
> > I am just afraid that unless this becomes the default during the
> > installation, most ipa environments will stay like this which could be
> > an unexpected security problem. No one but kerberos admins should have
> > shell access to the kdc in a kerberos realm.
> 
> Our expectation was that this default rule would be deleted by sites 
> that want to use HBAC, and that specially crafted rules would replace 
> it. There is an install option to not create this rule at all, 
> --no_hbac_allow.
> 
> Still, your suggestion makes sense. Better to be secure out-of-the-box.
> 
> I created an enhancement ticket for this, 
> https://fedorahosted.org/freeipa/ticket/3278
> 
> The tricky part is probably going to be around replicas, automatically 
> adding and removing access to them for the rule.
> 
> rob
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
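One way to do what the thread asks for, as an added example that is not part of the original post or of the FreeIPA project: replace the default allow_all HBAC rule with an explicit rule that lets only an admin group reach sshd/sudo on the IPA servers (masters and replicas, which is the part Rob flags as tricky), plus a rule that lets everyone log in at the console of a workstation. The group name `admins`, the host groups `ipa_servers` and `workstations`, the user `alice` and the host `ipa1.example.test` are assumptions; the `ipa` sub-commands and their options are the standard FreeIPA CLI. Setting `IPA=echo` prints the commands instead of running them, so the plan can be reviewed before it touches the realm.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): replace the
# default allow_all HBAC rule with explicit rules via the ipa CLI.
# Group, host group, user and host names below are assumptions; adjust them.
# Run with "apply" to execute; set IPA=echo to print the commands instead.
set -eu

ADMIN_GROUP="${ADMIN_GROUP:-admins}"              # assumed: who may get a shell on servers
SERVER_HG="${SERVER_HG:-ipa_servers}"             # assumed host group of every IPA master/replica
WS_HG="${WS_HG:-workstations}"                    # assumed host group of user workstations
TEST_USER="${TEST_USER:-alice}"                   # assumed non-admin account used by hbactest
TEST_SERVER="${TEST_SERVER:-ipa1.example.test}"   # assumed replica FQDN

# Wrapper so the whole plan can be dry-run with IPA=echo.
ipa_cmd() { "${IPA:-ipa}" "$@"; }

# 1. Admins may ssh and sudo on every IPA server. Because HBAC rules match
#    hosts explicitly, a replica added later must also be put into $SERVER_HG
#    or it falls outside this rule once allow_all is gone.
add_server_rule() {
    ipa_cmd hbacrule-add allow_admin_ssh --desc="shell access to IPA servers for admins"
    ipa_cmd hbacrule-add-user allow_admin_ssh --groups="$ADMIN_GROUP"
    ipa_cmd hbacrule-add-host allow_admin_ssh --hostgroups="$SERVER_HG"
    ipa_cmd hbacrule-add-service allow_admin_ssh --hbacsvcs=sshd --hbacsvcs=sudo
}

# 2. Everyone may log in at the console of a workstation, but sshd is not
#    in the service list, so remote shells on workstations need another rule.
add_workstation_rule() {
    ipa_cmd hbacrule-add allow_console --desc="console login on workstations" --usercat=all
    ipa_cmd hbacrule-add-host allow_console --hostgroups="$WS_HG"
    ipa_cmd hbacrule-add-service allow_console --hbacsvcs=login --hbacsvcs=gdm
}

# 3. Simulate the new policy before the permissive rule is touched.
#    hbactest prints "Access granted: True/False"; restricting it to the new
#    rule shows what will apply once allow_all is disabled. The "|| :" keeps
#    set -e from aborting on a denial, which is the expected outcome for alice.
check_policy() {
    ipa_cmd hbactest --user="$TEST_USER" --host="$TEST_SERVER" --service=sshd \
        --rules=allow_admin_ssh || :
}

# 4. Disable rather than delete allow_all so the change is reversible.
#    (At install time the rule can be skipped with --no_hbac_allow, as Rob notes.)
disable_allow_all() {
    ipa_cmd hbacrule-disable allow_all
}

# Order matters: create and test the replacement rules first, then close allow_all,
# so an admin session is never left without a matching rule.
lock_down_hbac() {
    add_server_rule
    add_workstation_rule
    check_policy
    disable_allow_all
}

case "${1:-}" in
    apply) lock_down_hbac ;;
esac
```

Run `IPA=echo sh lockdown.sh apply` first to review the generated commands, then without `IPA=echo` as a user holding admin Kerberos credentials; re-run the `hbactest` step for each service and host class you care about before relying on the rules.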