[Freeipa-users] RFE: default hbac is too open

Martin Kosek mkosek at redhat.com
Wed Mar 6 07:57:50 UTC 2013


On 03/05/2013 10:13 PM, Matthew Barr wrote:
> 
> On Mar 5, 2013, at 9:15 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> 
>> Артур Файзуллин wrote:
>>> What rule must be present for replica to work? :) (in order to remove
>>> allow-all rule)
>>> I mean may be there is somewhere a guide to write rules for strict
>>> allows?
>>
>> During the installation we check that communication works between the two servers, so ssh is needed between masters (https://fedorahosted.org/freeipa/ticket/3298). You should be able to use --skip-conncheck to avoid this.
>>
>> I don't think we have any suggestions for rules, just documentation on how to write them in general.
> 
> 
> However, you could probably make a class of users - admins, for example - that can SSH to the KDCs.  Who else would be making new replicas? You need the master passwords IIRC.

We already have a pre-created group "admins" which should contain all users
with admin privileges. You can use that group to create an HBAC rule assigning
these users SSH access to the IPA servers. We just lack an automatically
maintained hostgroup with all IPA masters that could be used in such an HBAC rule
- you would have to maintain it manually for now. There is a relevant RFE
ticket though if you are interested:

https://fedorahosted.org/freeipa/ticket/3416

> 
> 
> I would really love to have the ability to easily give certain classes of users SSH, and potentially only on certain servers.  
> 
> 
> That, plus the ability to change and set your password without ever logging into a system will allow us to really use IPA effectively.    (We have users that don't use linux, and are in IPA only for LDAP & Kerberos auth against web apps.)

This use case should already be solved. Such users can log in to the Web UI and
change their passwords in a self-service page. Since FreeIPA 3.0+, they can
also reset their password via the Web UI in case it has expired and thus cannot be
used to log in to the self-service page.

HTH,
Martin
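A worked `ipa` CLI sequence for the setup described above (admins group, manually maintained hostgroup of masters, HBAC rule for sshd, checked with `ipa hbactest` before `allow_all` is disabled). This is an added example, not code from the thread; the hostgroup name `ipaservers`, the rule name `admins_ssh_masters` and the host names passed in are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: hostgroup "ipaservers",
# HBAC rule "admins_ssh_masters". Requires an admin Kerberos ticket (kinit admin).

HOSTGROUP=ipaservers
RULE=admins_ssh_masters

# The hostgroup of IPA masters is not maintained automatically yet (ticket 3416),
# so it is created and populated by hand; pass the master FQDNs as arguments.
create_masters_hostgroup() {
    ipa hostgroup-add "$HOSTGROUP" --desc="IPA masters (maintained manually)"
    for h in "$@"; do
        ipa hostgroup-add-member "$HOSTGROUP" --hosts="$h"
    done
}

# Rule: members of the pre-created "admins" group may use sshd on the masters.
create_admins_ssh_rule() {
    ipa hbacrule-add "$RULE" --desc="admins may SSH to IPA masters"
    ipa hbacrule-add-user "$RULE" --groups=admins
    ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
    ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# Simulate access for a user/host pair against the new rule only (what would
# happen once allow_all is gone); prints hbactest's verdict and matched rules.
simulate_access() {  # $1 = user, $2 = host FQDN
    ipa hbactest --user="$1" --host="$2" --service=sshd --rules="$RULE"
}

# Parse hbactest output on stdin; succeeds only on an explicit "Access granted: True".
access_granted() {
    grep -q '^Access granted: True$'
}

# Only disable the open default rule after the simulation for an admin passed.
disable_allow_all_if_ok() {  # $1 = admin user, $2 = one master FQDN
    if simulate_access "$1" "$2" | access_granted; then
        ipa hbacrule-disable allow_all
    else
        echo "refusing to disable allow_all: $1 would be locked out of $2" >&2
        return 1
    fi
}
```

Run it as `create_masters_hostgroup ipa1.example.com ipa2.example.com; create_admins_ssh_rule; disable_allow_all_if_ok admin ipa1.example.com` (host names are placeholders).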