[Freeipa-users] HBAC - Limit SSH access to "test" systems

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 30 09:38:52 UTC 2015


On Mon, 30 Nov 2015, Alexander Skwar wrote:
>Hello
>
>I'm trying to set up our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04
>FreeIPA 3.3.4 clients so that users in a user group called "customers"
>can only access hosts which are in a host group called "test". Users
>from the user group "ops" should be able to access all systems (i.e.
>"prod" systems and also those "test" systems).
>
>But I cannot get my head around to create proper HBAC rules/setup…
>
>Could somebody maybe lend me a helping hand?
>
>At the moment, I have set it up so that I modified the "prod" systems'
>sshd_config and added "DenyGroups customer" there. On the test systems,
>I don't have that line. That works, but it's not using IPA (in a sense…
>I do have to modify the host's configuration on the system, which I
>dislike. Granted, with Chef, it's not much, but still *G*).
HBAC is enforced by SSSD over PAM. All you need to ensure is that the
application (sshd in this case) uses PAM. Then you set up HBAC rules,
disable the allow_all rule, and SSSD will verify the rules on logon via
sshd, checking all rules for the service 'sshd' that apply to this host
(via a hostgroup or to all hosts).

-- 
/ Alexander Bokovoy
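The reply above describes the setup in prose. As an added example, not code from the thread or from FreeIPA itself, the docstring below lists the `ipa` CLI commands that create the two rules and disable `allow_all`, and the Python that follows models how SSSD then decides an sshd login for the thread's "customers" and "ops" groups. The rule names (`customers_to_test`, `ops_everywhere`), the user names, the hostnames and the group memberships are assumptions made for the illustration; the directory data is constructed inline so the model runs offline.

```python
"""FreeIPA HBAC for the thread's scenario (added example, not thread code).

Equivalent ipa CLI commands; rule names, hostnames and users are assumed:

  ipa hbacrule-disable allow_all
  ipa hbacrule-add customers_to_test
  ipa hbacrule-add-user    customers_to_test --groups=customers
  ipa hbacrule-add-host    customers_to_test --hostgroups=test
  ipa hbacrule-add-service customers_to_test --hbacsvcs=sshd
  ipa hbacrule-add ops_everywhere --hostcat=all --servicecat=all
  ipa hbacrule-add-user ops_everywhere --groups=ops
  ipa hbactest --user=alice --host=prod1.example.com --service=sshd
"""
from dataclasses import dataclass, field, replace


@dataclass
class HbacRule:
    """One HBAC rule as stored in IPA: who, on which hosts, for which
    PAM service. A category of "all" makes that dimension match anything
    (--usercat=all / --hostcat=all / --servicecat=all); otherwise only
    the listed members or groups match."""
    name: str
    enabled: bool = True
    usercat: str = ""
    hostcat: str = ""
    servicecat: str = ""
    users: set = field(default_factory=set)
    user_groups: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    host_groups: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, user, user_groups, host, host_groups, service):
        if not self.enabled:
            return False
        user_ok = (self.usercat == "all" or user in self.users
                   or bool(self.user_groups & user_groups))
        host_ok = (self.hostcat == "all" or host in self.hosts
                   or bool(self.host_groups & host_groups))
        svc_ok = self.servicecat == "all" or service in self.services
        return user_ok and host_ok and svc_ok


# Constructed directory data (assumed, not from the thread). Membership is
# shown already flattened, which is how SSSD resolves nested groups.
USER_GROUPS = {"alice": {"customers"}, "bob": {"ops"}, "mallory": set()}
HOST_GROUPS = {"test1.example.com": {"test"}, "prod1.example.com": {"prod"}}

RULES = [
    # The default rule, turned off with: ipa hbacrule-disable allow_all
    HbacRule("allow_all", enabled=False,
             usercat="all", hostcat="all", servicecat="all"),
    # customers may use sshd on hosts in the "test" hostgroup only
    HbacRule("customers_to_test", user_groups={"customers"},
             host_groups={"test"}, services={"sshd"}),
    # ops may use every PAM service on every enrolled host
    HbacRule("ops_everywhere", user_groups={"ops"},
             hostcat="all", servicecat="all"),
]


def matching_rules(rules, user, host, service="sshd"):
    """Names of the enabled rules that grant this access (what
    `ipa hbactest` reports as matched rules)."""
    ug = USER_GROUPS.get(user, set())
    hg = HOST_GROUPS.get(host, set())
    return [r.name for r in rules if r.matches(user, ug, host, hg, service)]


def hbac_allows(rules, user, host, service="sshd"):
    """SSSD's decision in the PAM account phase: access is granted iff at
    least one enabled rule matches user, host and service. HBAC has no
    deny rules, so with allow_all disabled the default is deny."""
    return bool(matching_rules(rules, user, host, service))


def with_allow_all_enabled(rules):
    """Same rule set with allow_all left enabled, to show why the reply
    says to disable it: it matches everyone, everywhere, for everything."""
    return [replace(r, enabled=True) if r.name == "allow_all" else r
            for r in rules]


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        for host in HOST_GROUPS:
            verdict = "ALLOW" if hbac_allows(RULES, user, host) else "DENY"
            print(f"{user:8} sshd@{host:18} {verdict:5} "
                  f"via {matching_rules(RULES, user, host)}")
    print("alice sudo@test1.example.com ->",
          hbac_allows(RULES, "alice", "test1.example.com", "sudo"))
    print("alice sshd@prod1 with allow_all still enabled ->",
          hbac_allows(with_allow_all_enabled(RULES),
                      "alice", "prod1.example.com"))
```

Two things the model makes visible that are easy to miss when doing this on a live server: the rules only bite where sshd actually goes through PAM (`UsePAM yes` in sshd_config), and once `allow_all` is disabled every PAM service on every enrolled host is default-deny, so anything that must keep working for other groups (console logins, sudo, cron) needs a rule of its own. `ipa hbactest --user ... --host ... --service ...` evaluates a combination against the stored rules, and is worth running for a customer on a prod host and for an ops user on both kinds of host before removing the `DenyGroups` workaround.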
