[Freeipa-users] HBAC - Limit SSH access to "test" systems

Alexander Skwar alexanders.mailinglists+nospam at gmail.com
Mon Nov 30 10:18:15 UTC 2015


Hello Alexander ;)

2015-11-30 10:38 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:

> HBAC is enforced by SSSD over PAM. All you need to ensure is that an
> application (sshd in this case) uses PAM. Then you setup HBAC rules,
> disable allow_all rule, and then SSSD will verify rules on logon via
> sshd, checking all rules for service 'sshd' and applying to this host
> (via hostgroup or to all hosts).

Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
change the "default" behaviour? I mean, by default, everything will
be allowed for everyone on every system.

When I deactivate the allow_all - won't that mean that nothing will
be allowed for anyone on all systems?

Playing with the HBAC Test thingie in the web interface seems to imply
that. And because of that, I now have 3 rules:

1) allow_all_but_ssh
2) ssh_prod
3) ssh_test

1) Who: Anyone, Accessing: Any host, Via Service: Selected every
   service, but not sshd
2) Who: User groups: ops, Accessing: Host groups: prod, Via service: sshd
3) Who: Anyone, Accessing: Host groups: test, Via service: sshd

That's somewhat fine, but I dislike the "allow_all_but_ssh" rule there.
Reason: I manually have to select every service and remove sshd. But if
a new service were to be added, I'd have to remember to add it there as
well. Not cool. Even more so, because I'm not the only admin. Colleagues
would have to know this as well. Not cool².

Somehow I'm missing "deny"-rules, I think. Nice to have allow rules,
but I'm rather looking for a way to deny something :/

Don't know, but that seems to be too complicated. Or is that really the
way to do that?

Thanks a lot,

Alexander
-- 
=>        Google+ => http://plus.skwar.me         <==
=> Chat (Jabber/Google Talk) => a.skwar at gmail.com <==
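The three-rule setup described in the post, written out as `ipa` CLI commands. This is an added example, not code from the thread or from the FreeIPA project; it assumes an enrolled host with a Kerberos ticket for an admin principal, that the user group `ops` and the host groups `prod` and `test` already exist, and that `ipa hbacsvc-find --pkey-only` prints one `Service name: <name>` line per service (an assumption about the CLI's text output). The hostnames passed to `hbactest` are constructed placeholders. The order matters: the replacement rules are created first and `allow_all` is disabled last, so there is no window in which the deny-by-default state locks everyone out. The service list is a snapshot taken at creation time, which is exactly the maintenance burden the post complains about: any HBAC service added later still has to be added to `allow_all_but_ssh` by hand.

```shell
#!/bin/sh
# Added example (not from the original thread): build the three HBAC rules
# from the post with the ipa CLI, then evaluate them with `ipa hbactest`.
# Assumptions: admin Kerberos ticket, user group "ops" and host groups
# "prod"/"test" exist; hostnames below are constructed placeholders.
set -eu

# Pure filter: drop the exact line "sshd", keep everything else.
# Kept separate so it can be exercised offline without an IPA server.
exclude_sshd() {
    grep -v -x 'sshd' || true
}

# Every HBAC service known to the server except sshd (one name per line).
# Parsing "  Service name: <name>" from --pkey-only output is an assumption.
list_services_except_sshd() {
    ipa hbacsvc-find --pkey-only --sizelimit=0 \
        | sed -n 's/^ *Service name: //p' \
        | exclude_sshd
}

create_rules() {
    # 1) allow_all_but_ssh: anyone, any host, every service except sshd.
    #    usercat/hostcat=all reproduce "Who: Anyone" / "Accessing: Any host".
    ipa hbacrule-add allow_all_but_ssh --usercat=all --hostcat=all
    list_services_except_sshd | while read -r svc; do
        ipa hbacrule-add-service allow_all_but_ssh --hbacsvcs="$svc"
    done

    # 2) ssh_prod: only members of group "ops" reach host group "prod" via sshd.
    ipa hbacrule-add ssh_prod
    ipa hbacrule-add-user ssh_prod --groups=ops
    ipa hbacrule-add-host ssh_prod --hostgroups=prod
    ipa hbacrule-add-service ssh_prod --hbacsvcs=sshd

    # 3) ssh_test: anyone reaches host group "test" via sshd.
    ipa hbacrule-add ssh_test --usercat=all
    ipa hbacrule-add-host ssh_test --hostgroups=test
    ipa hbacrule-add-service ssh_test --hbacsvcs=sshd

    # Switch off the default rule only after the replacements exist;
    # from this point on anything not matched by an allow rule is denied.
    ipa hbacrule-disable allow_all
}

# Ask the server to evaluate the rule set for user / host / service.
# Prints "Access granted" or "Access denied" plus the matched rules.
check_access() {
    ipa hbactest --user="$1" --host="$2" --service="$3"
}

# Only talk to the server when explicitly asked: `sh hbac-example.sh apply`.
if [ "${1:-}" = "apply" ]; then
    create_rules
    check_access alice prod1.example.test sshd   # denied unless alice is in ops
    check_access alice test1.example.test sshd   # granted via ssh_test
    check_access alice prod1.example.test login  # granted via allow_all_but_ssh
fi
```

Run it once with `apply` from a host that has the `ipa` client tools and an admin ticket; the three `hbactest` calls at the end are the CLI equivalent of the web UI's "HBAC Test" page and are a cheap way to confirm the rules before anyone logs out. Because HBAC has allow rules only, a check like `hbactest` against a user who is not in `ops` is the practical way to verify that the intended denial actually holds.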