[Freeipa-users] HBAC - Limit SSH access to "test" systems

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 30 10:58:06 UTC 2015


On Mon, 30 Nov 2015, Alexander Skwar wrote:
>Hello Alexander ;)
>
>2015-11-30 10:38 GMT+01:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> HBAC is enforced by SSSD over PAM. All you need to ensure is that an
>> application (sshd in this case) uses PAM. Then you set up HBAC rules,
>> disable the allow_all rule, and then SSSD will verify rules on logon via
>> sshd, checking all rules for service 'sshd' and applying to this host
>> (via hostgroup or to all hosts).
>
>Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
>change the "default" behaviour? I mean, by default, everything will
>be allowed for everyone on every system.
>
>When I deactivate the allow_all - won't that mean that nothing will
>be allowed for everyone on all systems?
Yes. The HBAC system is built around a simple principle: everything is
denied unless allowed explicitly with specific rules.

We supply the 'allow_all' rule for defaults, and it is your duty to create
HBAC rules which suit your deployment needs.

>Playing with the HBAC Test thingie in the web interface seems to imply
>that. And because of that, I now have 3 rules:
>
>1) allow_all_but_ssh
>2) ssh_prod
>3) ssh_test
>
>1) Who: Anyone, Accessing: Any host, Via Service: Selected every
>   service, but not sshd
>2) Who: User groups: ops, Accessing: Host groups: prod, Via service: sshd
>3) Who: Anyone, Accessing: Host groups: test, Via service: sshd
>
>That's somewhat fine, but I dislike the "allow_all_but_ssh" rule there.
>Reason: I manually have to select every service and remove sshd. But if
>a new service were to be added, I'd have to remember to add it there as
>well. Not cool. Even more so, because I'm not the only admin. Colleagues
>would have to know this as well. Not cool².
>
>Somehow I'm missing "deny"-rules, I think. Nice to have allow rules,
>but I'm rather looking for a way to deny something :/
>
>Don't know, but that seems to be too complicated. Or is that really the
>way to do that?
Deny rules complicate things a lot, really. You can create a service
group that includes all your services but sshd and assign that service
group to an allow rule. Maintaining a service group is less problematic
than looking into what rules deny/allow. Consider also the contextual
problem of what to do if HBAC rules become unavailable -- should the
unavailability of a deny rule be treated as allow or not? We chose to
define deny by default and add allow rules on top of it.

All this is covered in IPA documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

-- 
/ Alexander Bokovoy
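One way to implement the service-group approach suggested in the reply, with the group rebuilt from the live service list so the "remember to add the new service" problem from the question goes away. This is an added example, not code from either poster: the service group name all_but_sshd and the resync-from-cron idea are assumptions, while the rule, user group and hostgroup names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: keep an HBAC service group equal
# to "every HBAC service except sshd" from the live service list, so a new
# service lands in the allow rule without manual editing. Assumes a kinit'ed
# admin; the group name all_but_sshd is chosen here, rule names are the thread's.
EXCLUDED_SVC="sshd"
SVCGROUP="all_but_sshd"

# Pull the "Service name:" values out of `ipa hbacsvc-find` output.
parse_hbacsvc_find() { sed -n 's/^ *Service name: *//p'; }
# Drop the excluded service, dedupe, emit a comma list for --hbacsvcs=.
members_except_excluded() {
    grep -vx "$EXCLUDED_SVC" | sort -u | tr '\n' ',' | sed 's/,$//'
}

# Constructed sample in the layout `ipa hbacsvc-find` prints (not real output).
SAMPLE_FIND_OUTPUT='  Service name: sudo
  Description: sudo

  Service name: sshd
  Service name: crond'
sample_members() {
    printf '%s\n' "$SAMPLE_FIND_OUTPUT" | parse_hbacsvc_find | members_except_excluded
}
# Re-run whenever HBAC services change (e.g. from cron).
sync_svcgroup() {
    ipa hbacsvcgroup-show "$SVCGROUP" >/dev/null 2>&1 ||
        ipa hbacsvcgroup-add "$SVCGROUP" --desc="All HBAC services except $EXCLUDED_SVC"
    members=$(ipa hbacsvc-find --sizelimit=0 | parse_hbacsvc_find | members_except_excluded)
    # Already-present members are listed as "Failed members" with non-zero exit; harmless.
    ipa hbacsvcgroup-add-member "$SVCGROUP" --hbacsvcs="$members" || :
}

# One-time setup of the thread's three rules, a simulation, then drop allow_all.
create_rules() {
    ipa hbacrule-add allow_all_but_ssh --usercat=all --hostcat=all
    ipa hbacrule-add-service allow_all_but_ssh --hbacsvcgroups="$SVCGROUP"
    ipa hbacrule-add ssh_prod
    ipa hbacrule-add-user ssh_prod --groups=ops
    ipa hbacrule-add-host ssh_prod --hostgroups=prod
    ipa hbacrule-add-service ssh_prod --hbacsvcs=sshd
    ipa hbacrule-add ssh_test --usercat=all
    ipa hbacrule-add-host ssh_test --hostgroups=test
    ipa hbacrule-add-service ssh_test --hbacsvcs=sshd
    ipa hbactest --user=someuser --host=prod01.example.test --service=sshd  # placeholders
    ipa hbacrule-disable allow_all
}
if command -v ipa >/dev/null 2>&1; then sync_svcgroup
else echo "ipa not found; from the constructed sample the group would hold: $(sample_members)"; fi
```

Run `create_rules` once by hand and put `sync_svcgroup` in cron; the `hbactest` call before disabling allow_all is the check that the rules really let the intended users in.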



