[Freeipa-users] Inconsistent results with HBAC and SSH?

Jakub Hrozek jhrozek at redhat.com
Fri May 27 07:22:17 UTC 2016


On Fri, May 27, 2016 at 01:10:40AM +0000, Simpson Lachlan wrote:
> > With the “allow all” HBAC rule enabled, we have no trouble logging in to any
> > machine via ssh. When we disable the “allow all” rule and make specific per-
> > machine rules (as per the idea of ‘host based’ in HBAC), we get unpredictable
> > results, primarily resulting in an inability to login via ssh. This result is intermittent
> > – sometimes we can login, but sometimes we can’t.
> 
> One noted way to "break" the HBAC is a long period of inactivity in that shell.

Typically, this is because of issues in group membership for that user.
Does id report all the groups the user should be a member of?

With recent enough SSSD, the hbac evaluator prints more verbose debug
messages (down to the individual elements of HBAC rules) to see why
exactly the rules didn't match.

There were fixes in the latest 7.2.z IPA update to help fix a problem
with the same AD group being a member of multiple IPA external groups,
maybe that would fix your problem.
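The two checks suggested above (does `id` report every group the rule relies on, and how does the server itself evaluate the rule) can be scripted. The following is an added example written for this thread, not code from the list posters or from the FreeIPA project; it assumes coreutils `id` output, the `ipa hbactest` client command with its `--user`, `--host` and `--service` options, and the user, host and group names are placeholders you replace with your own.

```sh
#!/bin/sh
# Added diagnostic helper for HBAC/ssh login problems (example code, not from
# the mailing-list thread). It compares the groups `id` reports for a user
# against the groups the HBAC rule expects, and, when the ipa client tools
# are present, asks the server how it would evaluate the rule.

# missing_groups ID_OUTPUT EXPECTED_GROUP...
# Prints, one per line, each expected group that does not appear in
# ID_OUTPUT, where ID_OUTPUT is the text printed by `id USER`, e.g.
#   uid=1234(alice) gid=1234(alice) groups=1234(alice),5000(hpc-users)
missing_groups() {
    id_out=$1
    shift
    # Keep only the groups=... field, drop any trailing SELinux context,
    # split on commas and strip the numeric gid so only names remain.
    have=$(printf '%s\n' "$id_out" \
        | sed -n 's/.*groups=//p' \
        | sed 's/ context=.*//' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/')
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx -- "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# check_user_groups USER EXPECTED_GROUP...
# Runs `id` on this host (i.e. through SSSD) and reports missing groups.
# Returns 0 when all expected groups are present, 1 otherwise.
check_user_groups() {
    user=$1
    shift
    missing=$(missing_groups "$(id "$user" 2>/dev/null)" "$@")
    if [ -n "$missing" ]; then
        echo "groups missing from id($user) on $(hostname):"
        printf '  %s\n' $missing
        return 1
    fi
    echo "id($user) reports all expected groups"
    return 0
}

# check_hbac_access USER HOST
# Asks the IPA server to evaluate HBAC for ssh access (service name sshd)
# and prints the matched/denied rules, which can be compared with what the
# client actually decided. Skipped if the ipa client tools are absent.
check_hbac_access() {
    if ! command -v ipa >/dev/null 2>&1; then
        echo "ipa client tools not installed, skipping hbactest"
        return 0
    fi
    ipa hbactest --user "$1" --host "$2" --service sshd
}

# Usage: ./hbac-check.sh USER HOST GROUP [GROUP...]
# (placeholder invocation, e.g. ./hbac-check.sh alice node01.example.test hpc-users)
if [ "$#" -ge 3 ]; then
    u=$1; h=$2; shift 2
    check_user_groups "$u" "$@"
    check_hbac_access "$u" "$h"
fi
```

Run it on the client where the login fails; if `id` lacks a group the rule needs while `ipa hbactest` says access would be granted, the problem is in the client's cached group membership rather than in the rule itself, which is the case the reply above points at.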