<br><br><div class="gmail_quote">On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
On 07/09/2013 06:01 PM, KodaK wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Tue, Jul 9, 2013 at 4:27 PM, Dmitri
Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 07/09/2013 03:57 PM, KodaK wrote:
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Mon, Jul 8, 2013 at 12:50
PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <br>
HBAC is enforced by sssd, so no sssd, no HBAC.<br>
<br>
I think you need to use pam_access to limit users in
AIX.<span><font color="#888888"><br>
<br>
</font></span></blockquote>
<div><br>
</div>
<div>I have some work-arounds now, but I'd like to
find a way to automate them. What</div>
<div>I need is a way to ask IPA "who is allowed to
access this particular server?"</div>
<div><br>
</div>
<div>The goal is to just get a list of allowed users,
then there are various mechanisms</div>
<div>I can employ to allow access to only the listed
users. I plan to do this from the</div>
<div>puppet master so I can push the configs from
there. I have ipa-admintools and</div>
<div>openldap-clients installed on the puppet master.</div>
<div><br>
</div>
<div>Right now I'm iterating through all the hbacrules
and grepping for the server in </div>
<div>question, then getting the details of that rule.
This is a lot of requests.</div>
</div>
</blockquote>
<br>
<br>
</div>
A valid RFE I would say...<br>
Maybe it should be an enhancement for the hbac-test tool?<br>
However getting a list of the users verbatim is probably
costly too.<br>
Maybe it would make sense for you to create a group of AIX
users in IPA, then fetch it from the puppet master and
traverse its memberOf attribute for the list of members?<br>
It will not use HBAC but still would provide some access
control optimization.<br>
Will that solve the problem for you?<br>
</div>
</blockquote>
<div><br>
</div>
<div>I thought about that, but there are some drawbacks. I
don't have "a" group of AIX users that access all AIX
machines. I have a bunch of different AIX machines with
different user sets. I can create a group for each host
called hostname_access -- but then I'm just replicating (quite
inefficiently) information that already exists in the HBAC
rules. I can probably create one rule per host in HBAC and
query that particular rule for the allowed users, but this
loses the benefit of being able to use host and user groups.
This is probably where we'll end up, though, since it's the
least-effort-to-implement (if worst to maintain) option.</div>
<div><br>
</div>
<div>How does sssd determine if a user is allowed access?
Another option may be to replicate that functionality in a
program or script on the puppet master and have it populate
some files once a day or so. Alternately we could write a PAM
module for AIX that replicates that functionality. Right now,
though, I have no idea how it's done in SSSD (a pointer to
where it is in the code would be helpful, even.)</div>
</div>
-- <br>
The government is going to read our mail anyway, might as well
make it tough for them. GPG Public key ID: B6A1A7C6
</blockquote>
<br></div></div>
SSSD and IPA share the same library.<br>
I do not remember the name of it, but it takes input: user, host,
service and determines whether the user is allowed or not.<br>
It is written in C. So it probably can be ported to AIX.<br>
<br>
Here is another option, I do not know if that would work for you.<br>
It really depends on your setup.<br>
You can allow SSH into AIX machines only from a corresponding
gateway machine.<br>
Say you have 5 classes of AIX machines then you will have 5 gateway
machines.<br>
The access to a set of AIX machines will be restricted to SSH from a
gateway system.<br>
Logging in to a gateway system would be protected with HBAC.<br>
<br>
Not the best but yet an alternative approach.<br>
<br>
If you go with the "implement yourself approach" on the puppet
master you should take a look at the code of the library and see
how it does things. It might be a good start.<div class="im"><br></div></div></blockquote><div><br></div><div>Thanks, Dmitri. IRT the gateway machines: I can already block on a per-user basis using "AllowUsers" in sshd_config -- that's one of the workarounds I'm using now. This works, but I want to populate that automatically via IPA and puppet. Doing a gateway seems like a step back, plus I'm sure my users would revolt. :)</div>
<div> </div></div>
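<p>The thread asks two things: how SSSD decides whether a user is allowed (the shared C library Dmitri mentions is SSSD's libipa_hbac), and how to invert that decision into "who is allowed on this host" so a puppet master can generate an sshd_config AllowUsers line. The script below is an added example, not code from the thread, from FreeIPA or from libipa_hbac. It reimplements the HBAC matching semantics in Python: a request is allowed if any enabled rule matches in all three dimensions (user, host, service), where a dimension matches when the rule's category is "all" or the named entry, or one of its nested groups, is a member. Rule attribute names follow what <code>ipa hbacrule-show --raw</code> prints, but the directory snapshot (users, groups, hostgroups, service groups and the rules themselves) is constructed for the example, and a real deployment would fetch those entries over the IPA API or LDAP instead.</p>

```python
"""Offline model of FreeIPA HBAC evaluation, used to answer
'which users may log in to host H via service S?' and to turn the answer
into an sshd_config AllowUsers line. All directory data is constructed."""
from dataclasses import dataclass
from typing import Optional

ALL = "all"  # value of a *category attribute when a rule applies to everything


@dataclass(frozen=True)
class HbacRule:
    """One hbacrule entry; attribute names as shown by 'ipa hbacrule-show --raw'."""
    name: str
    enabled: bool = True
    usercategory: Optional[str] = None
    hostcategory: Optional[str] = None
    servicecategory: Optional[str] = None
    memberuser_user: frozenset = frozenset()
    memberuser_group: frozenset = frozenset()
    memberhost_host: frozenset = frozenset()
    memberhost_hostgroup: frozenset = frozenset()
    memberservice_hbacsvc: frozenset = frozenset()
    memberservice_hbacsvcgroup: frozenset = frozenset()


# --- constructed directory snapshot (hypothetical names) ---------------------
GROUPS = {  # group -> (direct user members, directly nested groups)
    "aix-admins": ({"alice"}, set()),
    "dba": ({"bob", "carol"}, set()),
    "ops": ({"dave"}, {"aix-admins"}),
}
HOSTGROUPS = {  # hostgroup -> (direct hosts, directly nested hostgroups)
    "aix-db": ({"db1.example.com", "db2.example.com"}, set()),
    "aix-all": ({"build1.example.com"}, {"aix-db"}),
}
HBACSVCGROUPS = {"remote": {"sshd", "login"}}  # hbacsvcgroup -> hbacsvc members
ALL_USERS = {"alice", "bob", "carol", "dave", "erin"}

RULES = [
    # The default rule IPA ships with, disabled here as it would be in production.
    HbacRule("allow_all", enabled=False, usercategory=ALL, hostcategory=ALL,
             servicecategory=ALL),
    HbacRule("ops_aix", memberuser_group=frozenset({"ops"}),
             memberhost_hostgroup=frozenset({"aix-all"}), servicecategory=ALL),
    HbacRule("dba_db", memberuser_group=frozenset({"dba"}),
             memberhost_hostgroup=frozenset({"aix-db"}),
             memberservice_hbacsvcgroup=frozenset({"remote"})),
    HbacRule("erin_build", memberuser_user=frozenset({"erin"}),
             memberhost_host=frozenset({"build1.example.com"}),
             memberservice_hbacsvc=frozenset({"sshd"})),
]


def _closure(name, table):
    """Transitive members of a (host)group: direct members plus nested groups'."""
    seen, stack, members = set(), [name], set()
    while stack:
        g = stack.pop()
        if g in seen or g not in table:
            continue
        seen.add(g)
        direct, nested = table[g]
        members |= direct
        stack.extend(nested)
    return members


def group_users(group):
    return _closure(group, GROUPS)


def hostgroup_hosts(hostgroup):
    return _closure(hostgroup, HOSTGROUPS)


def user_groups(user):  # effective (nested) group membership, as SSSD would see it
    return {g for g in GROUPS if user in group_users(g)}


def host_hostgroups(host):
    return {hg for hg in HOSTGROUPS if host in hostgroup_hosts(hg)}


def service_groups(service):
    return {sg for sg, svcs in HBACSVCGROUPS.items() if service in svcs}


def rule_matches_user(rule, user):
    return (rule.usercategory == ALL or user in rule.memberuser_user
            or bool(user_groups(user) & rule.memberuser_group))


def rule_matches_host(rule, host):
    return (rule.hostcategory == ALL or host in rule.memberhost_host
            or bool(host_hostgroups(host) & rule.memberhost_hostgroup))


def rule_matches_service(rule, service):
    return (rule.servicecategory == ALL or service in rule.memberservice_hbacsvc
            or bool(service_groups(service) & rule.memberservice_hbacsvcgroup))


def hbac_allowed(user, host, service, rules=RULES):
    """The forward decision (what 'ipa hbactest' answers): any enabled rule
    matching all three dimensions grants access; nothing denies."""
    return any(r.enabled and rule_matches_user(r, user) and rule_matches_host(r, host)
               and rule_matches_service(r, service) for r in rules)


def allowed_users(host, service, rules=RULES):
    """The inverted query: every user some enabled rule grants on host+service.
    Returns ALL if a matching rule has usercategory=all (no list to enforce)."""
    users = set()
    for r in rules:
        if not (r.enabled and rule_matches_host(r, host) and rule_matches_service(r, service)):
            continue
        if r.usercategory == ALL:
            return ALL
        users |= set(r.memberuser_user)
        for g in r.memberuser_group:
            users |= group_users(g)
    return users


def allowusers_line(host, service="sshd", rules=RULES):
    """sshd_config fragment for one host; None when HBAC imposes no restriction."""
    users = allowed_users(host, service, rules)
    if users == ALL:
        return None
    if not users:          # 'AllowUsers' with no argument is a config error
        return "DenyUsers *"
    return "AllowUsers " + " ".join(sorted(users))


if __name__ == "__main__":
    for h in ("db1.example.com", "build1.example.com", "lonely.example.com"):
        print(h, "->", allowusers_line(h))
```

<p>Running it prints one AllowUsers line per host, which is what the puppet master would drop into each AIX host's sshd_config. The host with no matching rule gets <code>DenyUsers *</code> rather than an empty AllowUsers, because sshd rejects AllowUsers without an argument and an absent directive would allow everyone. A cheap consistency check before pushing configs is to assert that for every user, host and service, <code>hbac_allowed()</code> agrees with membership in <code>allowed_users()</code>; the same comparison can be made against <code>ipa hbactest</code> output in a real deployment. Note that this is a one-shot snapshot: anything SSSD would re-evaluate on each login (rule edits, group changes) only reaches the AIX hosts at the next puppet run.</p>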