On Thu, 2018-11-08 at 16:36 -0800, Leonard Lawton wrote: > I'm looking to setup HBAC for linux servers. People currently login > to > the hosts(via ssh) using ssh keys(no password). > > I was thinking that one way to control access is by denying the > sshPublicKey(or even the uid, many options here) from being visible > on > the host by default, and creating an aci that allows the attribute to > be > visible based on the host. The visibility would be controlled by > applying the aci to a group, and if the person is a member, then > it's > allowed. This does not work as I hoped though, since there is no > bind > performed as the user when the user logs in to the host. > > My questions.. 1) if is this a sane approach, how might I get around > this issue? 2) If this is not a good way, what might be a better way > to > accomplish this?
Rather than using the ssh key as the access mechanism, why not use sssd's ability to filter based on groups? So you would have the host allow as a filter of group=X or group=Y, and then that controls access? The ssh key distribution is authentication (proof of id), where what you want is authorisation (are you allowed to do the thing?) > > The caveats are I don't want to rely on posix group membership in > the > allowgroups in sshd.conf, nor do I want to require passwords to login Have a look at http://www.port389.org/docs/389ds/howto/howto-sssd.html and look at the ldap_access_filter line. This config is already setup to pull sshPublicKey. You just need to add AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys AuthorizedKeysCommandUser root to sshd.conf Hope that helps, > > > _______________________________________________ > 389-users mailing list -- 389-users@lists.fedoraproject.org > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.o > rg > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelin > es > List Archives: https://lists.fedoraproject.org/archives/list/389-user > s...@lists.fedoraproject.org _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
