Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an allow_sshd HBAC rule which granted sshd access after I disabled the allow_all rule.

You can test your rules with:

ipa hbactest --user admin --host replica.example.test --service sshd

and

ipa hbactest --user admin --host replica.example.test --service sftp

And replace user with whatever user can only access via sftp. It should fail for sshd.

It would help to see the output of these hbactest runs.

rob
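The following is an added example, not code from the thread or from FreeIPA. It is a small model of how HBAC rules are evaluated (Who, Accessing and Via Service must all match, rules only allow, and a request that matches no enabled rule is denied), driven by the two rule setups the thread describes: the allow_all rule disabled, an allow_sshd rule for admin, and a rule whose Via Service is "sftp" for a user who should only use sftp. The host name replica.example.test comes from the reply; the user name sftpuser and the rule name sftp_only are constructed. The model also assumes one fact the thread does not state: an OpenSSH login authenticates through PAM as the "sshd" service whether the session then runs a shell or the sftp subsystem, so SSSD asks HBAC about "sshd" in both cases.

```python
"""Toy HBAC evaluator (added example; assumptions are labelled in comments)."""
from dataclasses import dataclass


@dataclass
class HbacRule:
    """One HBAC allow rule: Who / Accessing / Via Service, or an 'all' category."""
    name: str
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()
    services: frozenset = frozenset()
    user_all: bool = False      # usercategory=all
    host_all: bool = False      # hostcategory=all
    service_all: bool = False   # servicecategory=all
    enabled: bool = True

    def matches(self, user: str, host: str, service: str) -> bool:
        """A rule applies only when all three dimensions match."""
        if not self.enabled:
            return False
        return ((self.user_all or user in self.users)
                and (self.host_all or host in self.hosts)
                and (self.service_all or service in self.services))


def hbac_test(rules, user, host, service):
    """Mirror of `ipa hbactest`: return (granted, names of matching rules).

    HBAC is allow-only with a default deny, so no match means denied.
    """
    matched = [r.name for r in rules if r.matches(user, host, service)]
    return bool(matched), matched


# Assumption: the PAM service name a real login presents. OpenSSH uses "sshd"
# for both an interactive shell and the sftp subsystem; no part of an OpenSSH
# login presents "sftp" to PAM.
PAM_SERVICE_FOR_LOGIN = {"ssh": "sshd", "sftp": "sshd"}


def login_allowed(rules, user, host, how):
    """Evaluate what SSSD would ask HBAC for an actual ssh or sftp login."""
    granted, _ = hbac_test(rules, user, host, PAM_SERVICE_FOR_LOGIN[how])
    return granted


HOST = "replica.example.test"

# Constructed rule set reflecting the thread: allow_all disabled, an
# allow_sshd rule for admin, and an sftp-only rule using Via Service "sftp".
RULES = [
    HbacRule("allow_all", user_all=True, host_all=True, service_all=True,
             enabled=False),
    HbacRule("allow_sshd", users=frozenset({"admin"}), hosts=frozenset({HOST}),
             services=frozenset({"sshd"})),
    HbacRule("sftp_only", users=frozenset({"sftpuser"}), hosts=frozenset({HOST}),
             services=frozenset({"sftp"})),
]

if __name__ == "__main__":
    for user in ("admin", "sftpuser"):
        for svc in ("sshd", "sftp"):
            granted, matched = hbac_test(RULES, user, HOST, svc)
            print(f"hbactest user={user} service={svc}: "
                  f"{'granted' if granted else 'denied'} {matched}")
        for how in ("ssh", "sftp"):
            ok = login_allowed(RULES, user, HOST, how)
            print(f"real login user={user} via {how}: {'allowed' if ok else 'denied'}")
```

Running it shows the gap between the two checks: `ipa hbactest --service sftp` reports the sftp_only rule as matching, yet the simulated real login for that user is denied for both ssh and sftp, because the login never presents "sftp" to PAM. That is why copying /etc/pam.d/sshd to /etc/pam.d/sftp has no effect: the file is only consulted when some program authenticates as the "sftp" service, and OpenSSH does not. HBAC can therefore grant or deny the SSH login as a whole, while limiting an allowed login to sftp is a job for the SSH server's own configuration (for example an sshd_config Match block with ForceCommand internal-sftp).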