Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp
--------------------
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
--------------------
Access granted: False

So the HBAC works from FreeIPA... however, when I actually put rubber to the road:

"sftp testacco...@testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.

On the server it is denying it because it seems to be using sshd like Ahti
Seier mentioned.



On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcrit...@redhat.com> wrote:

> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh into the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > here
> >
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work with a
> > particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>
>
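A small added illustration of the mismatch the thread describes (my own code, not from the list or from FreeIPA): `ipa hbactest` evaluates whatever service name you pass it, while the server evaluates the PAM service name that sshd reports. The assumption here, labelled in the code, is that sshd reports the service name "sshd" for both interactive logins and the sftp subsystem, so a rule whose only service is "sftp" never matches on the host.

```python
"""Toy HBAC evaluator: why a rule with service "sftp" passes hbactest but fails on the host.

Added example, not the thread's or FreeIPA's code.  Assumption: SSSD matches
HBAC rules on the PAM service name sshd hands to PAM, which is "sshd" for
both a shell login and the sftp subsystem (sftp is not a separate daemon).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class HbacRule:
    name: str
    users: set[str]
    hosts: set[str]
    services: set[str]
    enabled: bool = True

    def matches(self, user: str, host: str, service: str) -> bool:
        return (self.enabled and user in self.users
                and host in self.hosts and service in self.services)


def hbac_allowed(rules: list[HbacRule], user: str, host: str, service: str):
    """Mimic `ipa hbactest --service <service>`: (granted, matched rule names)."""
    matched = [r.name for r in rules if r.matches(user, host, service)]
    return bool(matched), matched


# Constructed mapping of client protocol -> PAM service name seen by SSSD on
# the host (the assumption stated in the module docstring).
PAM_SERVICE_SEEN_BY_SSSD = {"ssh": "sshd", "sftp": "sshd"}


def server_side_check(rules: list[HbacRule], user: str, host: str, client: str) -> bool:
    """Evaluate as the host does: by PAM service name, not by client protocol."""
    return hbac_allowed(rules, user, host, PAM_SERVICE_SEEN_BY_SSSD[client])[0]


# Constructed rules: the "sftp only" rule from the thread, and Rob's allow_sshd rule.
SFTP_ONLY = [HbacRule("sftp_only", {"testaccount"}, {"testsystem.example.com"}, {"sftp"})]
ALLOW_SSHD = [HbacRule("allow_sshd", {"testaccount"}, {"testsystem.example.com"}, {"sshd"})]

if __name__ == "__main__":
    for client in ("sftp", "ssh"):
        print(client, "via sftp_only rule:", server_side_check(SFTP_ONLY, "testaccount",
                                                                "testsystem.example.com", client))
```

The hbactest-style calls reproduce the thread's output (sftp True, sshd False), while the host-side evaluation denies both clients under the "sftp" rule and permits both under an "sshd" rule; restricting the user to file transfer only therefore has to happen in sshd itself, not in the HBAC service name.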
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue