Rob, do you by chance maybe have sshd and sftp in your "Via Services" permissions? If I have the sshd service enabled in my "Via services" then "sftp" works for me as well, but it's still under the hood authenticating with sshd even though I am trying to connect with the "sftp" command. "pam_sss" in the logs show it's using sshd, even though I have /etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this might have something to do with "sftp" is actually using "sshd" to do the auth?
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=exampleserver May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied) On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <[email protected]> wrote: > Kevin Vasko wrote: > > Thanks Rob. > > > > ipa hbactest --user testaccount --host testsystem.example.com > > --service sftp > > -------------------- > > Access granted: True > > > > ipa hbactest --user testaccount --host testsystem.example.com > > --service sshd > > -------------------- > > Access granted: False > > > > So the HBAC works from FreeIPA...however when I actually put rubber to > > the road > > > > "sftp [email protected]" > > Password: > > Connection closed by UNKNOWN port 65535 > > Connection closed. > > > > On the server it is denying it because it seems to be using sshd like > > Ahti Seier mentioned. > > You'd have to enable debugging in SSSD to see what is happening. I did > the same and copied the pam sshd to sftp and it just worked for me, > assuming I didn't screw something up. > > rob > > > > > > > > > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <[email protected] > > <mailto:[email protected]>> wrote: > > > > Kevin Vasko via FreeIPA-users wrote: > > > Try to make this simple. > > > > > > Have a HBAC, have the "Who" set to a user, have the "Accessing" > > set to a > > > server. > > > > > > Have the "Via Service" set to "sshd". The user can ssh into the > server > > > no issue. > > > > > > I want to limit this user to only being able to sftp into this > server > > > (no direct ssh). > > > > > > If I swap the "Via Service" from the sshd service to sftp that > user is > > > now denied. They cannot access the server via sftp or ssh. I would > > > expect it to deny ssh access but allow sftp. > > > > > > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it > mentioned > > > here > > > > > > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed > > > but that didn't seem to work. > > > > > > Can you point me to the instructions on how to make the HBAC work > > with a > > > particular service (e.g. sftp)? > > > > I just tested this and it works fine for me. I had to create an > > allow_sshd HBAC rule which granted sshd access after I disabled the > > allow_all rule. > > > > You can test your rules with: > > ipa hbactest --user admin --host replica.example.test --service sshd > > > > and > > > > ipa hbactest --user admin --host replica.example.test --service sftp > > > > And replace user with whatever user can only access via sftp. It > should > > fail for sshd. > > > > It would help to see the output of these hbactest runs. > > > > rob > > > >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
