On 27/05/2024 06:10, Alexander Bokovoy via FreeIPA-users wrote:
On Sat, 25 May 2024, Sam Morris wrote:
On Sat, 2024-05-25 at 12:46 +0100, Sam Morris via FreeIPA-users wrote:
On Sat, 2024-05-25 at 11:01 +0300, Alexander Bokovoy via FreeIPA-users wrote:
> On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote:
> > On 24/05/2024 15:52, Alexander Bokovoy via FreeIPA-users wrote:
> > > On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote:
> > > > On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote:
> > > > > On non-IPA clients I'm using AllowUsers/AllowGroups to
> > > > > restrict
> > > > > which local users are able to SSH into a system.
> > > > >
> > > > > On IPA clients I am using HBAC to control the same for IPA
> > > > > users. But what's the best way to control which local users
> > > > > can
> > > > > SSH in to an IPA client?
> > > >
> > > > Sorry, I forgot to add "... without disrupting access to the
> > > > IPA
> > > > client for IPA users".
> > >
[... discussion of using pam_sss for HBAC with local users omitted...]
So it looks like pam_sss is returning 'user_unknown' rather than
allow/deny.
Yeah, the issue here is not HBAC rules but rather the fact that SSSD
does not consider this user at all and thus escapes early.
>
Ok, so this might be solved then by Match?
Match
AllowGroups allow-ssh
>
Since it is a conditional keyword, it would not apply to all conditions,
so IPA users would not match by it but local ones would instead.
sshd says this is invalid: a criterion is needed (Match User x/Match
Group y/etc).
Meanwhile, I continued to work on implementing the control with PAM and
I've got something pretty straightforward now.
At the start of /etc/pam.d/sshd I have:
account include remote-access
And in /etc/pam.d/remote-access I have:
account [perm_denied=1 success=ok] pam_localuser.so
account requisite pam_succeed_if.so user ingroup remote-access
(I've called the file & group 'remote-access' because I'm going to apply
it to cockpit as well as sshd).
A local user who isn't in that group is denied with log messages like these:
sshd[1492472]: pam_succeed_if(sshd:account): requirement "user ingroup remote-access" not met by user "local"
sshd[1492468]: error: PAM: User account has expired for local from ::1
I'm not 100% sure whether 'requisite' or 'required' is better to use
with pam_succeed_if; but hopefully this can be a useful starting point
for anyone else who wants to control SSH access for local users similar
to the traditional AllowUsers/AllowGroups directive, while still
allowing HBAC to control access for domain users.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
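As an added example (not from the thread), the following Python models the PAM control-flag evaluation described in pam.conf(5) and traces the posted /etc/pam.d/remote-access stack for a local user in the group, a local user outside it, and domain users, beside a variant that skips on success. Because a numeric jump counts as "ok", the perm_denied that triggers the skip in the posted stack is recorded as the stack's result before pam_sss runs, so the domain-user path is worth checking on a real client. The stubbed module behaviour, the sample users and the assumed tail of the account stack (pam_sss followed by pam_permit) are not from the post.

```python
# Added example, not from the thread: a model of Linux-PAM account-stack
# control flow (pam.conf(5) semantics) tracing the posted remote-access
# lines for constructed users. Module behaviour is stubbed.
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"
# Constructed data: /etc/passwd names, group members, SSSD users, HBAC result.
LOCAL_USERS = {"alice", "local"}
REMOTE_ACCESS_GROUP = {"alice"}
DOMAIN_USERS = {"ipauser", "contractor"}
HBAC_ALLOWED = {"ipauser"}

def pam_localuser(user):          # success iff the user is in /etc/passwd
    return SUCCESS if user in LOCAL_USERS else PERM_DENIED
def pam_succeed_if(user):         # "user ingroup remote-access"
    return SUCCESS if user in REMOTE_ACCESS_GROUP else PERM_DENIED
def pam_sss(user):                # HBAC decision; local users are unknown
    if user not in DOMAIN_USERS:
        return USER_UNKNOWN
    return SUCCESS if user in HBAC_ALLOWED else PERM_DENIED

REQUIRED = {SUCCESS: "ok", "default": "bad"}     # keyword expansions
REQUISITE = {SUCCESS: "ok", "default": "die"}

def run_stack(stack, user):
    """Evaluate [(control, module)] for user and return the stack result."""
    # A numeric jump acts as "ok" then skips N modules; "ok" only replaces
    # a status that is currently SUCCESS; bad/die record the first failure.
    impression, status, skip = None, PERM_DENIED, 0
    for control, module in stack:
        if skip:
            skip -= 1
            continue
        ret = module(user)
        action = control.get(ret, control.get("default", "bad"))
        if action == "ok" or isinstance(action, int):
            if impression is None or (impression == "+" and status == SUCCESS):
                impression, status = "+", ret
            skip = action if isinstance(action, int) else 0
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", ret
            if action == "die":
                break
    return status

# Assumed tail of the account stack (typical SSSD client layout, not from the post).
TAIL = [({SUCCESS: "ok", USER_UNKNOWN: "ignore", "default": "bad"}, pam_sss),
        (REQUIRED, lambda user: SUCCESS)]                  # pam_permit
POSTED = [({PERM_DENIED: 1, SUCCESS: "ok"}, pam_localuser),
          (REQUISITE, pam_succeed_if)] + TAIL
# Variant that jumps on success, so the skipped path leaves the status alone.
SKIP_ON_SUCCESS = [({SUCCESS: 1, "default": "ignore"}, pam_localuser),
                   ({SUCCESS: 1, "default": "ignore"}, lambda user: SUCCESS),
                   (REQUISITE, pam_succeed_if)] + TAIL
```

Calling run_stack(POSTED, "ipauser") and run_stack(SKIP_ON_SUCCESS, "ipauser") side by side shows the difference the jump direction makes; both stacks deny "local" and admit "alice".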
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]