Hi Mark:

Thank you for your suggestion. I will try it later today.

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Sunday, June 03, 2012 11:40 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FreeIPA 2.1 - restrict users to a set of hosts

On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> Hi:
> 
> I am a newbie that is trying out FreeIPA for the first time. So far I
> am extremely impressed with this system but I ran into a problem that
> I need some help with. I am trying to figure out how to use HBAC to
> restrict a set of users to a specific set of hosts but I am not having
> any success.
> 
> Here is the problem statement:
> 
> I have 2 users: “user1” and “user2” that should only be able to access
> the host “foobar” on my network. There are many other possible hosts
> (like “wombat”) that they cannot access. They can login from anywhere
> using “ssh”.
> 
> The goal is to restrict students to a specific set of machines.
> 
> What I tried to do was this:
> 
> 1. Create a user group called “restricted-users” which I could
>    add users to.
> 
> 2. Create a HBAC rule named “restricted-users” that
> 
>    a. Defines the host I want to allow them access to
>       (“restricted-host”).
> 
>    b. Defines the user group that is affected by this rule
>       (“restricted-users”).
> 
>    c. Defines the services they are allowed to use on that host
>       (including login).
> 
> 3. Create a user named “user1” that is enrolled in the
>    “restricted-users” group.
> 
> I then tried this experiment:
> 
> 1. ssh -Y user1@foobar
> 
>    a. It worked like a charm. The login worked correctly.
> 
> 2. ssh -Y user1@wombat
> 
>    a. It also worked like a charm but in this case it was undesired
>       behavior.
> 
> I am sure that I am missing something really obvious. Any help would
> be greatly appreciated.
> 
> Errata:
> 
> 1. OS: CentOS 6.2
> 
> 2. FreeIPA: v2.1.3 (9el6)
> 
> Thank you,
> 
> Joe

Hello Joe,

did you disable the default allow_all HBAC rule?

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

With this rule disabled, the policy you described should be properly enforced.
When testing HBAC rules you may want to try the CLI and Web UI interfaces to
the hbactest command, which can help you test who can use what service on which
machine, and also which rules matched when access was allowed.

HTH,
Martin
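The behaviour Martin describes can be seen in a small model of how HBAC rules are evaluated. The block below is an added illustration for this thread, not code from FreeIPA, from Joe or from Martin: the rule, group and host names come from the messages above, while the .example.com domain, the "login" service name, the source host and the evaluator itself are assumptions. The point it shows is that HBAC rules only ever allow, and a request is granted if any enabled rule matches, so as long as allow_all is enabled Joe's restricted-users rule can never take anything away; only disabling allow_all makes the restriction visible.

```python
"""Toy model of FreeIPA HBAC evaluation: rules only ever allow, never deny.

Constructed example for the freeipa-users thread above. Rule, group and host
names are taken from the thread; the .example.com domain, the "login" service,
the source host and this evaluator are assumptions, not FreeIPA's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Set, Tuple

ALL = "all"  # what `ipa hbacrule-show` prints as "... category: all"


@dataclass
class HbacRule:
    """One rule: each dimension is either category 'all' or an explicit member set."""
    name: str
    enabled: bool = True
    user_category: str = ""          # ALL, or "" meaning "use users/groups below"
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    host_category: str = ""
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    service_category: str = ""
    services: Set[str] = field(default_factory=set)
    srchost_category: str = ""
    srchosts: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    """Who is trying to use which service on which host, coming from where."""
    user: str
    user_groups: Set[str]
    host: str
    host_groups: Set[str]
    service: str
    srchost: str


def rule_matches(rule: HbacRule, req: AccessRequest) -> bool:
    """A rule matches only if it is enabled and every one of its dimensions matches."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_category == ALL
               or req.user in rule.users
               or bool(req.user_groups & rule.groups))
    host_ok = (rule.host_category == ALL
               or req.host in rule.hosts
               or bool(req.host_groups & rule.hostgroups))
    service_ok = rule.service_category == ALL or req.service in rule.services
    srchost_ok = rule.srchost_category == ALL or req.srchost in rule.srchosts
    return user_ok and host_ok and service_ok and srchost_ok


def hbactest(rules: List[HbacRule], req: AccessRequest) -> Tuple[bool, List[str]]:
    """Mimic what `ipa hbactest` reports: granted if ANY enabled rule matches.

    Returns (granted, names of the rules that matched). There is no deny rule
    and no ordering, so a narrow rule can never override a broad one.
    """
    matched = [r.name for r in rules if rule_matches(r, req)]
    return bool(matched), matched


def build_rules(allow_all_enabled: bool) -> List[HbacRule]:
    """The two rules in play on Joe's server: the default allow_all and his own."""
    allow_all = HbacRule(
        name="allow_all", enabled=allow_all_enabled,
        user_category=ALL, host_category=ALL,
        service_category=ALL, srchost_category=ALL,
    )
    restricted = HbacRule(
        name="restricted-users",
        groups={"restricted-users"},
        hosts={"foobar.example.com"},
        services={"sshd", "login"},
        srchost_category=ALL,  # "They can login from anywhere"
    )
    return [allow_all, restricted]


def ssh_as_user1(host: str, allow_all_enabled: bool) -> Tuple[bool, List[str]]:
    """Joe's experiment: user1 (member of restricted-users) runs ssh to `host`."""
    req = AccessRequest(
        user="user1", user_groups={"restricted-users"},
        host=host, host_groups=set(),
        service="sshd", srchost="laptop.example.com",  # assumed client
    )
    return hbactest(build_rules(allow_all_enabled), req)


if __name__ == "__main__":
    for enabled in (True, False):
        print(f"allow_all enabled={enabled}")
        for target in ("foobar.example.com", "wombat.example.com"):
            granted, matched = ssh_as_user1(target, enabled)
            print(f"  user1 -> {target}: granted={granted} matched={matched}")
```

With allow_all enabled the wombat login is granted by allow_all alone, which is exactly what Joe saw; with it disabled, foobar is still granted (by restricted-users) and wombat is refused because no rule matches. On a real server the corresponding steps are `ipa hbacrule-disable allow_all` followed by `ipa hbactest --user=user1 --host=wombat.example.com --service=sshd`, which prints whether access is granted and which rules matched; remember that the decision is enforced on the client by SSSD, so the client has to be an enrolled IPA client using sssd for any of this to apply to the actual ssh login.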


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
