We've just discovered that AIX does not honor HBAC rules with telnet.  ssh
is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=sshd
---------------------
Access granted: False
---------------------

There was no telnet service by default, I created one (but I'm not sure I
did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=telnet
---------------------
Access granted: False
---------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com
Service: any
---------------------
Access granted: False
---------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=
sla765q1.unix.magellanhealth.com --service=login
---------------------
Access granted: False
---------------------

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
 telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user and
then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if
AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political pressure
to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to