KodaK wrote:
We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
---------------------
Access granted: False
---------------------

There was no telnet service by default, so I created one (but I'm not sure I did so correctly).

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
---------------------
Access granted: False
---------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
---------------------
Access granted: False
---------------------

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
---------------------
Access granted: False
---------------------

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
  telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause Kerberos to time out on the invalid user
and then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or
if AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political
pressure to keep it open.

Anyone have any ideas for things I could try?

HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob
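To make rob's point concrete, below is a small model of the server-side evaluation that `ipa hbactest` performs: rules are allow-only, a disabled rule never matches, and a service (here "telnet") that no enabled rule lists is denied regardless of user or host. This is an added example, not FreeIPA project code or anything from the thread; the rule names, group names and host are constructed. The client side is the missing half: a host that authenticates without SSSD never consults these rules at all.

```python
from dataclasses import dataclass


@dataclass
class HbacRule:
    """One allow rule (constructed model, not the IPA LDAP schema)."""
    name: str
    enabled: bool = True
    users: frozenset = frozenset()       # direct user members
    groups: frozenset = frozenset()      # user-group members
    hosts: frozenset = frozenset()       # direct host members
    services: frozenset = frozenset()    # HBAC service members (sshd, login, ...)
    usercat_all: bool = False            # --usercat=all
    hostcat_all: bool = False            # --hostcat=all
    servicecat_all: bool = False         # --servicecat=all


def rule_matches(rule, user, user_groups, host, service):
    """HBAC rules only ever allow; a disabled rule contributes nothing."""
    if not rule.enabled:
        return False
    user_ok = rule.usercat_all or user in rule.users or bool(user_groups & rule.groups)
    host_ok = rule.hostcat_all or host in rule.hosts
    svc_ok = rule.servicecat_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_test(rules, user, user_groups, host, service):
    """Names of the rules granting access; an empty list is 'Access granted: False'."""
    return [r.name for r in rules if rule_matches(r, user, user_groups, host, service)]


# Constructed rule set: only members of 'unixadmins' may use sshd, on any host.
# No enabled rule mentions 'telnet', so merely creating the HBAC service grants nothing.
RULES = [
    HbacRule("allow_ssh_admins", groups=frozenset({"unixadmins"}),
             hostcat_all=True, services=frozenset({"sshd"})),
    HbacRule("old_allow_all", enabled=False, usercat_all=True,
             hostcat_all=True, servicecat_all=True),
]
HOST = "aixhost.example.test"  # placeholder host name, not the poster's

if __name__ == "__main__":
    for user, groups in (("testuser", frozenset()), ("admin1", frozenset({"unixadmins"}))):
        for svc in ("sshd", "telnet"):
            granted = bool(hbac_test(RULES, user, groups, HOST, svc))
            print(f"{user:9} {svc:7} Access granted: {granted}")
```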

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
