On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal <[email protected]> wrote:
> On 07/09/2013 06:01 PM, KodaK wrote:
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 07/09/2013 03:57 PM, KodaK wrote:
>>
>> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <[email protected]> wrote:
>>
>>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>>
>>> I think you need to use pam_access to limit users in AIX.
>>>
>> I have some work-arounds now, but I'd like to find a way to automate
>> them. What I need is a way to ask IPA "who is allowed to access this
>> particular server?"
>>
>> The goal is to just get a list of allowed users, then there are various
>> mechanisms I can employ to allow access to only the listed users. I plan
>> to do this from the puppet master so I can push the configs from there.
>> I have ipa-admintools and openldap-clients installed on the puppet master.
>>
>> Right now I'm iterating through all the hbacrules and grepping for the
>> server in question, then getting the details of that rule. This is a lot
>> of requests.
>>
>> A valid RFE I would say...
>> Maybe it should be an enhancement for the hbac-test tool?
>> However getting a list of the users verbatim is probably costly too.
>> Maybe it would make sense for you to create a group of AIX users in IPA
>> and then fetch it from the puppet master, traverse its memberOf attribute
>> for the list of members?
>> It will not use HBAC but still would provide some access control
>> optimization.
>> Will that solve the problem for you?
>
> I thought about that, but there are some drawbacks. I don't have "a"
> group of AIX users that access all AIX machines. I have a bunch of
> different AIX machines with different user sets. I can create a group for
> each host called hostname_access -- but then I'm just replicating (quite
> inefficiently) information that already exists in the HBAC rules.
> I can probably create one rule per host in HBAC and query that particular
> rule for the allowed users, but this loses the benefit of being able to
> use host and user groups. This is probably where we'll end up, though,
> since it's the least-effort-to-implement (if worst to maintain) option.
>
> How does sssd determine if a user is allowed access? Another option may
> be to replicate that functionality in a program or script on the puppet
> master and have it populate some files once a day or so. Alternatively we
> could write a PAM module for AIX that replicates that functionality. Right
> now, though, I have no idea how it's done in SSSD (a pointer to where it
> is in the code would be helpful, even.)
>
> --
> The government is going to read our mail anyway, might as well make it
> tough for them. GPG Public key ID: B6A1A7C6
>
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether the user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
>
> Here is another option, I do not know if that would work for you.
> It really depends on your setup.
> You can allow SSH into AIX machines only from a corresponding gateway
> machine.
> Say you have 5 classes of AIX machines, then you will have 5 gateway
> machines.
> The access to a set of AIX machines will be restricted to SSH from a
> gateway system.
> Logging in to a gateway system would be protected with HBAC.
>
> Not the best but yet an alternative approach.
>
> If you go with the "implement yourself" approach on the puppet master you
> should take a look at the code of the library and see how it does things.
> It might be a good start.
>
> Thanks, Dmitri.

IRT the gateway machines: I can already block on a per user basis using
"AllowUsers" in sshd_config -- that's one of the workarounds I'm using now.
This works, but I want to populate that automatically via IPA and puppet.
Doing a gateway seems like a step back, plus I'm sure my users would revolt. :)
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
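A worked version of the "replicate it on the puppet master" idea discussed in this thread, added here as an example; it is not FreeIPA or SSSD code (the C library Dmitri refers to is libipa_hbac in the SSSD tree), but it evaluates rules the same way: a login is allowed if any single enabled rule matches the user, the host and the PAM service, each part matching either directly, through a group, or through a category of "all", and there are no deny rules. It then inverts that per-login decision into the question asked at the top of the thread, "who is allowed on this host?", and emits the sshd_config AllowUsers line that puppet would push. Every hostname, user, group and rule below is constructed sample data; the rule dictionary keys follow the attribute names `ipa hbacrule-find --all` prints (memberuser_user, memberhost_hostgroup, usercategory, ipaenabledflag, ...), which is an assumption about output shape, and in production the data would come from the IPA API or an LDAP search instead of being hard-coded.

```python
"""Answer "who may log in to host H via PAM service S?" from FreeIPA HBAC
rules and emit an sshd_config AllowUsers line.  Added example for this
thread, not FreeIPA/SSSD code.  All directory data is constructed."""
from typing import Dict, List, Optional, Set

ALL = "all"  # category value meaning "every user/host/service"

# Constructed membership data (assumed, not from a real IPA server).  IPA's
# memberOf plugin flattens nesting, so each map holds effective membership.
HOST_GROUPS: Dict[str, Set[str]] = {
    "aix01.example.test": {"aix-db"},
    "aix02.example.test": {"aix-app"},
    "lnx01.example.test": {"linux-app"},
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "dba": {"alice", "bob"}, "appops": {"carol"}, "admins": {"dave"},
}
SERVICE_GROUPS: Dict[str, Set[str]] = {  # HBAC service -> HBAC service groups
    "sshd": {"remote-access"}, "login": set(),
}


def _rule(cn, enabled=True, usercat=None, hostcat=None, svccat=None, users=(),
          groups=(), hosts=(), hostgroups=(), svcs=(), svcgroups=()) -> dict:
    """Build a rule dict keyed like `ipa hbacrule-find --all` output (assumed shape)."""
    return {"cn": cn, "ipaenabledflag": enabled, "usercategory": usercat,
            "hostcategory": hostcat, "servicecategory": svccat,
            "memberuser_user": list(users), "memberuser_group": list(groups),
            "memberhost_host": list(hosts), "memberhost_hostgroup": list(hostgroups),
            "memberservice_hbacsvc": list(svcs), "memberservice_hbacsvcgroup": list(svcgroups)}


# Constructed HBAC rules.  The last one mirrors IPA's default allow_all rule, disabled.
HBAC_RULES: List[dict] = [
    _rule("dba_ssh_to_db_hosts", groups=["dba"], hostgroups=["aix-db"], svcgroups=["remote-access"]),
    _rule("admins_ssh_everywhere", users=["eve"], groups=["admins"], hostcat=ALL, svcgroups=["remote-access"]),
    _rule("appops_console_aix02", groups=["appops"], hosts=["aix02.example.test"], svcs=["login"]),
    _rule("allow_all", enabled=False, usercat=ALL, hostcat=ALL, svccat=ALL),
]


def _user_groups(user: str) -> Set[str]:
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def _host_matches(rule: dict, host: str) -> bool:
    return (rule["hostcategory"] == ALL or host in rule["memberhost_host"]
            or bool(HOST_GROUPS.get(host, set()) & set(rule["memberhost_hostgroup"])))


def _service_matches(rule: dict, service: str) -> bool:
    return (rule["servicecategory"] == ALL or service in rule["memberservice_hbacsvc"]
            or bool(SERVICE_GROUPS.get(service, set()) & set(rule["memberservice_hbacsvcgroup"])))


def _user_matches(rule: dict, user: str) -> bool:
    return (rule["usercategory"] == ALL or user in rule["memberuser_user"]
            or bool(_user_groups(user) & set(rule["memberuser_group"])))


def matching_rules(host: str, service: str) -> List[dict]:
    """Enabled rules whose host and service parts cover (host, service)."""
    return [r for r in HBAC_RULES
            if r["ipaenabledflag"] and _host_matches(r, host) and _service_matches(r, service)]


def is_allowed(user: str, host: str, service: str) -> bool:
    """Per-login decision: one matching enabled rule is enough; HBAC has no deny rules."""
    return any(_user_matches(r, user) for r in matching_rules(host, service))


def allowed_users(host: str, service: str) -> Optional[Set[str]]:
    """Invert the decision: union of users over all matching rules.  Returns None
    when a matching rule has usercategory=all, i.e. everyone is allowed and no
    finite list exists (an enabled default allow_all rule is the usual cause)."""
    users: Set[str] = set()
    for r in matching_rules(host, service):
        if r["usercategory"] == ALL:
            return None
        users.update(r["memberuser_user"])
        for g in r["memberuser_group"]:
            users.update(GROUP_MEMBERS.get(g, set()))
    return users


def allow_users_line(host: str, service: str = "sshd") -> Optional[str]:
    """sshd_config fragment for puppet.  None means leave sshd unrestricted (everyone
    allowed); an empty result means no rule grants the service, so deny everyone."""
    users = allowed_users(host, service)
    if users is None:
        return None
    if not users:
        return "DenyUsers *"
    return "AllowUsers " + " ".join(sorted(users))


if __name__ == "__main__":
    for h in HOST_GROUPS:
        print(h, "->", allow_users_line(h))
    print("alice on aix02 via sshd:", is_allowed("alice", "aix02.example.test", "sshd"))
```

Two things worth keeping straight when wiring this into puppet: the "everyone" and "nobody" outcomes must stay distinct (a matching rule with usercategory=all, such as an enabled allow_all, means there is no list to write, while no matching rule at all means nothing should be let in), and an AllowUsers line only governs sshd, so the console "login" service in the example still needs pam_access or an equivalent on the AIX side, as Rob suggested. For spot-checking one user against a live server the same per-login decision is available as `ipa hbactest`.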
