On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo <natxo.ase...@gmail.com> wrote:

> On 07/08/2013 07:44 PM, KodaK wrote:
>
>> We've just discovered that AIX does not honor HBAC rules with telnet.
>>   ssh is fine.
>>
>
> no AIX experience, but I once overheard someone that did something like
> this using pam and apparently you could use the pam_permission module:
>
> http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
>
> so you could add this to /etc/pam.conf
>
> telnet auth requisite /usr/lib/security/pam_permission
> file=/etc/pam.groups.telnet found=allow
>
> and create the file /etc/pam.groups.telnet with info like this:
>
> +@mygroup1
> +@mygroup2
> -@mygroup3
>
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
>
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
>
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
>
> Totally untested :-) but maybe worth a shot.
>

Thanks.  I'm stuck though.

IBM's insistence on doing everything Not Unix in AIX is frustrating my
efforts.

1) They don't use straight up PAM. They have some older version they
include with the OS.
2) Their version has very few modules that come with it. It does, however,
have pam_permission, but does not include pam_krb5.

Here's the list:

pam_aix          pam_allowroot    pam_mkuserhome   pam_prohibit
pam_allow        pam_ckfile       pam_permission   pam_rhosts_auth

That's a far cry from the 69 or so pam modules I see on Linux boxes.

Before I can move on I have to get pam_krb5 to build for AIX and that's
proving to be very difficult.

I'm hoping the pam_hbac thing will pan out.

I'm about ready to just yank Kerberos from the AIX machines and fall back
to local authentication.
The actual AIX admins seem to have no interest in helping me, so they can
reap what they sow with their inaction and have to manage individual users
on individual boxes.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
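As an added illustration of the +@group / -@group file format from natxo's suggestion (this is not code from the thread or from IBM's pam_permission module): a small Python model that parses such a file and evaluates the telnet decision for a user and their group list. It assumes first-match-wins ordering and deny-by-default when nothing matches; the IBM documentation, not this thread, is the authority on the module's real semantics.

```python
"""Model of the +@group / -@group access file from the thread.

Assumptions (not taken from the IBM docs): the first matching line wins,
a user that matches no line is denied, and blank lines and '#' comments
are ignored.
"""
from typing import Iterable, List, Tuple


def parse_permission_file(text: str) -> List[Tuple[bool, str, str]]:
    """Return (allow, kind, name) triples; kind is 'group' for @name, else 'user'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sign, body = line[0], line[1:]
        if sign not in "+-" or not body:
            raise ValueError(f"line {lineno}: expected +name, -name, +@group or -@group")
        if body.startswith("@"):
            rules.append((sign == "+", "group", body[1:]))
        else:
            rules.append((sign == "+", "user", body))
    return rules


def decide(rules, user: str, groups: Iterable[str]) -> bool:
    """First matching rule decides; no match means deny (assumption)."""
    groups = set(groups)
    for allow, kind, name in rules:
        if (kind == "user" and name == user) or (kind == "group" and name in groups):
            return allow
    return False


# Constructed sample mirroring the /etc/pam.groups.telnet from the thread.
SAMPLE_FILE = """\
+@mygroup1
+@mygroup2
-@mygroup3
"""
RULES = parse_permission_file(SAMPLE_FILE)


def telnet_allowed(user: str, groups: Iterable[str]) -> bool:
    return decide(RULES, user, groups)


if __name__ == "__main__":
    print(telnet_allowed("alice", ["mygroup1"]))              # True
    print(telnet_allowed("bob", ["mygroup3"]))                # False
    print(telnet_allowed("carol", ["staff"]))                 # False: no match, default deny
    print(telnet_allowed("dave", ["mygroup1", "mygroup3"]))   # True: first matching line wins
```

The last case shows why line order matters for a user who is in both an allowed and a denied group; put the -@group lines first if the deny should take precedence.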
