On Mon, 30 Nov 2015, Alexander Skwar wrote:
> Hello Alexander ;)
>
> 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy <aboko...@redhat.com>:
>
>> HBAC is enforced by SSSD over PAM. All you need to ensure is that an
>> application (sshd in this case) uses PAM. Then you set up HBAC rules,
>> disable the allow_all rule, and then SSSD will verify rules on logon via
>> sshd, checking all rules for service 'sshd' and applying to this host
>> (via hostgroup or to all hosts).
>
> Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
> change the "default" behaviour? I mean, by default, everything will
> be allowed for everyone on every system.
>
> When I deactivate the allow_all - won't that mean that nothing will
> be allowed for everyone on all systems?
Yes. The HBAC system is built around a simple principle: everything is
denied unless allowed explicitly with specific rules.

We supply the 'allow_all' rule as a default, and it is your duty to create
HBAC rules which suit your deployment needs.

> Playing with the HBAC Test thingie in the web interface seems to imply
> that. And because of that, I now have 3 rules:
>
> 1) allow_all_but_ssh
> 2) ssh_prod
> 3) ssh_test
>
> 1) Who: Anyone, Accessing: Any host, Via Service: Selected every
>    service, but not sshd
> 2) Who: User groups: ops, Accessing: Host groups: prod, Via service: sshd
> 3) Who: Anyone, Accessing: Host groups: test, Via service: sshd
>
> That's somewhat fine, but I dislike the "allow_all_but_ssh" rule there.
> Reason: I manually have to select every service and remove sshd. But if
> a new service were to be added, I'd have to remember to add it there as
> well. Not cool. Even more so, because I'm not the only admin. Colleagues
> would have to know this as well. Not cool².
>
> Somehow I'm missing "deny"-rules, I think. Nice to have allow rules,
> but I'm rather looking for a way to deny something :/
>
> Don't know, but that seems to be too complicated. Or is that really the
> way to do that?
Deny rules complicate things a lot, really. You can create a service
group that includes all your services but sshd and assign that service
group to an allow rule. Maintaining a service group is less problematic
than looking into what rules deny/allow. Consider also the contextual
problem of what to do if HBAC rules become unavailable -- should the
unavailability of a deny rule be treated as allow or not? We chose to
define deny by default and add allow rules on top of it.

All this is covered in IPA documentation.

/ Alexander Bokovoy
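The following is an added example, not code from the thread or from FreeIPA/SSSD: a small offline model of how HBAC decisions fall out under the default-deny principle described above, populated with the three rules from the thread plus a disabled allow_all. The user, host and service names, the hostgroup and group memberships and the list of services are all constructed for the example. It shows why a service group excluding sshd works, what happens to a newly added service that nobody put into that group (the maintenance point raised above), and that an unavailable rule set evaluates to deny.

```python
"""Simplified offline model of FreeIPA HBAC evaluation (added example, not SSSD code).

Modelled semantics, taken from the thread: a request is allowed only if at
least one *enabled* rule matches on user, host and service; each dimension
matches either via category 'all' or via explicit group / service membership;
if no rule matches, or the rule set cannot be fetched at all, the answer is deny.
"""
from __future__ import annotations

from dataclasses import dataclass

ALL = "all"  # mirrors usercat/hostcat/servicecat=all on an IPA HBAC rule


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    usercat: str | None = None                     # ALL, or None for explicit groups
    user_groups: frozenset[str] = frozenset()
    hostcat: str | None = None
    host_groups: frozenset[str] = frozenset()
    servicecat: str | None = None
    services: frozenset[str] = frozenset()         # individual HBAC services
    service_groups: frozenset[str] = frozenset()   # HBAC service groups


@dataclass
class Directory:
    """Constructed stand-in for the directory data an SSSD client would cache."""
    user_groups: dict[str, set[str]]       # user -> groups it belongs to
    host_groups: dict[str, set[str]]       # host -> hostgroups it belongs to
    service_groups: dict[str, set[str]]    # HBAC service group -> member services
    rules: list[Rule] | None               # None = rules could not be retrieved


def rule_matches(d: Directory, r: Rule, user: str, host: str, service: str) -> bool:
    """A rule matches only if user, host AND service all match; disabled rules never do."""
    if not r.enabled:
        return False
    user_ok = r.usercat == ALL or bool(r.user_groups & d.user_groups.get(user, set()))
    host_ok = r.hostcat == ALL or bool(r.host_groups & d.host_groups.get(host, set()))
    svc_members = set(r.services)
    for g in r.service_groups:
        svc_members |= d.service_groups.get(g, set())
    svc_ok = r.servicecat == ALL or service in svc_members
    return user_ok and host_ok and svc_ok


def evaluate(d: Directory, user: str, host: str, service: str) -> tuple[bool, list[str]]:
    """Return (allowed, names of matching rules). No match, or no rules, means deny."""
    if d.rules is None:
        return False, []  # unavailable rule set is treated as deny, as in the thread
    matched = [r.name for r in d.rules if rule_matches(d, r, user, host, service)]
    return bool(matched), matched


def build_thread_directory(allow_all_enabled: bool = False) -> Directory:
    """The three rules from the thread plus allow_all, over constructed sample data."""
    services = {"sshd", "login", "sudo", "su", "crond"}  # constructed service list
    rules = [
        Rule("allow_all", enabled=allow_all_enabled, usercat=ALL, hostcat=ALL, servicecat=ALL),
        # the suggested alternative: one service group holding everything except sshd
        Rule("allow_all_but_ssh", usercat=ALL, hostcat=ALL,
             service_groups=frozenset({"all_but_sshd"})),
        Rule("ssh_prod", user_groups=frozenset({"ops"}),
             host_groups=frozenset({"prod"}), services=frozenset({"sshd"})),
        Rule("ssh_test", usercat=ALL, host_groups=frozenset({"test"}),
             services=frozenset({"sshd"})),
    ]
    return Directory(
        user_groups={"alice": {"ops"}, "bob": {"devs"}},
        host_groups={"db1.example.test": {"prod"}, "web1.example.test": {"test"},
                     "build1.example.test": {"ci"}},
        service_groups={"all_but_sshd": services - {"sshd"}},
        rules=rules,
    )


if __name__ == "__main__":
    d = build_thread_directory()
    checks = [("alice", "db1.example.test", "sshd"), ("bob", "db1.example.test", "sshd"),
              ("bob", "web1.example.test", "sshd"), ("bob", "db1.example.test", "sudo"),
              ("bob", "build1.example.test", "sshd"),
              ("alice", "db1.example.test", "ftp")]  # ftp: added later, not in the group
    for user, host, svc in checks:
        allowed, why = evaluate(d, user, host, svc)
        print(f"{user:6} {svc:5} {host:22} -> {'ALLOW' if allowed else 'DENY '} {why}")
    d.rules = None
    print("rules unavailable ->", evaluate(d, "alice", "db1.example.test", "sudo"))
```

The `ftp` check is the caveat from the thread: a service added to IPA but not to the `all_but_sshd` group is denied everywhere until someone adds it, which is exactly why the service group, not each rule, is the thing to maintain. On a real deployment the same objects are created with `ipa hbacsvcgroup-add`, `ipa hbacsvcgroup-add-member`, `ipa hbacrule-add`, `ipa hbacrule-add-user`, `ipa hbacrule-add-host` and `ipa hbacrule-add-service`, and `ipa hbactest` gives the authoritative answer that this model only approximates.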

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project