Kevin Vasko wrote:
Rob, do you by chance maybe have sshd and sftp in your "Via Services"
permissions? If I have the sshd service enabled in my "Via services" then
"sftp" works for me as well, but it's still under the hood authenticating
with sshd even though I am trying to connect with the "sftp" command.
"pam_sss" i
Kevin Vasko wrote:
Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
Access granted: False

So the HBAC works from FreeIPA...however when
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
>
> I want to limit this user to only being able to sftp i
I don't think this can be done easily.
The way PAM works is that the program (sshd in this case) starts the PAM
context with a specific name. Looking at the sshd source, it seems this is
__progname for sshd, which should be the basename of the executable. There
does not seem to be a separate authentication
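To make the point of the reply above concrete, here is a small Python model of HBAC evaluation. It is an added example, not code from FreeIPA or sssd, and it is deliberately simplified: no user groups, host groups, the default allow_all rule or rule priorities, only enabled allow rules whose "Who", "Accessing" and "Via Service" sets (or "all" categories) must all match. The rule names and the `/usr/sbin/sshd` path are constructed for the example. It reproduces the two `ipa hbactest` results from the thread and then evaluates what pam_sss actually sees for a real login, which is the PAM service name sshd opens its context with (the basename of the executable, as the reply reads the sshd source), whether the client ran `ssh` or `sftp`.

```python
import os
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass
class HbacRule:
    """One HBAC rule: 'Who' (users), 'Accessing' (hosts), 'Via Service' (PAM service names)."""
    name: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    user_category_all: bool = False     # Who = "Anyone"
    host_category_all: bool = False     # Accessing = "Any host"
    service_category_all: bool = False  # Via Service = "Any service"
    enabled: bool = True


def rule_matches(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """A rule applies only when user, host AND service all match (or that category is 'all')."""
    if not rule.enabled:
        return False
    return (
        (rule.user_category_all or user in rule.users)
        and (rule.host_category_all or host in rule.hosts)
        and (rule.service_category_all or service in rule.services)
    )


def hbac_access(rules: Iterable[HbacRule], user: str, host: str,
                service: str) -> Tuple[bool, List[str]]:
    """Simplified `ipa hbactest --user U --host H --service S`: access is granted
    when at least one enabled allow rule matches. Returns (granted, matched rule names)."""
    matched = [r.name for r in rules if rule_matches(r, user, host, service)]
    return bool(matched), matched


def pam_service_name(server_executable: str) -> str:
    """sshd opens its PAM context with __progname, i.e. the basename of the
    executable (per the reply above). sftp and scp sessions are subsystems of that
    same sshd process, so they arrive under the same PAM service name; nothing on
    the server ever opens a PAM context called 'sftp'."""
    return os.path.basename(server_executable)


def effective_access(rules: Iterable[HbacRule], user: str, host: str,
                     server_executable: str = "/usr/sbin/sshd") -> Tuple[bool, List[str]]:
    """What pam_sss actually evaluates for a login, regardless of the client command used.
    The executable path is an assumed default for the example."""
    return hbac_access(rules, user, host, pam_service_name(server_executable))


# Constructed rules: the 'sftp only' rule from the thread, and a plain 'sshd' rule for comparison.
SFTP_ONLY_RULE = HbacRule("allow_testaccount_sftp", users={"testaccount"},
                          hosts={"testsystem.example.com"}, services={"sftp"})
SSHD_RULE = HbacRule("allow_testaccount_sshd", users={"testaccount"},
                     hosts={"testsystem.example.com"}, services={"sshd"})


if __name__ == "__main__":
    user, host = "testaccount", "testsystem.example.com"
    # Same two checks as in the thread: hbactest answers for whatever service name you type.
    for svc in ("sftp", "sshd"):
        granted, why = hbac_access([SFTP_ONLY_RULE], user, host, svc)
        print(f"hbactest --service {svc}: Access granted: {granted} {why}")
    # A real login (ssh or sftp client alike) is evaluated against the PAM service 'sshd',
    # so the sftp-only rule never grants anything and the sshd rule grants both kinds of session.
    print("effective, sftp-only rule:", effective_access([SFTP_ONLY_RULE], user, host))
    print("effective, sshd rule:     ", effective_access([SSHD_RULE], user, host))
```

The takeaway is that `hbactest --service sftp` only tells you what a rule would do if some program opened a PAM context named "sftp"; since sshd names its context after its own executable, a "Via Service = sftp" rule is never consulted for any SSH-carried session.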