[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Rob, do you by chance maybe have sshd and sftp in your "Via Services"
permissions? If I have the sshd service enabled in my "Via services" then
"sftp" works for me as well, but it's still under the hood authenticating
with sshd even though I am trying to connect with the "sftp" command.
"pam_sss" in the logs shows it's using sshd, even though I have
/etc/pam.d/sshd copied over to /etc/pam.d/sftp. I think this might have
something to do with "sftp" actually using "sshd" to do the auth?

May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
denied for user testuser: 6 (Permission denied)



On Tue, May 16, 2023 at 4:06 PM Rob Crittenden wrote:

> Kevin Vasko wrote:
> > Thanks Rob.
> >
> > ipa hbactest --user testaccount --host testsystem.example.com
> > --service sftp
> > 
> > Access granted: True
> >
> > ipa hbactest --user testaccount --host testsystem.example.com
> > --service sshd
> > 
> > Access granted: False
> >
> > So the HBAC works from FreeIPA...however when I actually put rubber to
> > the road
> >
> > "sftp testacco...@testsystem.example.com"
> > Password:
> > Connection closed by UNKNOWN port 65535
> > Connection closed.
> >
> > On the server it is denying it because it seems to be using sshd like
> > Ahti Seier mentioned.
>
> You'd have to enable debugging in SSSD to see what is happening. I did
> the same and copied the pam sshd to sftp and it just worked for me,
> assuming I didn't screw something up.
>
> rob
>
> >
> >
> >
> > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden wrote:
> >
> > Kevin Vasko via FreeIPA-users wrote:
> > > Try to make this simple.
> > >
> > > Have a HBAC, have the "Who" set to a user, have the "Accessing"
> > set to a
> > > server.
> > >
> > > Have the "Via Service" set to "sshd". The user can ssh into the
> server
> > > no issue.
> > >
> > > I want to limit this user to only being able to sftp into this
> server
> > > (no direct ssh).
> > >
> > > If I swap the "Via Service" from the sshd service to sftp that
> user is
> > > now denied. They cannot access the server via sftp or ssh. I would
> > > expect it to deny ssh access but allow sftp.
> > >
> > > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it
> mentioned
> > > here
> > >
> >
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > > but that didn't seem to work.
> > >
> > > Can you point me to the instructions on how to make the HBAC work
> > with a
> > > particular service (e.g. sftp)?
> >
> > I just tested this and it works fine for me. I had to create an
> > allow_sshd HBAC rule which granted sshd access after I disabled the
> > allow_all rule.
> >
> > You can test your rules with:
> > ipa hbactest --user admin --host replica.example.test --service sshd
> >
> > and
> >
> > ipa hbactest --user admin --host replica.example.test --service sftp
> >
> > And replace user with whatever user can only access via sftp. It
> should
> > fail for sshd.
> >
> > It would help to see the output of these hbactest runs.
> >
> > rob
> >
>
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp

Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd

Access granted: False

So the HBAC works from FreeIPA...however when I actually put rubber to the
road

"sftp testacco...@testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.

On the server it is denying it because it seems to be using sshd like Ahti
Seier mentioned.



On Tue, May 16, 2023 at 12:56 PM Rob Crittenden wrote:

> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh into the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > here
> >
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work with a
> > particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>
>


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
> 
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
> 
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
> 
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
> 
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
> 
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
> 
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?

I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.

You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd

and

ipa hbactest --user admin --host replica.example.test --service sftp

And replace user with whatever user can only access via sftp. It should
fail for sshd.

It would help to see the output of these hbactest runs.

rob


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Ahti Seier via FreeIPA-users
I don't think this can be done easily.

The way pam works is the program (sshd in this case) starts the pam
context with a specific name. Looking at sshd source it seems this is
__progname for sshd which should be the basename of the executable. There
does not seem to be a separate authentication stack for the sftp part
specifically. So it does not matter if you create a pam.d/sftp
configuration as sshd is not programmed to look for it.

sshd can however be configured to limit ssh access and allow sftp based
on a user's group. So this could be achieved by having the sftp-only users
in a specific user group.

Kevin Vasko via FreeIPA-users () wrote on Tue, 16 May 2023 at 19:45:

> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server no
> issue.
>
> I want to limit this user to only being able to sftp into this server (no
> direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is now
> denied. They cannot access the server via sftp or ssh. I would expect it to
> deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
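An added example, not code from the thread: an sshd_config fragment implementing the group-based restriction Ahti describes. The HBAC rule stays on the sshd service, since that is the PAM service name sshd actually uses (the pam_sss log lines above show "sshd:auth"); the group name "sftponly" and the chroot path are assumptions.

```sshd_config
# Added example, not from the thread: sshd_config fragment implementing the
# group-based restriction Ahti describes. The FreeIPA HBAC rule keeps
# "Via Service" = sshd, because sshd opens its PAM context under its own
# program name (pam_sss logs show "sshd:auth"), so a pam.d/sftp file is
# never consulted. The group name "sftponly" and the chroot path are
# assumptions; the group can be an IPA group resolved through SSSD.

Subsystem sftp internal-sftp

# Match blocks must come after the global settings; everything below applies
# only to members of the sftponly group.
Match Group sftponly
    # Ignore any requested command or shell and run the in-process SFTP server.
    ForceCommand internal-sftp
    # Chroot the session. The directory and every parent must be owned by root
    # and not writable by group or others, or sshd refuses the login.
    ChrootDirectory /srv/sftp/%u
    # Close the side channels that would turn an SFTP-only account back into
    # a general-purpose shell or tunnel endpoint.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    PermitTTY no
```

Check the effective settings for one account with `sshd -T -C user=<name>` and run `ipa hbactest ... --service sshd` for the same user before reloading sshd. The HBAC rule then decides whether the user may reach the host at all, and sshd decides that a member of the group gets only the sftp subsystem once they are in.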


[Freeipa-users] sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Try to make this simple.

Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
server.

Have the "Via Service" set to "sshd". The user can ssh into the server no
issue.

I want to limit this user to only being able to sftp into this server (no
direct ssh).

If I swap the "Via Service" from the sshd service to sftp that user is now
denied. They cannot access the server via sftp or ssh. I would expect it to
deny ssh access but allow sftp.

I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
but that didn't seem to work.

Can you point me to the instructions on how to make the HBAC work with a
particular service (e.g. sftp)?


[Freeipa-users] New primary rid range overlaps with existing primary rid range

2023-05-16 Thread Andreas Binapfl via FreeIPA-users
Greetings, we also upgraded to RHEL9.2 and got the auth problems.

Following the advice here I wanted to use "ipa config-mod --enable-sid
--add-sids" but unfortunately I get an error in /etc/messages:
ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary
rid range overlaps with existing primary rid range.

Using ipa idrange-find

3 ranges matched

  Range name: DOMAIN.LOCAL_id_range
  First Posix ID of the range: 51280
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

  Range name: DOMAIN.LOCAL_new_range
  First Posix ID of the range: 1600
  Number of IDs in the range: 2000
  Range type: local domain range

  Range name: DOMAIN.LOCAL_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-2958400175
  Range type: Active Directory domain range

Number of entries returned 3



At first glance they seem not to overlap. Can someone help me with how I can
troubleshoot that problem further?


[Freeipa-users] Re: IDView problem

2023-05-16 Thread Ronald Wimmer via FreeIPA-users

On 15.05.23 10:34, Florence Blanc-Renaud wrote:
> Hi,
>
> On Fri, May 12, 2023 at 5:47 PM Ronald Wimmer wrote:
>
> > On 12.05.23 11:35, Florence Blanc-Renaud via FreeIPA-users wrote:
> > > Hi,
> > >
> > > can you provide more details? Did you use the "Default Trust View"
> > > idview or did you create another one? Which attributes did you override
> > > for your AD user?
> >
> > Of course I can. I should have provided more info in the first place...
> >
> > I created my own ID view called "zsh" which overrides the login shell
> > for certain users on certain hosts (currently 2 hosts, one running
> > CentOS 7.9 and the other one running OL 9.1)
>
> Are those hosts IPA servers or IPA clients?

No. Both are IPA clients.




[Freeipa-users] Re: IPA filters not working

2023-05-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Mon, May 15, 2023 at 10:34 PM Omar Pagan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> [root @ ldap01] ~
> $ ipa hbactest --user gr031529 --host deepcore-bastion.uaap.maxar.com
> --service ssh
>
The issue looks like a simple typo. Here the test is using the *ssh* service...

> 
> Access granted: True
> 
>   Matched rules: allow_all
>   Not matched rules: admins_allow_all
>   Not matched rules: allow_systemd-user
>   Not matched rules: cpaac-bastion
>   Not matched rules: darc_admins_hbac
>   Not matched rules: deepcore-bastion
>   Not matched rules: shared-services-hbac
>
> [root @ ldap01] ~
> $ ipa hbacrule-show deepcore-bastion
>   Rule name: deepcore-bastion
>   Enabled: True
>   User Groups: deepcore, amod-bastion
>   Hosts: deepcore-bastion.uaap.maxar.com
>   HBAC Services: sshd
>
... but the rule is defined for *sshd* instead of *ssh*.
HTH,
flo


> Even after adding the service to the rule, and testing against the correct
> host, it doesn't match the rule.