[Freeipa-users] Re: sftp HBAC

2023-05-17 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko wrote:
> Rob, do you by chance maybe have sshd and sftp in your "Via Services"
> permissions? If I have the sshd service enabled in my "Via services"
> then "sftp" works for me as well, but it's still under the hood
> authenticating with sshd even though I am trying to connect with the
> "sftp" command. "pam_sss" in the logs show it's using sshd, even though
> I have /etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this
> might have something to do with "sftp" is actually using "sshd" to do
> the auth?
> 
> May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.127 user=exampleserver
> May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
> denied for user testuser: 6 (Permission denied)

So yeah, I think I did my testing a bit too quickly.

I looked again and enabled debug logging in sssd and the pam service
that sftp uses is sshd. I think the suggestion to use groups for access
control looks like your best bet. You might want to suggest to the
openssh folks that a different pam service would be helpful.

rob

> 
> On Tue, May 16, 2023 at 4:06 PM Rob Crittenden wrote:
> 
> Kevin Vasko wrote:
> > Thanks Rob.
> >
> > ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> > 
> > Access granted: True
> >
> > ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> > 
> > Access granted: False
> >
> > So the HBAC works from FreeIPA...however when I actually put rubber to
> > the road
> >
> > "sftp testacco...@testsystem.example.com"
> > Password:
> > Connection closed by UNKNOWN port 65535
> > Connection closed.
> >
> > On the server it is denying it because it seems to be using sshd like
> > Ahti Seier mentioned.
> 
> You'd have to enable debugging in SSSD to see what is happening. I did
> the same and copied the pam sshd to sftp and it just worked for me,
> assuming I didn't screw something up.
> 
> rob
> 
> >
> > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <mailto:rcrit...@redhat.com> wrote:
> >
> >     Kevin Vasko via FreeIPA-users wrote:
> >     > Try to make this simple.
> >     >
> >     > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> >     > server.
> >     >
> >     > Have the "Via Service" set to "sshd". The user can ssh into the server
> >     > no issue.
> >     >
> >     > I want to limit this user to only being able to sftp into this server
> >     > (no direct ssh).
> >     >
> >     > If I swap the "Via Service" from the sshd service to sftp that user is
> >     > now denied. They cannot access the server via sftp or ssh. I would
> >     > expect it to deny ssh access but allow sftp.
> >     >
> >     > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> >     > here
> >     > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> >     > but that didn't seem to work.
> >     >
> >     > Can you point me to the instructions on how to make the HBAC work with a
> >     > particular service (e.g. sftp)?
> >
> >     I just tested this and it works fine for me. I had to create an
> >     allow_sshd HBAC rule which granted sshd access after I disabled the
> >     allow_all rule.
> >
> >     You can test your rules with:
> >     ipa hbactest --user admin --host replica.example.test --service sshd
> >
> >     and
> >
> >     ipa hbactest --user admin --host replica.example.test --service sftp
> >
> >     And replace user with whatever user can only access via sftp. It should
> >     fail for sshd.
> >
> >     It would help to see the output of these hbactest runs.
> >
> >     rob
> >
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
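Rob's conclusion above (pam_sss reports the service as sshd even for sftp logins, so keep the HBAC rule on sshd and restrict sftp-only users by group, as Ahti Seier suggests further down the thread) can be checked with a short script. This is an added example, not code from the thread, FreeIPA or OpenSSH; the group name sftponly, the chroot path and the sshd_config fragment are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. sshd opens its PAM context under its
# own program name, so pam_sss always reports "sshd" and an HBAC rule with
# Via Service "sftp" is never consulted. The sftp-only restriction therefore
# lives in sshd_config (Match Group + ForceCommand internal-sftp) while the
# HBAC rule stays on service "sshd". Group "sftponly" and the paths below
# are assumptions.

# Constructed log lines, modelled on the pam_sss lines quoted in the thread.
SAMPLE_LOG='May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=testuser
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)'

# Constructed sshd_config fragment: one sftp-only group, one ordinary group.
SAMPLE_CONFIG='Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    X11Forwarding no
Match Group admins
    PermitTTY yes'

# Which PAM service name(s) does pam_sss actually report? This is the name
# the HBAC "Via Service" has to match (expected: sshd, never sftp).
pam_service_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*pam_sss(\([^:)]*\):[^)]*).*/\1/p' | sort -u
}

# List the groups that sshd forces into internal-sftp, i.e. whose members
# can transfer files but never get a shell. Keywords are matched
# case-sensitively for brevity; sshd itself is case-insensitive.
sftp_only_groups() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Match[[:space:]]+Group[[:space:]]/ { grp = $3; next }
        /^[[:space:]]*Match[[:space:]]/                   { grp = "";  next }
        grp != "" && /^[[:space:]]*ForceCommand[[:space:]]/ && $2 == "internal-sftp" { print grp }
    '
}

# Exit 0 if group $1 is sftp-only in config text $2, 1 otherwise.
is_sftp_only() {
    sftp_only_groups "$2" | grep -qx -- "$1"
}

# Stand-alone run. On a real host feed it "journalctl -u sshd" output and
# "sshd -T -C user=<name>" (the effective config after Match blocks).
echo "PAM service seen by pam_sss: $(pam_service_from_log "$SAMPLE_LOG")"
echo "sftp-only groups: $(sftp_only_groups "$SAMPLE_CONFIG" | tr '\n' ' ')"
```

With the HBAC rule granting sshd to the sftponly group, `ipa hbactest --service sshd` should report access granted for its members and sshd itself, not HBAC, denies them a shell.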


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Rob, do you by chance maybe have sshd and sftp in your "Via Services"
permissions? If I have the sshd service enabled in my "Via services" then
"sftp" works for me as well, but it's still under the hood authenticating
with sshd even though I am trying to connect with the "sftp" command.
"pam_sss" in the logs show it's using sshd, even though I have
/etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this might have
something to do with "sftp" is actually using "sshd" to do the auth?

May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
denied for user testuser: 6 (Permission denied)



On Tue, May 16, 2023 at 4:06 PM Rob Crittenden wrote:

> Kevin Vasko wrote:
> > Thanks Rob.
> >
> > ipa hbactest --user testaccount --host testsystem.example.com
> > --service sftp
> > 
> > Access granted: True
> >
> > ipa hbactest --user testaccount --host testsystem.example.com
> > --service sshd
> > 
> > Access granted: False
> >
> > So the HBAC works from FreeIPA...however when I actually put rubber to
> > the road
> >
> > "sftp testacco...@testsystem.example.com"
> > Password:
> > Connection closed by UNKNOWN port 65535
> > Connection closed.
> >
> > On the server it is denying it because it seems to be using sshd like
> > Ahti Seier mentioned.
>
> You'd have to enable debugging in SSSD to see what is happening. I did
> the same and copied the pam sshd to sftp and it just worked for me,
> assuming I didn't screw something up.
>
> rob
>
> >
> >
> >
> > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden wrote:
> >
> > Kevin Vasko via FreeIPA-users wrote:
> > > Try to make this simple.
> > >
> > > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> > > server.
> > >
> > > Have the "Via Service" set to "sshd". The user can ssh into the server
> > > no issue.
> > >
> > > I want to limit this user to only being able to sftp into this server
> > > (no direct ssh).
> > >
> > > If I swap the "Via Service" from the sshd service to sftp that user is
> > > now denied. They cannot access the server via sftp or ssh. I would
> > > expect it to deny ssh access but allow sftp.
> > >
> > > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > > here
> > > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > > but that didn't seem to work.
> > >
> > > Can you point me to the instructions on how to make the HBAC work with a
> > > particular service (e.g. sftp)?
> >
> > I just tested this and it works fine for me. I had to create an
> > allow_sshd HBAC rule which granted sshd access after I disabled the
> > allow_all rule.
> >
> > You can test your rules with:
> > ipa hbactest --user admin --host replica.example.test --service sshd
> >
> > and
> >
> > ipa hbactest --user admin --host replica.example.test --service sftp
> >
> > And replace user with whatever user can only access via sftp. It should
> > fail for sshd.
> >
> > It would help to see the output of these hbactest runs.
> >
> > rob
> >
>
>


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Kevin Vasko via FreeIPA-users
Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp

Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd

Access granted: False

So the HBAC works from FreeIPA...however when I actually put rubber to the
road

"sftp testacco...@testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.

On the server it is denying it because it seems to be using sshd like Ahti
Seier mentioned.



On Tue, May 16, 2023 at 12:56 PM Rob Crittenden wrote:

> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh into the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > here
> >
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work with a
> > particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>
>


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Rob Crittenden via FreeIPA-users
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
> 
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
> 
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
> 
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
> 
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
> 
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
> 
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?

I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.

You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd

and

ipa hbactest --user admin --host replica.example.test --service sftp

And replace user with whatever user can only access via sftp. It should
fail for sshd.

It would help to see the output of these hbactest runs.

rob


[Freeipa-users] Re: sftp HBAC

2023-05-16 Thread Ahti Seier via FreeIPA-users
I don't think this can be done easily.

  The way pam works is the program (sshd in this case) starts the pam
context with a specific name. Looking at sshd source it seems this is
__progname for sshd which should be the basename of the executable. There
does not seem to be a separate authentication stack for sftp part
specifically. So it does not matter if you create a pam.d/sftp
configuration as sshd is not programmed to look for it.

  sshd can however be configured to limit ssh access and allow sftp based
on a user's group. So this could be achieved by having the sftp-only users
in a specific user group.

Kevin Vasko via FreeIPA-users wrote on Tue, 16 May 2023 at 19:45:

> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server no
> issue.
>
> I want to limit this user to only being able to sftp into this server (no
> direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is now
> denied. They cannot access the server via sftp or ssh. I would expect it to
> deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
>