[Freeipa-users] Re: restricting shells

2018-01-26 Thread Charles Hedrick via FreeIPA-users
to do that you’d need some kind of mapping facility. Without modifying sssd I’d 
suggest symbolic links.

I thought /bin/shell worked everywhere. It’s /usr/bin that may or may not.

On Jan 26, 2018, at 1:16 PM, Mike Kelly via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:


Hrm, is there any provision for different paths for the same shell on different 
platforms? (E.g. bash on Linux vs FreeBSD)

On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
Turns out there is a way. It seems to be a recent addition, as it wasn’t in the 
documentation I looked at originally.

[nss]
allowed_shells = *
shell_fallback = /bin/bash

The semantics of allowed_shells is kind of interesting.
* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the 
fallback
* if allowed_shells isn’t set, any shell is used, even if it doesn’t exist

So setting allowed_shells to * does what you’d want: any shell in /etc/shells 
is OK. Otherwise you get the fallback.

* as a possible value is relatively new.

This is really what I’d expect default behavior to be if allowed_shells isn’t 
set.


> On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Rob Crittenden via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> writes:
>
>> Charles Hedrick via FreeIPA-users wrote:
>>
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
>>> can be hard to recover from, since you can’t log in.
>>>
>>> Is there a way to restrict what they can use? Traditionally only
>>> shells in /etc/shells were valid.
>>
>> There is no way currently.
>>
>> Note that part of the problem is which /etc/shells to use? Remember
>> that IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because
>> it is nearly universal.
>
> At the very least, it would be good to restrict it to /etc/shells on the
> current machine.  Doesn't cover everything, but it's an improvement.
>
> Thanks,
> --Robbie
> ___
> FreeIPA-users mailing list -- 
> freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to 
> freeipa-users-le...@lists.fedorahosted.org



--

Mike Kelly




[Freeipa-users] Re: restricting shells

2018-01-26 Thread Mike Kelly via FreeIPA-users
Hrm, is there any provision for different paths for the same shell on
different platforms? (E.g. bash on Linux vs FreeBSD)

On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Turns out there is a way. It seems to be a recent addition, as it wasn’t
> in the documentation I looked at originally.
>
> [nss]
> allowed_shells = *
> shell_fallback = /bin/bash
>
> The semantics of allowed_shells is kind of interesting.
> * any shell in /etc/shells is OK
> * any shell in allowed_shells but not in /etc/shells gets replaced by the
> fallback
> * if allowed_shells isn’t set, any shell is used, even if it doesn’t exist
>
> So setting allowed_shells to * does what you’d want: any shell in
> /etc/shells is OK. Otherwise you get the fallback.
>
> * as a possible value is relatively new.
>
> This is really what I’d expect default behavior to be if allowed_shells
> isn’t set.
>
>
> > On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
> >
> > Rob Crittenden via FreeIPA-users 
> > writes:
> >
> >> Charles Hedrick via FreeIPA-users wrote:
> >>
> >>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
> >>> can be hard to recover from, since you can’t log in.
> >>>
> >>> Is there a way to restrict what they can use? Traditionally only
> >>> shells in /etc/shells were valid.
> >>
> >> There is no way currently.
> >>
> >> Note that part of the problem is which /etc/shells to use? Remember
> >> that IPA is centralized and users may be using a number of different
> >> operating systems. This is why the default shell is /bin/sh, because
> >> it is nearly universal.
> >
> > At the very least, it would be good to restrict it to /etc/shells on the
> > current machine.  Doesn't cover everything, but it's an improvement.
> >
> > Thanks,
> > --Robbie
>


-- 

Mike Kelly


[Freeipa-users] Re: restricting shells

2018-01-26 Thread Charles Hedrick via FreeIPA-users
Turns out there is a way. It seems to be a recent addition, as it wasn’t in the 
documentation I looked at originally.

[nss]
allowed_shells = *
shell_fallback = /bin/bash

The semantics of allowed_shells is kind of interesting. 
* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the 
fallback
* if allowed_shells isn’t set, any shell is used, even if it doesn’t exist

So setting allowed_shells to * does what you’d want: any shell in /etc/shells 
is OK. Otherwise you get the fallback.

* as a possible value is relatively new.

This is really what I’d expect default behavior to be if allowed_shells isn’t 
set.


> On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users 
>  wrote:
> 
> Rob Crittenden via FreeIPA-users 
> writes:
> 
>> Charles Hedrick via FreeIPA-users wrote:
>> 
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
>>> can be hard to recover from, since you can’t log in.
>>> 
>>> Is there a way to restrict what they can use? Traditionally only
>>> shells in /etc/shells were valid.
>> 
>> There is no way currently.
>> 
>> Note that part of the problem is which /etc/shells to use? Remember
>> that IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because
>> it is nearly universal.
> 
> At the very least, it would be good to restrict it to /etc/shells on the
> current machine.  Doesn't cover everything, but it's an improvement.
> 
> Thanks,
> --Robbie



[Freeipa-users] Re: restricting shells

2018-01-26 Thread Robbie Harwood via FreeIPA-users
Rob Crittenden via FreeIPA-users 
writes:

> Charles Hedrick via FreeIPA-users wrote:
>
>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
>> can be hard to recover from, since you can’t log in.
>> 
>> Is there a way to restrict what they can use? Traditionally only
>> shells in /etc/shells were valid.
>
> There is no way currently.
>
> Note that part of the problem is which /etc/shells to use? Remember
> that IPA is centralized and users may be using a number of different
> operating systems. This is why the default shell is /bin/sh, because
> it is nearly universal.

At the very least, it would be good to restrict it to /etc/shells on the
current machine.  Doesn't cover everything, but it's an improvement.

Thanks,
--Robbie




[Freeipa-users] Re: restricting shells

2018-01-25 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote:
> given the way sssd is designed, if we could restrict in IPA to a list, sssd 
> could map anything that’s not on the local system to a fallback. But sssd 
> isn’t set up so that random typos can get mapped to a fallback.

It is probably best to prevent bad data from getting in the entry in the
first place. A fallback would be nice though.

rob

> 
>> On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users 
>>  wrote:
>>
>> ugh. valid_shells is carefully designed so it can’t be used for this. But 
>> doing it in sshd is probably the right answer.
>>
>>> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users 
>>>  wrote:
>>>
>>> looks like the real solution is valid_shells in sssd.conf. That will 
>>> prevent people from damaging themselves.
>>>
>>>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden  wrote:
>>>> 
>>>> Charles Hedrick via FreeIPA-users wrote:
>>>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can 
>>>>> be hard to recover from, since you can’t log in.
>>>>>
>>>>> Is there a way to restrict what they can use? Traditionally only shells 
>>>>> in /etc/shells were valid.
>>>> 
>>>> There is no way currently.
>>>> 
>>>> Note that part of the problem is which /etc/shells to use? Remember that
>>>> IPA is centralized and users may be using a number of different
>>>> operating systems. This is why the default shell is /bin/sh, because it
>>>> is nearly universal.
>>>> 
>>>> It probably isn't a ton of work to add a new config option to provide a
>>>> set of valid shells, so feel free to file an RFE; I just don't know that
>>>> this sort of thing would be prioritized.
>>>> 
>>>> We could probably help if you want to contribute something.
>>>> 
>>>> rob
>>>
>>
> 


[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
given the way sssd is designed, if we could restrict in IPA to a list, sssd 
could map anything that’s not on the local system to a fallback. But sssd isn’t 
set up so that random typos can get mapped to a fallback.

> On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users 
>  wrote:
> 
> ugh. valid_shells is carefully designed so it can’t be used for this. But 
> doing it in sshd is probably the right answer.
> 
>> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users 
>>  wrote:
>> 
>> looks like the real solution is valid_shells in sssd.conf. That will prevent 
>> people from damaging themselves.
>> 
>>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden  wrote:
>>> 
>>> Charles Hedrick via FreeIPA-users wrote:
>>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can 
>>>> be hard to recover from, since you can’t log in.
>>>> 
>>>> Is there a way to restrict what they can use? Traditionally only shells in 
>>>> /etc/shells were valid.
>>> 
>>> There is no way currently.
>>> 
>>> Note that part of the problem is which /etc/shells to use? Remember that
>>> IPA is centralized and users may be using a number of different
>>> operating systems. This is why the default shell is /bin/sh, because it
>>> is nearly universal.
>>> 
>>> It probably isn't a ton of work to add a new config option to provide a
>>> set of valid shells, so feel free to file an RFE; I just don't know that
>>> this sort of thing would be prioritized.
>>> 
>>> We could probably help if you want to contribute something.
>>> 
>>> rob
>> 
> 



[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
ugh. valid_shells is carefully designed so it can’t be used for this. But doing 
it in sshd is probably the right answer.

> On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users 
>  wrote:
> 
> looks like the real solution is valid_shells in sssd.conf. That will prevent 
> people from damaging themselves.
> 
>> On Jan 25, 2018, at 3:12 PM, Rob Crittenden  wrote:
>> 
>> Charles Hedrick via FreeIPA-users wrote:
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can be 
>>> hard to recover from, since you can’t log in.
>>> 
>>> Is there a way to restrict what they can use? Traditionally only shells in 
>>> /etc/shells were valid.
>> 
>> There is no way currently.
>> 
>> Note that part of the problem is which /etc/shells to use? Remember that
>> IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because it
>> is nearly universal.
>> 
>> It probably isn't a ton of work to add a new config option to provide a
>> set of valid shells, so feel free to file an RFE; I just don't know that
>> this sort of thing would be prioritized.
>> 
>> We could probably help if you want to contribute something.
>> 
>> rob
> 



[Freeipa-users] Re: restricting shells

2018-01-25 Thread Charles Hedrick via FreeIPA-users
looks like the real solution is valid_shells in sssd.conf. That will prevent 
people from damaging themselves.

> On Jan 25, 2018, at 3:12 PM, Rob Crittenden  wrote:
> 
> Charles Hedrick via FreeIPA-users wrote:
>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can be 
>> hard to recover from, since you can’t log in.
>> 
>> Is there a way to restrict what they can use? Traditionally only shells in 
>> /etc/shells were valid.
> 
> There is no way currently.
> 
> Note that part of the problem is which /etc/shells to use? Remember that
> IPA is centralized and users may be using a number of different
> operating systems. This is why the default shell is /bin/sh, because it
> is nearly universal.
> 
> It probably isn't a ton of work to add a new config option to provide a
> set of valid shells, so feel free to file an RFE; I just don't know that
> this sort of thing would be prioritized.
> 
> We could probably help if you want to contribute something.
> 
> rob



[Freeipa-users] Re: restricting shells

2018-01-25 Thread Rob Crittenden via FreeIPA-users
Charles Hedrick via FreeIPA-users wrote:
> One of my staff made a typo in his shell in “ipa user-mod --shell”. It can be 
> hard to recover from, since you can’t log in.
> 
> Is there a way to restrict what they can use? Traditionally only shells in 
> /etc/shells were valid.

There is no way currently.

Note that part of the problem is which /etc/shells to use? Remember that
IPA is centralized and users may be using a number of different
operating systems. This is why the default shell is /bin/sh, because it
is nearly universal.

It probably isn't a ton of work to add a new config option to provide a
set of valid shells, so feel free to file an RFE; I just don't know that
this sort of thing would be prioritized.

We could probably help if you want to contribute something.

rob