Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread natxo asenjo

On 07/11/2013 11:39 PM, KodaK wrote:


This only works for sshd, obviously.  We do currently have ftp and
telnet open (yeah, I know) but I'm trying
to get those turned off.  In the meantime I can use tcp-wrappers to only
allow those machines that need
to connect.  This is sub-optimal, since unauthorized users may be able
to telnet in from those machines.


tcp wrappers support netgroups (iirc), you could use that too (you
cannot mix hosts and users though, so you should create netgroups of
users).

--
groet,
natxo


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal d...@redhat.com wrote:


 I am not good with ldap syntax but SQL natural for me so conceptually the
 search would look like this:


I don't think it's humanly possible to be good at ldap syntax.


 I hope it conveys what I have in mind. The result of such search would be
 a list of group members that have access to the host.
 This is pretty close to what you have done except it covers nested groups
 too and uses HBAC rules.


I haven't had any luck with nested groups at all anyway, so I avoid using
them.  I may give this idea some more thought.  Thanks.


 Private. I made a typo. It should have been V :-)


Ah, ok. :)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo natxo.ase...@gmail.com wrote:



 tcp wrappers support netgroups (iirc), you could use that too (you
 cannot mix hosts and users though, so you should create netgroups of
 users).


I haven't used tcp wrappers in years, and I never knew it supported
netgroups.  That's great to know, thanks!

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread Dmitri Pal
On 07/11/2013 05:39 PM, KodaK wrote:
 Just thought I'd pass along my work-around.

 I create a group for each host called hostname-access and populate
 each group with the users allowed to connect.

 Then, using puppet, I push out an sshd_config that has AllowGroups:
 admins unixadmins hostname-access.

 The erb is:  AllowGroups: admins unixadmins <%= host %>-access

 Then restart sshd.

 This is a lot of up-front work, but seems to be the easiest to
 maintain in the long run (at least until we can get
 AIX to honor HBAC rules.)  Unfortunately, I can't have groups of
 groups -- that would make initial setup even
 easier -- but I'm used to not having everything, as you can see. :)

 This only works for sshd, obviously.  We do currently have ftp and
 telnet open (yeah, I know) but I'm trying
 to get those turned off.  In the meantime I can use tcp-wrappers to
 only allow those machines that need
 to connect.  This is sub-optimal, since unauthorized users may be able
 to telnet in from those machines.

Well it is something like this that I had in mind. But you have beaten me...
Great to see you found an acceptable solution.


 --Jason

 -- 
 The government is going to read our mail anyway, might as well make it
 tough for them.  GPG Public key ID:  B6A1A7C6




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden rcrit...@redhat.com wrote:


 HBAC is enforced by sssd, so no sssd, no HBAC.

 I think you need to use pam_access to limit users in AIX.


I have some work-arounds now, but I'd like to find a way to automate them.
What I need is a way to ask IPA who is allowed to access this particular
server?

The goal is to just get a list of allowed users, then there are various
mechanisms I can employ to allow access to only the listed users.  I plan
to do this from the puppet master so I can push the configs from there.  I
have ipa-admintools and openldap-clients installed on the puppet master.

Right now I'm iterating through all the hbacrules and grepping for the
server in question, then getting the details of that rule.  This is a lot
of requests.


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
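The per-host lookup asked for in the message above, as an added example that is not from the thread or from FreeIPA itself: it parses the text that `ipa hbacrule-find --all` prints once (a constructed sample is embedded; the rule names and hosts are made up) and then answers "who may reach this host over this service" in a single pass, honouring the Enabled flag and the user/host/service categories. Host-group membership is passed in by the caller and user groups are not expanded, so nested groups and HBAC service groups still need further lookups.

```python
import re

# Constructed sample of `ipa hbacrule-find --all` output, not real data.
SAMPLE = """\
  Rule name: allow_all
  User category: all
  Host category: all
  Enabled: FALSE
  Rule name: sla765q1-ssh
  Enabled: TRUE
  Users: testuser
  User Groups: unixadmins
  Hosts: sla765q1.example.com
  Services: sshd
  Rule name: dev-boxes
  Enabled: TRUE
  User Groups: developers
  Host Groups: devservers
  Service category: all
"""

def parse_rules(text):
    """Split the CLI listing into one dict per rule; values are lists."""
    rules, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s+([A-Za-z ]+): (.+)$", line)
        if not m:
            continue
        key, vals = m.group(1), [v.strip() for v in m.group(2).split(",")]
        if key == "Rule name":
            cur = {"Rule name": vals[0]}
            rules.append(cur)
        elif cur is not None:
            cur[key] = vals
    return rules

def who_can_access(text, fqdn, service=None, hostgroups=()):
    """Users/user groups granted by enabled rules matching fqdn (and service)."""
    users, groups = set(), set()
    for r in parse_rules(text):
        host_ok = (r.get("Host category") == ["all"] or fqdn in r.get("Hosts", [])
                   or any(g in r.get("Host Groups", []) for g in hostgroups))
        svc_ok = (service is None or r.get("Service category") == ["all"]
                  or service in r.get("Services", []))
        if r.get("Enabled") != ["TRUE"] or not host_ok or not svc_ok:
            continue  # disabled rules grant nothing, even a catch-all one
        if r.get("User category") == ["all"]:
            users.add("*")  # every IPA user
        users.update(r.get("Users", []))
        groups.update(r.get("User Groups", []))
    return sorted(users), sorted(groups)
```

On the sample, the host is reachable by `testuser` and `unixadmins` over sshd but nobody is granted telnet, which is exactly the decision the AIX telnet login in this thread ignores.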

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-08 Thread Rob Crittenden

KodaK wrote:

We've just discovered that AIX does not honor HBAC rules with telnet.
  ssh is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
-
Access granted: False
-

There was no telnet service by default, I created one (but I'm not sure
I did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
-
Access granted: False
-

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
  telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user
and then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or
if AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political
pressure to keep it open.

Anyone have any ideas for things I could try?


HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob
