Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems
On Mon, 30 Nov 2015, Alexander Skwar wrote:
> Hello Alexander ;)
>
> 2015-11-30 10:38 GMT+01:00 Alexander Bokovoy :
>> HBAC is enforced by SSSD over PAM. All you need to ensure is that an
>> application (sshd in this case) uses PAM. Then you set up HBAC rules,
>> disable allow_all rule, and then SSSD will verify rules on logon via
>> sshd, checking all rules for service 'sshd' and applying to this host
>> (via hostgroup or to all hosts).
>
> Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
> change the "default" behaviour? I mean, by default, everything will
> be allowed for everyone on every system. When I deactivate the allow_all
> - won't that mean that nothing will be allowed for everyone on all systems?
Yes. HBAC system is built around a simple principle: everything is denied
unless allowed explicitly with specific rules. We supply 'allow_all' rule
for defaults and it is your duty to create HBAC rules which suit your
deployment needs.

> Playing with the HBAC Test thingie in the web interface seems to imply that.
> And because of that, I now have 3 rules:
>
> 1) allow_all_but_ssh
> 2) ssh_prod
> 3) ssh_test
>
> 1) Who: Anyone, Accessing: Any host, Via Service: Selected every service, but not sshd
> 2) Who: User groups: ops, Accessing: Host groups: prod, Via service: sshd
> 3) Who: Anyone, Accessing: Host groups: test, Via service: sshd
>
> That's somewhat fine, but I dislike the "allow_all_but_ssh" rule there.
> Reason: I manually have to select every service and remove sshd. But if
> a new service were to be added, I'd have to remember to add it there as
> well. Not cool. Even more so, because I'm not the only admin. Colleagues
> would have to know this as well. Not cool².
>
> Somehow I'm missing "deny"-rules, I think. Nice to have allow rules, but
> I'm rather looking for a way to deny something :/ Don't know, but that
> seems to be too complicated. Or is that really the way to do that?
Deny rules complicate things a lot, really.

You can create a service group that includes all your services but sshd
and assign that service group to an allow rule. Maintaining a service
group is less problematic than looking into what rules deny/allow.

Consider also the contextual problem of what to do if HBAC rules become
unavailable -- should the unavailability of a deny rule be treated as
allow or not? We chose to define deny by default and add allow rules on
top of it.

All this is covered in IPA documentation.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
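The rule set discussed in this exchange (deny by default, `allow_all` disabled, `ssh_prod` for the `ops` group, `ssh_test` for anyone, and a service group standing in for the hand-maintained `allow_all_but_ssh` rule) can be checked offline with a small model of how HBAC evaluation works. The following is an added illustration, not FreeIPA or SSSD code; the users, hosts, groups, service names and the `all_but_sshd` service group are constructed sample data. It also shows the maintenance point raised in the thread: a service that is added to the directory but not to the service group stays denied until someone updates the group.

```python
"""Toy model of FreeIPA HBAC evaluation: deny by default, allow rules only.

Added illustration, not FreeIPA/SSSD code. All directory contents below
(users, groups, hosts, host groups, services, service groups) are
constructed sample data mirroring the thread's setup.
"""
from dataclasses import dataclass, field

# --- constructed directory data (assumptions for the example) -------------
USER_GROUPS = {"alice": {"ops"}, "bob": {"customers"}}
HOST_GROUPS = {"web1.example.test": {"prod"}, "lab1.example.test": {"test"}}
# A service group is the alternative to hand-picking every service but sshd.
SERVICE_GROUPS = {"all_but_sshd": {"login", "su", "sudo", "crond"}}


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat_all: bool = False       # "Who: Anyone"
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    hostcat_all: bool = False       # "Accessing: Any host"
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    servicecat_all: bool = False    # "Via service: Any service"
    services: set = field(default_factory=set)
    servicegroups: set = field(default_factory=set)

    def matches(self, user, host, service):
        """True when this enabled rule's who/where/what all cover the request."""
        if not self.enabled:
            return False
        user_ok = (self.usercat_all or user in self.users
                   or bool(self.groups & USER_GROUPS.get(user, set())))
        host_ok = (self.hostcat_all or host in self.hosts
                   or bool(self.hostgroups & HOST_GROUPS.get(host, set())))
        svc_ok = (self.servicecat_all or service in self.services
                  or any(service in SERVICE_GROUPS.get(sg, set())
                         for sg in self.servicegroups))
        return user_ok and host_ok and svc_ok


def hbac_allowed(rules, user, host, service):
    """Deny unless some enabled allow rule matches; there are no deny rules."""
    return any(r.matches(user, host, service) for r in rules)


# The stock default rule that ships enabled.
ALLOW_ALL = HbacRule("allow_all", usercat_all=True, hostcat_all=True, servicecat_all=True)

# The three rules from the thread, with allow_all disabled and
# allow_all_but_ssh expressed through the service group.
THREAD_RULES = [
    HbacRule("allow_all", enabled=False, usercat_all=True, hostcat_all=True, servicecat_all=True),
    HbacRule("allow_all_but_ssh", usercat_all=True, hostcat_all=True, servicegroups={"all_but_sshd"}),
    HbacRule("ssh_prod", groups={"ops"}, hostgroups={"prod"}, services={"sshd"}),
    HbacRule("ssh_test", usercat_all=True, hostgroups={"test"}, services={"sshd"}),
]


def matrix(rules, services=("sshd", "sudo", "newsvc")):
    """Return {(user, host, service): allowed} for every sample combination.

    "newsvc" stands for a service added later and not yet put into the
    service group, so it shows up as denied under THREAD_RULES.
    """
    return {(u, h, s): hbac_allowed(rules, u, h, s)
            for u in USER_GROUPS for h in HOST_GROUPS for s in services}


if __name__ == "__main__":
    for (u, h, s), ok in sorted(matrix(THREAD_RULES).items()):
        print(f"{u:6} {h:18} {s:7} {'ALLOW' if ok else 'deny'}")
```

Running the block prints the decision matrix for the thread's rules; swapping `THREAD_RULES` for `[ALLOW_ALL]` shows why disabling `allow_all` without replacement rules stops everything, and the `newsvc` column shows what has to be maintained when the service-group approach is used.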
Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems
On Mon, Nov 30, 2015 at 11:18:15AM +0100, Alexander Skwar wrote:
>
> Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
> change the "default" behaviour? I mean, by default, everything will
> be allowed for everyone on every system.

No.

> When I deactivate the allow_all - won't that mean, that nothing will
> be allowed for everyone on all systems?

That's right, nothing will be allowed. Disabling allow_all has the
potential of making everything stop working. You need to plan carefully
and replace the allow_all with tailored rules. For example, see

http://www.freeipa.org/page/Howto/HBAC_and_allow_all

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems
Hello Alexander ;)

2015-11-30 10:38 GMT+01:00 Alexander Bokovoy :
> HBAC is enforced by SSSD over PAM. All you need to ensure is that an
> application (sshd in this case) uses PAM. Then you set up HBAC rules,
> disable allow_all rule, and then SSSD will verify rules on logon via
> sshd, checking all rules for service 'sshd' and applying to this host
> (via hostgroup or to all hosts).

Hm, okay. But when I deactivate the "allow_all" rule, doesn't that also
change the "default" behaviour? I mean, by default, everything will be
allowed for everyone on every system. When I deactivate the allow_all -
won't that mean that nothing will be allowed for everyone on all systems?

Playing with the HBAC Test thingie in the web interface seems to imply
that. And because of that, I now have 3 rules:

1) allow_all_but_ssh
2) ssh_prod
3) ssh_test

1) Who: Anyone, Accessing: Any host, Via Service: Selected every service, but not sshd
2) Who: User groups: ops, Accessing: Host groups: prod, Via service: sshd
3) Who: Anyone, Accessing: Host groups: test, Via service: sshd

That's somewhat fine, but I dislike the "allow_all_but_ssh" rule there.
Reason: I manually have to select every service and remove sshd. But if
a new service were to be added, I'd have to remember to add it there as
well. Not cool. Even more so, because I'm not the only admin. Colleagues
would have to know this as well. Not cool².

Somehow I'm missing "deny"-rules, I think. Nice to have allow rules, but
I'm rather looking for a way to deny something :/ Don't know, but that
seems to be too complicated. Or is that really the way to do that?

Thanks a lot,
Alexander

--
=> Google+ => http://plus.skwar.me <==
=> Chat (Jabber/Google Talk) => a.sk...@gmail.com <==
Re: [Freeipa-users] HBAC - Limit SSH access to "test" systems
On Mon, 30 Nov 2015, Alexander Skwar wrote:
> Hello
>
> I'm trying to set up our FreeIPA 4.1.0 (RHEL 7) servers with Ubuntu 14.04
> FreeIPA 3.3.4 clients so that users in a user group called "customers"
> can only access hosts which are in a host group called "test". Users
> from the user group "ops" should be able to access all systems (i.e.
> "prod" systems and also those "test" systems).
>
> But I cannot get my head around how to create proper HBAC rules/setup…
> Could somebody maybe lend me a helping hand?
>
> At the moment, I have set it up so that I modified the "prod" systems'
> sshd_config and added "DenyGroups customer" there. On the test systems,
> I don't have that line. That works, but it's not using IPA (in a sense…
> I do have to modify the hosts configuration on the system, which I
> dislike. Granted, with Chef, it's not much, but still *G*).
HBAC is enforced by SSSD over PAM. All you need to ensure is that an
application (sshd in this case) uses PAM. Then you set up HBAC rules,
disable allow_all rule, and then SSSD will verify rules on logon via
sshd, checking all rules for service 'sshd' and applying to this host
(via hostgroup or to all hosts).

--
/ Alexander Bokovoy