Kevin Vasko wrote:
> Rob, do you by chance maybe have sshd and sftp in your "Via Services" permissions? If I have the sshd service enabled in my "Via services" then "sftp" works for me as well, but it's still under the hood authenticating with sshd even though I am trying to connect with the "sftp" command. "pam_sss" in the logs show it's using sshd, even though I have /etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this might have something to do with "sftp" is actually using "sshd" to do the auth?
>
> May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=exampleserver
> May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
So yeah, I think I did my testing a bit too quickly.
I looked again and enabled debug logging in sssd and the pam service that sftp uses is sshd. I think the suggestion to use groups for access control looks like your best bet. You might want to suggest to the openssh folks that a different pam service would be helpful.
rob
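A small log check for the diagnosis in this thread (an added example, not code from the thread or from FreeIPA/SSSD): it parses `pam_sss(...)` lines from the secure log and reports which PAM service name SSSD actually evaluated, so you can see that an HBAC rule whose "Via Service" is `sftp` can never match when every sftp session is authenticated as `sshd`. The log lines are constructed in the format quoted above; hosts, PIDs and user names are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample log (same format as the lines quoted in the thread).
# Both sessions were opened with the sftp client, yet sshd is the PAM service.
SAMPLE_LOG = """\
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=testuser
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
May 16 15:02:10 exampleserver sshd[65500]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=admin
May 16 15:02:10 exampleserver sshd[65500]: Accepted password for admin from 192.168.0.127 port 50000 ssh2
"""

# pam_sss(<service>:<phase>): <message>
PAM_SSS_RE = re.compile(r"pam_sss\((?P<service>[^:)]+):(?P<phase>[^)]+)\): (?P<msg>.*)$")
# "user=<name>" (auth phase) or "for user <name>:" (account phase); \b skips "ruser=".
USER_RE = re.compile(r"(?:\buser=|\bfor user )(?P<user>[^\s:]+)")


@dataclass(frozen=True)
class PamEvent:
    service: str        # PAM service name SSSD evaluated the HBAC rules for
    phase: str          # auth, account, session, ...
    user: Optional[str]
    denied: bool        # account-phase "Access denied", i.e. an HBAC rejection


def parse_pam_sss(line: str) -> Optional[PamEvent]:
    """Parse one syslog line; return None for lines not emitted by pam_sss."""
    m = PAM_SSS_RE.search(line)
    if m is None:
        return None
    u = USER_RE.search(m.group("msg"))
    denied = m.group("phase") == "account" and "Access denied" in m.group("msg")
    return PamEvent(m.group("service"), m.group("phase"), u.group("user") if u else None, denied)


def pam_services_seen(lines: Iterable[str]) -> Set[str]:
    """Distinct PAM service names SSSD reported: what an HBAC 'Via Service' must name."""
    return {e.service for e in map(parse_pam_sss, lines) if e}


def hbac_denials(lines: Iterable[str]) -> List[PamEvent]:
    """Sessions SSSD rejected in the account phase (HBAC 'Access denied')."""
    return [e for e in map(parse_pam_sss, lines) if e and e.denied]


def hbac_service_matchable(lines: Iterable[str], service: str) -> bool:
    """True only if some session in the log was evaluated under that PAM service."""
    return service in pam_services_seen(lines)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("PAM services seen:", pam_services_seen(lines))
    for e in hbac_denials(lines):
        print(f"denied: user={e.user} via PAM service={e.service}")
    print("HBAC rule for 'sftp' can match:", hbac_service_matchable(lines, "sftp"))
```

Run it against `/var/log/secure` (or `journalctl -u sshd` output) and, if the only service reported is `sshd`, a rule with "Via Service: sftp" cannot be what grants or denies those sessions.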
On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Kevin Vasko wrote:
> > Thanks Rob.
> >
> > ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> > --------------------
> > Access granted: True
> >
> > ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> > --------------------
> > Access granted: False
> >
> > So the HBAC works from FreeIPA...however when I actually put rubber to the road
> >
> > "sftp testaccount@testsystem.example.com"
> > Password:
> > Connection closed by UNKNOWN port 65535
> > Connection closed.
> >
> > On the server it is denying it because it seems to be using sshd like Ahti Seier mentioned.
>
> You'd have to enable debugging in SSSD to see what is happening.
>
> I did the same and copied the pam sshd to sftp and it just worked for me, assuming I didn't screw something up.
>
> rob
>
> > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten@redhat.com> wrote:
> >
> > > Kevin Vasko via FreeIPA-users wrote:
> > > > Try to make this simple.
> > > >
> > > > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
> > > >
> > > > Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
> > > >
> > > > I want to limit this user to only being able to sftp into this server (no direct ssh).
> > > >
> > > > If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp.
> > > >
> > > > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
> > > > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > > > but that didn't seem to work.
> > > >
> > > > Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?
> > >
> > > I just tested this and it works fine for me. I had to create an allow_sshd HBAC rule which granted sshd access after I disabled the allow_all rule.
> > >
> > > You can test your rules with:
> > > ipa hbactest --user admin --host replica.example.test --service sshd
> > >
> > > and
> > >
> > > ipa hbactest --user admin --host replica.example.test --service sftp
> > >
> > > And replace user with whatever user can only access via sftp. It should fail for sshd.
> > >
> > > It would help to see the output of these hbactest runs.
> > >
> > > rob