Try to make this simple.
Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
I want to limit this user to only being able to sftp into this server (no direct ssh).
If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp.
I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despi... but that didn't seem to work.
Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?
I don't think this can be done easily
The way PAM works is that the program (sshd in this case) starts the PAM context with a specific service name. Looking at the sshd source, it seems this is __progname for sshd, which should be the basename of the executable. There does not seem to be a separate authentication stack for the sftp part specifically. So it does not matter if you create a pam.d/sftp configuration, as sshd is not programmed to look for it.
sshd can, however, be configured to limit ssh access and allow sftp based on a user's group. So this could be achieved by having the sftp-only users in a specific user group.
Kevin Vasko via FreeIPA-users (freeipa-users@lists.fedorahosted.org) wrote on Tue, 16 May 2023 at 19:45:
> Try to make this simple.
> Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
> Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
> I want to limit this user to only being able to sftp into this server (no direct ssh).
> If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp.
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despi... but that didn't seem to work.
> Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
> Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
> Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
> I want to limit this user to only being able to sftp into this server (no direct ssh).
> If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp.
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despi... but that didn't seem to work.
> Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an allow_sshd HBAC rule which granted sshd access after I disabled the allow_all rule.
You can test your rules with: ipa hbactest --user admin --host replica.example.test --service sshd
and
ipa hbactest --user admin --host replica.example.test --service sftp
And replace user with whatever user can only access via sftp. It should fail for sshd.
It would help to see the output of these hbactest runs.
rob
Thanks Rob.
ipa hbactest --user testaccount --host testsystem.example.com --service sftp
--------------------
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
--------------------
Access granted: False
So the HBAC works from FreeIPA...however when I actually put rubber to the road
"sftp testaccount@testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.
On the server it is denying it because it seems to be using sshd like Ahti Seier mentioned.
On Tue, May 16, 2023 at 12:56 PM Rob Crittenden rcritten@redhat.com wrote:
> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> > Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a server.
> > Have the "Via Service" set to "sshd". The user can ssh into the server no issue.
> > I want to limit this user to only being able to sftp into this server (no direct ssh).
> > If I swap the "Via Service" from the sshd service to sftp that user is now denied. They cannot access the server via sftp or ssh. I would expect it to deny ssh access but allow sftp.
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despi... but that didn't seem to work.
> > Can you point me to the instructions on how to make the HBAC work with a particular service (e.g. sftp)?
> I just tested this and it works fine for me. I had to create an allow_sshd HBAC rule which granted sshd access after I disabled the allow_all rule.
> You can test your rules with: ipa hbactest --user admin --host replica.example.test --service sshd
> and
> ipa hbactest --user admin --host replica.example.test --service sftp
> And replace user with whatever user can only access via sftp. It should fail for sshd.
> It would help to see the output of these hbactest runs.
> rob
Kevin Vasko wrote:
> Thanks Rob.
> ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> Access granted: True
> ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> Access granted: False
> So the HBAC works from FreeIPA...however when I actually put rubber to the road
> "sftp testaccount@testsystem.example.com"
> Password:
> Connection closed by UNKNOWN port 65535
> Connection closed.
> On the server it is denying it because it seems to be using sshd like Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did the same and copied the pam sshd to sftp and it just worked for me, assuming I didn't screw something up.
rob
Rob, do you by chance maybe have sshd and sftp in your "Via Services" permissions? If I have the sshd service enabled in my "Via services" then "sftp" works for me as well, but it's still under the hood authenticating with sshd even though I am trying to connect with the "sftp" command. "pam_sss" in the logs shows it's using sshd, even though I have /etc/pam.d/sshd copied over to /etc/pam.d/sftp. I think this might have something to do with "sftp" actually using "sshd" to do the auth?
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
On Tue, May 16, 2023 at 4:06 PM Rob Crittenden rcritten@redhat.com wrote:
> Kevin Vasko wrote:
> > Thanks Rob.
> > ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> > Access granted: True
> > ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> > Access granted: False
> > So the HBAC works from FreeIPA...however when I actually put rubber to the road
> > "sftp testaccount@testsystem.example.com"
> > Password:
> > Connection closed by UNKNOWN port 65535
> > Connection closed.
> > On the server it is denying it because it seems to be using sshd like Ahti Seier mentioned.
> You'd have to enable debugging in SSSD to see what is happening. I did the same and copied the pam sshd to sftp and it just worked for me, assuming I didn't screw something up.
> rob
Kevin Vasko wrote:
> Rob, do you by chance maybe have sshd and sftp in your "Via Services" permissions? If I have the sshd service enabled in my "Via services" then "sftp" works for me as well, but it's still under the hood authenticating with sshd even though I am trying to connect with the "sftp" command. "pam_sss" in the logs shows it's using sshd, even though I have /etc/pam.d/sshd copied over to /etc/pam.d/sftp. I think this might have something to do with "sftp" actually using "sshd" to do the auth?
> May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=exampleserver
> May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
So yeah, I think I did my testing a bit too quickly.
I looked again and enabled debug logging in sssd, and the PAM service that sftp uses is sshd. I think the suggestion to use groups for access control looks like your best bet. You might want to suggest to the openssh folks that a different PAM service would be helpful.
rob
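Ahti's reply and Rob's last message reach the same conclusion: sshd only ever talks to PAM as the service "sshd", so HBAC cannot tell an sftp session from a shell session, and the sftp-only restriction has to be done in sshd_config with a group. The script below is an added example for this thread, not code from the list or from the FreeIPA project. It assumes an IPA group named sftponly and a chroot base of /srv/sftp (both made-up names). It prints the Match block that forces internal-sftp for that group and includes a check, run here over two constructed configs, that tells a config which merely enables the sftp subsystem (members still get a shell) apart from one that actually forces internal-sftp.

```shell
#!/bin/sh
# Added example for the FreeIPA-users thread on sftp-only HBAC; not code from
# the list or the FreeIPA project. sshd calls pam_start() with the service name
# "sshd" for every session type, so the HBAC rule stays on service "sshd" and
# the sftp-only policy lives in sshd_config. Assumed names: group "sftponly",
# chroot base /srv/sftp.
set -eu

# Print the sshd_config fragment that makes members of group $1 sftp-only,
# chrooted under $2/<username>. ForceCommand replaces whatever command the
# client requested, so "ssh user@host" is served by internal-sftp, not a shell.
sftp_only_block() {
    cat <<EOF
Match Group $1
    ForceCommand internal-sftp
    ChrootDirectory $2/%u
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Exit 0 if sshd_config file $1 contains a "Match Group $2" block that sets
# ForceCommand internal-sftp, 1 otherwise. Keywords are case-insensitive, a
# Match block runs until the next Match line, and Group lists may be
# comma-separated, so "Match Group staff,sftponly User bob" still counts.
check_sftp_only() {
    awk -v grp="$2" '
        BEGIN { inblock = 0; ok = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" {
            inblock = 0
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) != "group") continue
                n = split($(i + 1), groups, ",")
                for (j = 1; j <= n; j++) if (groups[j] == grp) inblock = 1
            }
            next
        }
        inblock && tolower($1) == "forcecommand" && $2 == "internal-sftp" { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Stand-alone demo over constructed configs: "weak" only enables the sftp
# subsystem (group members can still log in with a shell); "hardened" has the
# Match block appended.
demo() {
    tmp=$(mktemp -d)
    printf 'Subsystem sftp internal-sftp\nPasswordAuthentication yes\n' > "$tmp/weak"
    { cat "$tmp/weak"; sftp_only_block sftponly /srv/sftp; } > "$tmp/hardened"
    for f in weak hardened; do
        if check_sftp_only "$tmp/$f" sftponly; then
            echo "$f: sftponly members are forced to internal-sftp"
        else
            echo "$f: sftponly members can still get a shell"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Two things to keep in mind when applying this on a real host: the Match block must sit after the global options (everything from a Match line to the next Match line is conditional), and ChrootDirectory requires the chroot path and every parent to be root-owned and not group- or world-writable, so users normally get a writable subdirectory inside it. On the IPA side the rule keeps the sshd service and is scoped to the group, e.g. `ipa hbacrule-add-user allow_sftponly --groups=sftponly` and `ipa hbacrule-add-service allow_sftponly --hbacsvcs=sshd` (rule name assumed), and `ipa hbactest --service sshd` then has to return True for those users. To confirm the Match block applies to a specific connection, `sshd -T -C user=testaccount,host=testsystem.example.com,addr=192.168.0.127` prints the effective options, including the ForceCommand, for that user.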