One of my staff made a typo in his shell in "ipa user-mod --shell". It can be hard to recover from, since you can't log in.
Is there a way to restrict what they can use? Traditionally only shells in /etc/shells were valid.
Charles Hedrick via FreeIPA-users wrote:
[...]
There is no way currently.
Note that part of the problem is which /etc/shells to use? Remember that IPA is centralized and users may be using a number of different operating systems. This is why the default shell is /bin/sh, because it is nearly universal.
It probably isn't a ton of work to add a new config option to provide a set of valid shells, so feel free to file an RFE. I just don't know that this sort of thing would be prioritized.
We could probably help if you want to contribute something.
rob
looks like the real solution is valid_shells in sssd.conf. That will prevent people from damaging themselves.
On Jan 25, 2018, at 3:12 PM, Rob Crittenden rcritten@redhat.com wrote:
[...]
ugh. valid_shells is carefully designed so it can’t be used for this. But doing it in sshd is probably the right answer.
On Jan 25, 2018, at 3:15 PM, Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
given the way sssd is designed, if we could restrict in IPA to a list, sssd could map anything that’s not on the local system to a fallback. But sssd isn’t set up so that random typos can get mapped to a fallback.
On Jan 25, 2018, at 3:17 PM, Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]
Charles Hedrick via FreeIPA-users wrote:
[...]
It is probably best to prevent bad data from getting in the entry in the first place. A fallback would be nice though.
rob
Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
[...]
At the very least, it would be good to restrict it to /etc/shells on the current machine. Doesn't cover everything, but it's an improvement.
Thanks, --Robbie
Turns out there is a way. It seems to be a recent addition, as it wasn’t in the documentation I looked at originally.
[nss]
allowed_shells = *
shell_fallback = /bin/bash
The semantics of allowed_shells is kind of interesting.
* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the fallback
* if allowed_shells isn't set, any shell is used, even if it doesn't exist
So setting allowed_shells to * does what you'd want: any shell in /etc/shells is OK. Otherwise you get the fallback.
"*" as a possible value is relatively new.
This is really what I'd expect default behavior to be if allowed_shells isn't set.
On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]
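To make that evaluation order concrete, here is an added example (not code from the thread, from FreeIPA or from sssd) that models the allowed_shells / shell_fallback rules listed above and audits a constructed set of IPA users against one host's /etc/shells. It goes one step past the thread by also covering the case sssd.conf(5) documents for a shell that is in neither list, which sssd replaces with a nologin shell; the /sbin/nologin path and all sample data are assumptions.

```python
# Added example, not code from the thread or from sssd: a model of the
# allowed_shells / shell_fallback evaluation order, used to audit IPA
# loginShell values against one host's /etc/shells before a typo locks
# someone out. Rule 3 (in neither list -> nologin) comes from sssd.conf(5);
# the nologin path and all sample data below are assumptions.

NOLOGIN = "/sbin/nologin"  # assumed path of the nologin shell sssd substitutes


def effective_shell(login_shell, etc_shells, allowed_shells=None, shell_fallback="/bin/sh"):
    """Shell sssd hands to the system for this loginShell. allowed_shells=None
    models the option being unset: the value passes through untouched."""
    if allowed_shells is None:
        return login_shell
    if login_shell in etc_shells:                                # 1. present locally
        return login_shell
    if "*" in allowed_shells or login_shell in allowed_shells:   # 2. allowed, missing here
        return shell_fallback
    return NOLOGIN                                               # 3. in neither list


def audit_users(users, etc_shells, allowed_shells=None, shell_fallback="/bin/sh"):
    """Map uid -> (effective shell, verdict). 'broken' means the system gets a
    path not in /etc/shells (typo passed through, or a bad shell_fallback) and
    the login fails; 'remapped' means the fallback silently took over."""
    report = {}
    for uid, login_shell in users.items():
        got = effective_shell(login_shell, etc_shells, allowed_shells, shell_fallback)
        if got == login_shell and got in etc_shells:
            verdict = "ok"
        elif got == NOLOGIN:
            verdict = "nologin"
        elif got in etc_shells:
            verdict = "remapped"
        else:
            verdict = "broken"
        report[uid] = (got, verdict)
    return report


# Constructed sample: a Linux host's /etc/shells and three IPA users, one with
# the kind of typo the thread describes, one with a shell only some hosts have.
ETC_SHELLS = ["/bin/sh", "/bin/bash", "/usr/bin/zsh"]
USERS = {"alice": "/bin/bash", "bob": "/bin/bsah", "carol": "/usr/local/bin/fish"}

if __name__ == "__main__":
    print(audit_users(USERS, ETC_SHELLS))                        # bob is 'broken'
    print(audit_users(USERS, ETC_SHELLS, ["*"], "/bin/bash"))   # bob, carol 'remapped'
```

Running the audit with the real user list (for example from ipa user-find) and the host's actual /etc/shells shows which accounts would land on the fallback, on nologin, or on a nonexistent path under a given sssd.conf.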
Hrm, is there any provision for different paths for the same shell on different platforms? (E.g. bash on Linux vs FreeBSD)
On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]
to do that you’d need some kind of mapping facility. Without modifying sssd I’d suggest symbolic links.
I thought /bin/shell worked everywhere. It’s /usr/bin that may or may not.
On Jan 26, 2018, at 1:16 PM, Mike Kelly via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
[...]