I don't think this can be done easily
The way pam works is the program (sshd in this case) starts the pam
context with a specific name. Looking at sshd source it seems this is
__progname for sshd which should be the basename of the executable. There
does not seem to be a separate authentication stack for sftp part
specifically. So it does not matter if you create a pam.d/sftp
configuration as sshd is not programmed to look for it.
sshd can however be configured to limit ssh access and allow sftp based
on a users group. So this could be achieved by having the sftp only users
in a specific user group.
Kontakt Kevin Vasko via FreeIPA-users (<freeipa-users(a)lists.fedorahosted.org>)
kirjutas kuupäeval T, 16. mai 2023 kell 19:45:
Try to make this simple.
Have a HBAC, have the "Who" set to a user, have the "Accessing" set
to a
server.
Have the "Via Service" set to "sshd". The user can ssh into the
server no
issue.
I want to limit this user to only being able to sftp into this server (no
direct ssh).
If I swap the "Via Service" from the sshd service to sftp that user is now
denied. They cannot access the server via sftp or ssh. I would expect it to
deny ssh access but allow sftp.
I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
but that didn't seem to work.
Can you point me to the instructions on how to make the HBAC work with a
particular service (e.g. sftp)?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue