Thanks Rob.

ipa hbactest --user testaccount --host testsystem.example.com --service sftp
--------------------
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
--------------------
Access granted: False

So the HBAC works from FreeIPA... however, when I actually put rubber to the road:

"sftp testaccount@testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.

On the server it is denying it because it seems to be using sshd, like Ahti Seier mentioned.

On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten@redhat.com> wrote:
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?

I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.

You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd

and

ipa hbactest --user admin --host replica.example.test --service sftp

And replace user with whatever user can only access via sftp. It should
fail for sshd.

It would help to see the output of these hbactest runs.

rob