Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.
You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd
and
ipa hbactest --user admin --host replica.example.test --service sftp
And replace user with whatever user can only access via sftp. It should
fail for sshd.
It would help to see the output of these hbactest runs.
rob