Kevin Vasko wrote:
Thanks Rob.
ipa hbactest --user testaccount --host testsystem.example.com --service sftp
--------------------
Access granted: True

ipa hbactest --user testaccount --host testsystem.example.com --service sshd
--------------------
Access granted: False

So the HBAC works from FreeIPA...however when I actually put rubber to the road:

sftp testaccount@testsystem.example.com
Password:
Connection closed by UNKNOWN port 65535
Connection closed.
On the server it is denying it because it seems to be using sshd like
Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did
the same and copied the pam sshd to sftp and it just worked for me,
assuming I didn't screw something up.
rob
On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten@redhat.com> wrote:
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have an HBAC, have the "Who" set to a user, have the "Accessing" set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
> https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.
You can test your rules with:

ipa hbactest --user admin --host replica.example.test --service sshd

and

ipa hbactest --user admin --host replica.example.test --service sftp

And replace user with whatever user can only access via sftp. It should
fail for sshd.
It would help to see the output of these hbactest runs.
rob
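An added example, not from this thread or from the FreeIPA project, that scripts the check Rob describes: run `ipa hbactest` for both the sshd and sftp service names for one user and host, parse the "Access granted:" verdict, and say whether the pair matches an "sftp only" intent. It assumes an enrolled client with the `ipa` CLI and a valid admin ticket, and the HBAC service names "sshd" and "sftp" used above. Note that it only evaluates the rules server-side, which is exactly what passes in Kevin's run while the real login still fails: an OpenSSH sftp session is authenticated by sshd, which talks to PAM (and so to SSSD) under the service name "sshd" regardless of what is in /etc/pam.d/sftp, so when the two verdicts differ from the live behaviour the next step is SSSD debug logging on the client, as suggested above.

```shell
#!/bin/sh
# Added example (not the thread's or FreeIPA's own code): compare ipa hbactest
# verdicts for the "sshd" and "sftp" HBAC services against an sftp-only intent.
# Assumes: `ipa` on PATH with a valid ticket when run with arguments.

# Extract the verdict word ("True"/"False") from ipa hbactest output given as $1.
hbac_verdict() {
    printf '%s\n' "$1" | sed -n 's/^Access granted: *\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Compare the sshd verdict ($1) and sftp verdict ($2) with an sftp-only policy.
# Prints a one-line diagnosis; returns 0 when the rules match the intent,
# 1 when they do not, 2 when a verdict could not be parsed.
diagnose_sftp_only() {
    case "$1,$2" in
        False,True)  echo "ok: sshd denied, sftp allowed"; return 0 ;;
        True,True)   echo "both allowed: an allow_all or sshd rule still matches this user"; return 1 ;;
        False,False) echo "both denied: no rule grants sftp; check Who/Accessing/Via Service"; return 1 ;;
        True,False)  echo "inverted: sshd allowed but sftp denied"; return 1 ;;
        *)           echo "unparsed verdict(s): '$1' / '$2'"; return 2 ;;
    esac
}

# Live check for a user ($1) on a host ($2); needs the ipa CLI and a ticket.
hbac_check_user() {
    sshd_out=$(ipa hbactest --user "$1" --host "$2" --service sshd)
    sftp_out=$(ipa hbactest --user "$1" --host "$2" --service sftp)
    diagnose_sftp_only "$(hbac_verdict "$sshd_out")" "$(hbac_verdict "$sftp_out")"
}

# Only call ipa when a user and host are supplied on the command line.
if [ $# -eq 2 ]; then
    hbac_check_user "$1" "$2"
fi
```

Usage: `sh hbac_check.sh testaccount testsystem.example.com`. A "both allowed" result usually means the default allow_all rule is still enabled, which is why Rob had to disable it before his allow_sshd rule made any difference.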