11:44 a.m.
Try to make this simple.
Have a HBAC, have the "Who" set to a user, have the "Accessing" set to
a
server.
Have the "Via Service" set to "sshd". The user can ssh into the server
no
issue.
I want to limit this user to only being able to sftp into this server (no
direct ssh).
If I swap the "Via Service" from the sshd service to sftp that user is now
denied. They cannot access the server via sftp or ssh. I would expect it to
deny ssh access but allow sftp.
I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
but that didn't seem to work.
Can you point me to the instructions on how to make the HBAC work with a
particular service (e.g. sftp)?
12:05 p.m.
I don't think this can be done easily
The way pam works is the program (sshd in this case) starts the pam
context with a specific name. Looking at sshd source it seems this is
__progname for sshd which should be the basename of the executable. There
does not seem to be a separate authentication stack for sftp part
specifically. So it does not matter if you create a pam.d/sftp
configuration as sshd is not programmed to look for it.
sshd can however be configured to limit ssh access and allow sftp based
on a users group. So this could be achieved by having the sftp only users
in a specific user group.
Kontakt Kevin Vasko via FreeIPA-users (<freeipa-users(a)lists.fedorahosted.org>)
kirjutas kuupäeval T, 16. mai 2023 kell 19:45:
Try to make this simple.
Have a HBAC, have the "Who" set to a user, have the "Accessing" set
to a
server.
Have the "Via Service" set to "sshd". The user can ssh into the
server no
issue.
I want to limit this user to only being able to sftp into this server (no
direct ssh).
If I swap the "Via Service" from the sshd service to sftp that user is now
denied. They cannot access the server via sftp or ssh. I would expect it to
deny ssh access but allow sftp.
I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned here
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
but that didn't seem to work.
Can you point me to the instructions on how to make the HBAC work with a
particular service (e.g. sftp)?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
12:56 p.m.
Kevin Vasko via FreeIPA-users wrote:
Try to make this simple.
Have a HBAC, have the "Who" set to a user, have the "Accessing" set
to a
server.
Have the "Via Service" set to "sshd". The user can ssh into the
server
no issue.
I want to limit this user to only being able to sftp into this server
(no direct ssh).
If I swap the "Via Service" from the sshd service to sftp that user is
now denied. They cannot access the server via sftp or ssh. I would
expect it to deny ssh access but allow sftp.
I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
here
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
but that didn't seem to work.
Can you point me to the instructions on how to make the HBAC work with a
particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.
You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd
and
ipa hbactest --user admin --host replica.example.test --service sftp
And replace user with whatever user can only access via sftp. It should
fail for sshd.
It would help to see the output of these hbactest runs.
rob
3:56 p.m.
Thanks Rob.
ipa hbactest --user testaccount --host testsystem.example.com --service sftp
--------------------
Access granted: True
ipa hbactest --user testaccount --host testsystem.example.com --service sshd
--------------------
Access granted: False
So the HBAC works from FreeIPA...however when I actually put rubber to the
road
"sftp testaccount(a)testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.
On the server it is denying it because it seems to be using sshd like Ahti
Seier mentioned.
On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the "Accessing"
set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into the
server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
>
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work with a
> particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.
You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd
and
ipa hbactest --user admin --host replica.example.test --service sftp
And replace user with whatever user can only access via sftp. It should
fail for sshd.
It would help to see the output of these hbactest runs.
rob
4:06 p.m.
Kevin Vasko wrote:
Thanks Rob.
ipa hbactest --user testaccount --host testsystem.example.com
--service sftp
--------------------
Access granted: True
ipa hbactest --user testaccount --host testsystem.example.com
--service sshd
--------------------
Access granted: False
So the HBAC works from FreeIPA...however when I actually put rubber to
the road
"sftp testaccount(a)testsystem.example.com"
Password:
Connection closed by UNKNOWN port 65535
Connection closed.
On the server it is denying it because it seems to be using sshd like
Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did
the same and copied the pam sshd to sftp and it just worked for me,
assuming I didn't screw something up.
rob
On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Kevin Vasko via FreeIPA-users wrote:
> Try to make this simple.
>
> Have a HBAC, have the "Who" set to a user, have the
"Accessing"
set to a
> server.
>
> Have the "Via Service" set to "sshd". The user can ssh into
the server
> no issue.
>
> I want to limit this user to only being able to sftp into this server
> (no direct ssh).
>
> If I swap the "Via Service" from the sshd service to sftp that user
is
> now denied. They cannot access the server via sftp or ssh. I would
> expect it to deny ssh access but allow sftp.
>
> I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> here
>
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
> but that didn't seem to work.
>
> Can you point me to the instructions on how to make the HBAC work
with a
> particular service (e.g. sftp)?
I just tested this and it works fine for me. I had to create an
allow_sshd HBAC rule which granted sshd access after I disabled the
allow_all rule.
You can test your rules with:
ipa hbactest --user admin --host replica.example.test --service sshd
and
ipa hbactest --user admin --host replica.example.test --service sftp
And replace user with whatever user can only access via sftp. It should
fail for sshd.
It would help to see the output of these hbactest runs.
rob
5:07 p.m.
Rob, do you by chance maybe have sshd and sftp in your "Via Services"
permissions? If I have the sshd service enabled in my "Via services" then
"sftp" works for me as well, but it's still under the hood authenticating
with sshd even though I am trying to connect with the "sftp" command.
"pam_sss" in the logs show it's using sshd, even though I have
/etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this might have
something to do with "sftp" is actually using "sshd" to do the auth?
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
denied for user testuser: 6 (Permission denied)
On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Kevin Vasko wrote:
> Thanks Rob.
>
> ipa hbactest --user testaccount --host testsystem.example.com
> --service sftp
> --------------------
> Access granted: True
>
> ipa hbactest --user testaccount --host testsystem.example.com
> --service sshd
> --------------------
> Access granted: False
>
> So the HBAC works from FreeIPA...however when I actually put rubber to
> the road
>
> "sftp testaccount(a)testsystem.example.com"
> Password:
> Connection closed by UNKNOWN port 65535
> Connection closed.
>
> On the server it is denying it because it seems to be using sshd like
> Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did
the same and copied the pam sshd to sftp and it just worked for me,
assuming I didn't screw something up.
rob
>
>
>
> On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the
"Accessing"
> set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh
into the
server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this
server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that
user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it
mentioned
> > here
> >
>
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-de...
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work
> with a
> > particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It
should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>
9:43 a.m.
Kevin Vasko wrote:
Rob, do you by chance maybe have sshd and sftp in your "Via
Services"
permissions? If I have the sshd service enabled in my "Via services"
then "sftp" works for me as well, but it's still under the hood
authenticating with sshd even though I am trying to connect with the
"sftp" command. "pam_sss" in the logs show it's using sshd, even
though
I have /etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this
might have something to do with "sftp" is actually using "sshd" to
do
the auth?
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
authentication success; logname= uid=0 euid=0 tty=ssh ruser=
rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
denied for user testuser: 6 (Permission denied)
So yeah, I think I did my testing a bit too quickly.
I looked again and eenabled debug logging in sssd and the pam service
that sftp uses is sshd. I think the suggestion to use groups for access
control looks like your best bet. You might want to suggest to the
openssh folks that a different pam service would be helpful.
rob
On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Kevin Vasko wrote:
> Thanks Rob.
>
> ipa hbactest --user testaccount --host testsystem.example.com
<http://testsystem.example.com>
> --service sftp
> --------------------
> Access granted: True
>
> ipa hbactest --user testaccount --host testsystem.example.com
<http://testsystem.example.com>
> --service sshd
> --------------------
> Access granted: False
>
> So the HBAC works from FreeIPA...however when I actually put rubber to
> the road
>
> "sftp testaccount(a)testsystem.example.com
<mailto:testaccount@testsystem.example.com>"
> Password:
> Connection closed by UNKNOWN port 65535
> Connection closed.
>
> On the server it is denying it because it seems to be using sshd like
> Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did
the same and copied the pam sshd to sftp and it just worked for me,
assuming I didn't screw something up.
rob
>
>
>
> On Tue, May 16, 2023 at 12:56 PM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the
"Accessing"
> set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can
ssh into
the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into
this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp
that user is
> > now denied. They cannot access the server via sftp or ssh. I
would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it
mentioned
> > here
> >
>
https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC
work
> with a
> > particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I
disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test
--service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test
--service sftp
>
> And replace user with whatever user can only access via sftp.
It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>
396
days inactive
397
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Ahti Seier -
Kevin Vasko -
Rob Crittenden