Kevin Vasko wrote:
Rob, do you by chance maybe have sshd and sftp in your "Via Services"
permissions? If I have the sshd service enabled in my "Via services" then
"sftp" works for me as well, but it's still under the hood authenticating
with sshd even though I am trying to connect with the "sftp" command.
"pam_sss" in the logs shows it's using sshd, even though I have
/etc/pam.d/sshd copied over in /etc/pam.d/sftp. I think this might have
something to do with "sftp" actually using "sshd" to do the auth?
May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=exampleserver
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)
So yeah, I think I did my testing a bit too quickly.
I looked again and enabled debug logging in sssd and the pam service that
sftp uses is sshd. I think the suggestion to use groups for access control
looks like your best bet. You might want to suggest to the openssh folks
that a different pam service would be helpful.
rob
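The group-based approach Rob points to, as an added example that is not from this thread or the FreeIPA project: HBAC grants the group access through the sshd service (the only service name SSSD ever sees for an sftp login), and sshd itself confines that group to the SFTP subsystem. The group name sftponly, the rule name allow_sftp_only and the chroot path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. HBAC cannot tell sftp from ssh because
# the sftp subsystem is authenticated by sshd under the "sshd" PAM service, so
# "sftp only" has to be enforced by sshd, keyed on a group that HBAC also uses.
set -e

# 1. Group-based HBAC (real FreeIPA CLI commands; need an admin Kerberos
#    ticket). Group and rule names are assumptions for this example.
create_sftp_only_hbac() {
    user="$1"; host="$2"
    ipa group-add sftponly --desc="Accounts limited to SFTP"
    ipa group-add-member sftponly --users="$user"
    ipa hbacrule-add allow_sftp_only
    ipa hbacrule-add-user allow_sftp_only --groups=sftponly
    ipa hbacrule-add-host allow_sftp_only --hosts="$host"
    ipa hbacrule-add-service allow_sftp_only --hbacsvcs=sshd
    # Both runs should report "Access granted: True": SSSD evaluates an sftp
    # login as service sshd, so there is no point in a separate sftp rule.
    ipa hbactest --user "$user" --host "$host" --service sshd
    ipa hbactest --user "$user" --host "$host" --service sftp
}

# 2. sshd_config fragment for the server: ForceCommand internal-sftp refuses a
#    shell or any other command for the group; the remaining directives close
#    the interactive side channels. The chroot directory (assumed path) must be
#    root-owned and not group/world-writable or sshd rejects the login.
sftp_only_match_block() {
    cat <<'EOF'
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /srv/sftp/%u
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Usage (not run automatically):
#   create_sftp_only_hbac testaccount testsystem.example.com
#   sftp_only_match_block >> /etc/ssh/sshd_config && sshd -t && systemctl reload sshd
```

After reloading, the account still passes HBAC (service sshd) but an interactive `ssh` ends immediately with the forced command, while `sftp` works.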
On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
Kevin Vasko wrote:
> Thanks Rob.
>
> ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> --------------------
> Access granted: True
>
> ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> --------------------
> Access granted: False
>
> So the HBAC works from FreeIPA...however when I actually put rubber to
> the road
>
> "sftp testaccount@testsystem.example.com"
> Password:
> Connection closed by UNKNOWN port 65535
> Connection closed.
>
> On the server it is denying it because it seems to be using sshd like
> Ahti Seier mentioned.
You'd have to enable debugging in SSSD to see what is happening. I did
the same and copied the pam sshd to sftp and it just worked for me,
assuming I didn't screw something up.
rob
>
>
>
> On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the "Accessing" set to a
> > server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh into the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > here
> >
> > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work
> > with a particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob
>