On 24/05/2024 15:52, Alexander Bokovoy via FreeIPA-users wrote:
On Fri, 24 May 2024, Sam Morris via FreeIPA-users wrote:
On 24/05/2024 13:07, Sam Morris via FreeIPA-users wrote:
On non-IPA clients I'm using AllowUsers/AllowGroups to restrict which
local users are able to SSH into a system.
On IPA clients I am using HBAC to control the same for IPA users. But
what's the best way to control which local users can SSH in to an IPA
client?
Sorry, I forgot to add "... without disrupting access to the IPA
client for IPA users".
[...]
I don't understand why you cannot handle the access control through HBAC
rules. These days glibc supports group merging feature (since glibc
2.24, around 2016), so you can have a group in IPA and a group in
/etc/group, then include local user into that local group. With
appropriate configuration, SSSD will add local user into that IPA group
membership locally and thus you can use that IPA group in HBAC rules.
See https://sourceware.org/glibc/wiki/Proposals/GroupMerging and man
page for nsswitch.conf(5), 'merge' ACTION for 'group' database.
Thanks for that, I haven't used group merging yet. But, hmm, I'm not
sure it will help here...
My goals are:
* Local user access to be controlled by group membership
* IPA user access to be controlled via IPA HBAC
* IPA user access to not be controlled by group membership
If I create a local group 'allow-ssh' and configure sshd with
'AllowGroups allow-ssh' then my IPA users can't SSH in any more, because
they aren't a member of the local group.
So I was thinking that the local group combined with "AllowGroups
ipausers allow-ssh" would work, but then we have the undesirably large
POSIX group that will cause performance problems in large domains.
If I understand group merging correctly, it lets me create a local
allow-ssh group with the same GID as an IPA POSIX allow-ssh group, and
then looking up the group's membership will return both local and IPA
users. But doesn't that mean all my users need to be in the IPA
allow-ssh POSIX group, which is no different to making ipausers into a
POSIX group?
I had another idea: perhaps pam_group can be combined with pam_localuser
to add all IPA users to the allow-ssh group. But I don't know if this
happens before or after the user's groups are checked against the
AllowGroups list; and pam_group is an 'auth' module, which I believe
means it won't be activated when GSSAPIAuthentication is used.
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
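The following is an added example, not code from either poster or from the FreeIPA project. It models two things the thread discusses: how glibc's `[SUCCESS=merge]` action on the `group` line of nsswitch.conf changes the membership that a lookup returns, and how sshd applies AllowUsers/AllowGroups (in the order documented in sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups) to that membership. The users (bob, alice, carol), group names, GIDs and the two sshd configurations are constructed for illustration; the NSS and sshd logic is a simplification (no `!` negation or `user@host` patterns, and real sshd obtains the group list through the initgroups/getgrouplist NSS path rather than by scanning every group).

```python
from fnmatch import fnmatchcase

# Constructed sample NSS sources (hypothetical users and groups, not from the thread).
# Each source maps group name -> (gid, members), like /etc/group and the SSSD view.
FILES_GROUPS = {
    "allow-ssh": (10000, {"bob"}),            # local group containing a local admin
    "wheel":     (10,    {"bob"}),
}
SSS_GROUPS = {
    "allow-ssh": (10000,   {"alice"}),        # IPA POSIX group with the same name and GID
    "ipausers":  (1000001, {"alice", "carol"}),
}
NSS_SOURCES = [FILES_GROUPS, SSS_GROUPS]      # order of the 'group:' line in nsswitch.conf


def lookup_group(name, sources=NSS_SOURCES, merge=False):
    """Resolve one group as glibc does for 'group: files sss' (merge=False)
    or 'group: files [SUCCESS=merge] sss' (merge=True).

    Without merge the first source that has the group wins and later sources are
    never consulted for it. With merge, later entries whose name and GID match are
    folded into the member list; an entry with a different GID is ignored."""
    result = None
    for src in sources:
        entry = src.get(name)
        if entry is None:
            continue
        gid, members = entry
        if result is None:
            result = (gid, set(members))
            if not merge:
                return result
        elif result[0] == gid:
            result = (gid, result[1] | set(members))
    return result


def groups_of(user, sources=NSS_SOURCES, merge=False):
    """Set of group names the user belongs to under the chosen NSS behaviour."""
    names = set().union(*(src.keys() for src in sources))
    return {n for n in names if user in lookup_group(n, sources, merge)[1]}


def sshd_allows(user, groups, config):
    """Evaluate sshd's access directives in their documented order.
    Patterns support '*' and '?' only; negation and user@host forms are omitted."""
    def matches(name, patterns):
        return any(fnmatchcase(name, p) for p in patterns)

    if matches(user, config.get("DenyUsers", [])):
        return False
    allow_users = config.get("AllowUsers", [])
    if allow_users and not matches(user, allow_users):
        return False
    if any(matches(g, config.get("DenyGroups", [])) for g in groups):
        return False
    allow_groups = config.get("AllowGroups", [])
    if allow_groups and not any(matches(g, allow_groups) for g in groups):
        return False
    return True


def decision(user, config, merge):
    """Combine NSS resolution and the sshd check for one login attempt."""
    return sshd_allows(user, groups_of(user, merge=merge), config)


if __name__ == "__main__":
    configs = {
        "AllowGroups allow-ssh":          {"AllowGroups": ["allow-ssh"]},
        "AllowGroups ipausers allow-ssh": {"AllowGroups": ["ipausers", "allow-ssh"]},
    }
    for label, cfg in configs.items():
        for merge in (False, True):
            verdicts = {u: decision(u, cfg, merge) for u in ("bob", "alice", "carol")}
            print(f"{label:32} merge={merge!s:5} {verdicts}")
```

Running the block prints the outcome for each user under both sshd configurations, with and without group merging. It shows the point raised in the thread: with `AllowGroups allow-ssh`, merging lets the IPA user who is in the IPA `allow-ssh` group (alice) log in alongside the local user (bob), but an IPA user who is not in that group (carol) is still refused, so every permitted IPA user would have to be a member of the IPA POSIX group. Listing `ipausers` in AllowGroups admits carol, at the cost of consulting that large group.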