On Sat, 2012-06-02 at 06:52 -0700, Joe Linoff wrote:
> Hi,
>
> I am a newbie who is trying out FreeIPA for the first time. So far I am extremely impressed with this system, but I ran into a problem that I need some help with. I am trying to figure out how to use HBAC to restrict a set of users to a specific set of hosts, but I am not having any success.
>
> Here is the problem statement:
>
> I have 2 users, “user1” and “user2”, that should only be able to access the host “foobar” on my network. There are many other possible hosts (like “wombat”) that they cannot access. They can log in from anywhere using “ssh”.
>
> The goal is to restrict students to a specific set of machines.
>
> What I tried to do was this:
>
> 1. Create a user group called “restricted-users” which I could add users to.
> 2. Create a HBAC rule named “restricted-users” that
>    a. Defines the host I want to allow them access to (“restricted-host”).
>    b. Defines the user group that is affected by this rule (“restricted-users”).
>    c. Defines the services they are allowed to use on that host (including login).
> 3. Create a user named “user1” that is enrolled in the “restricted-users” group.
>
> I then tried this experiment:
>
> 1. ssh -Y user1@foobar
>    a. It worked like a charm. The login worked correctly.
> 2. ssh -Y user1@wombat
>    a. It also worked like a charm, but in this case it was undesired behavior.
>
> I am sure that I am missing something really obvious. Any help would be greatly appreciated.
>
> Errata:
>
> 1. OS: CentOS 6.2
> 2. FreeIPA: v2.1.3 (9el6)
>
> Thank you,
>
> Joe
Hello Joe,

did you disable the default allow_all HBAC rule?

    # ipa hbacrule-show allow_all
      Rule name: allow_all
      User category: all
      Host category: all
      Source host category: all
      Service category: all
      Description: Allow all users to access any host from any host
      Enabled: TRUE

With this rule disabled, the policy you described should be properly enforced.

When testing HBAC rules you may want to try the CLI and Web UI interfaces to the hbactest command, which can help you test who can use which service on which machine, and also which rules matched when access was allowed.

HTH,
Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
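The following is an added example, not part of the thread and not FreeIPA's own code: a small Python model of how an HBAC decision is made, using the two rules from the exchange above (the default allow_all rule and Joe's restricted-users rule). It assumes, as FreeIPA documents, that HBAC is allow-only: access is granted if and only if at least one enabled rule matches the user, the target host and the PAM service, and a category of "all" matches everything. Group membership is a flat constructed table here (the two students plus a hypothetical user "alice" who is not in restricted-users); real IPA resolves nested user groups and host groups through LDAP, and enrolled hosts are FQDNs rather than the short names used here. Running it with allow_all enabled and then disabled reproduces Joe's observation and Martin's fix: the narrow rule can only add access, never take away what allow_all already grants.

```python
# Added example (not from the thread, not FreeIPA code): toy model of FreeIPA
# HBAC evaluation. Assumptions (mine, not stated on the page): allow-only
# semantics, "all" categories match everything, flat group membership table,
# short host names instead of FQDNs, and "sshd" as the PAM service for ssh.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_cat_all: bool = False       # "User category: all"
    host_cat_all: bool = False       # "Host category: all"
    service_cat_all: bool = False    # "Service category: all"
    users: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

    def matches(self, user: str, user_groups: Set[str],
                host: str, service: str) -> bool:
        """True only if the user, host AND service dimensions all match."""
        user_ok = (self.user_cat_all or user in self.users
                   or bool(user_groups & self.groups))
        host_ok = self.host_cat_all or host in self.hosts
        service_ok = self.service_cat_all or service in self.services
        return user_ok and host_ok and service_ok


# Constructed membership table: the thread's two students plus a
# hypothetical staff user who is NOT a member of restricted-users.
USER_GROUPS: Dict[str, Set[str]] = {
    "user1": {"restricted-users"},
    "user2": {"restricted-users"},
    "alice": {"staff"},
}


def thread_rules(allow_all_enabled: bool) -> List[HbacRule]:
    """The two rules from the thread; only allow_all's Enabled flag varies."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled,
                 user_cat_all=True, host_cat_all=True, service_cat_all=True),
        HbacRule("restricted-users",
                 groups={"restricted-users"},
                 hosts={"foobar"},
                 services={"sshd", "login"}),
    ]


def hbac_test(rules: List[HbacRule], user: str, host: str,
              service: str) -> Tuple[bool, List[str]]:
    """Mimic `ipa hbactest`: (access granted?, names of the rules that matched).

    Disabled rules never match. Because there are no deny rules, any single
    enabled matching rule is enough to grant access; a narrower rule can add
    access but cannot remove what a broader enabled rule already grants.
    """
    matched = [r.name for r in rules
               if r.enabled and r.matches(user, USER_GROUPS.get(user, set()),
                                          host, service)]
    return (len(matched) > 0, matched)


if __name__ == "__main__":
    for allow_all in (True, False):
        print(f"--- allow_all enabled: {allow_all} ---")
        for user, host in (("user1", "foobar"), ("user1", "wombat"),
                           ("alice", "foobar")):
            granted, matched = hbac_test(thread_rules(allow_all),
                                         user, host, "sshd")
            verdict = "Access granted" if granted else "Access denied"
            print(f"{user}@{host} sshd: {verdict}; matched rules: {matched}")
```

On a real server the equivalent steps are `ipa hbacrule-disable allow_all` followed by `ipa hbactest --user user1 --host <fqdn of wombat> --service sshd`, which prints the same kind of verdict and list of matched rules that hbac_test returns here. One caveat that follows directly from the allow-only model: once allow_all is disabled, every account that is not covered by some other enabled rule is locked out, administrators included, so add and hbactest an admin rule before disabling allow_all.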