On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal <d...@redhat.com> wrote:

>  On 07/09/2013 06:01 PM, KodaK wrote:
>
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>>  On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>>
>> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>
>>>
>>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>>
>>> I think you need to use pam_access to limit users in AIX.
>>>
>>>
>>  I have some work-arounds now, but I'd like to find a way to automate
>> them.  What
>> I need is a way to ask IPA "who is allowed to access this particular
>> server?"
>>
>>  The goal is go just get a list of allowed users, then there are various
>> mechanisms
>> I can employ to allow access to only the listed users.  I plan to do this
>> from the
>> puppet master so I can push the configs from there.  I have
>> ipa-admintools and
>> openldap-clients installed on the puppet master.
>>
>>  Right now I'm iterating through all the hbacrules and grepping for the
>> server in
>> question, then getting the details of that rule.  This is a lot of
>> requests.
>>
>>
>>
>>  A valid RFE I would say...
>> Maybe it should be an enhancement for the hbac-test tool?
>> However getting a list of the users verbatim is probably costly too.
>> Maybe it would make sense for you to create a group of AIX users in IPA
>> and then fetch it from the puppet master traverse its memberOf attribute
>> for list of members?
>> It will not use HBAC but still would provide some access control
>> optimization.
>> Will that solve the problem for you?
>>
>
>  I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group for
> each host called hostname_access -- but then I'm just replicating (quite
> inefficiently) information that already exists in the HBAC rules.  I can
> probably create one rule per host in HBAC and query that particular rule
> for the allowed users, but this loses the benefit of being able to use host
> and user groups.  This is probably where we'll end up, though, since it's
> the least-effort-to-implement (if worst to maintain) option.
>
>  How does sssd determine if a user is allowed access?  Another option may
> be to replicate that functionality in a program or script on the puppet
> master and have it populate some files once a day or so.  Alternately we
> could write a PAM module for AIX that replicates that functionality.  Right
> now, though, I have no idea how it's done in SSSD (a pointer to where it is
> in the code would be helpful, even.)
>  --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
>
> Here is another option, I do not know if that would work for you.
> It really depends on your setup.
> You can allow SSH into AIX machines only from a corresponding gateway
> machine.
> Say you have 5 classes of AIX machines then you will have 5 gateway
> machines.
> The access to a set of AIX machines will be restricted to SSH from a
> gateway system.
> Logging in to a gateway system would be protected with HBAC.
>
> Not the best but yet an alternative approach.
>
> If you go with the "implement yourself approach" on the puppet master you
> should take a look at the code of the library and see how it does things.
> It might be a good start.
>
>
Thanks, Dmitri.  IRT the gateway machines:  I can already block on a per
user basis using "AllowUsers" in sshd_config -- that's one of the
workarounds I'm using now.  This works, but I want to populate that
automatically via IPA and puppet.  Doing a gateway seems like a step back,
plus I'm sure my users would revolt. :)
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
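The per-host lookup KodaK is after (walk the HBAC rules, keep those that grant a given host and service, and turn the resulting user set into an sshd `AllowUsers` line for puppet to push) as an added example that is not part of this thread and not FreeIPA's or SSSD's own code. The shared C library Dmitri refers to is libipa_hbac in the SSSD tree; the script below only models the allow-rule semantics it implements: a rule grants access when it is enabled and its user, host and service parts each match, `all` categories match everything, nested groups are expanded, and the result is the union over all matching rules. All data here is constructed; the attribute names (`usercategory`, `memberhost_hostgroup`, `ipaenabledflag`, ...) are an assumption modelled on `ipa hbacrule-find --all` output, and in practice they would be filled from that command or an LDAP search against the IPA tree rather than hard-coded.

```python
"""Offline model of FreeIPA HBAC evaluation for one host and one PAM service.

Assumption: every rule, group and user below is constructed for this example.
Attribute names mirror `ipa hbacrule-find --all` output but are not taken from
any real IPA domain, and HBAC deny rules are not modelled (allow rules only).
"""
from typing import Dict, List, Set

Group = Dict[str, Set[str]]  # {"members": direct members, "groups": nested groups}

# Constructed sample directory data (assumption, not from the thread).
USER_GROUPS: Dict[str, Group] = {
    "aix_dba":     {"members": {"alice", "bob"}, "groups": set()},
    "unix_admins": {"members": {"carol"},        "groups": {"aix_dba"}},  # nested
    "developers":  {"members": {"dave"},         "groups": set()},
}
HOST_GROUPS: Dict[str, Group] = {
    "aix_db":  {"members": {"db1.example.com", "db2.example.com"}, "groups": set()},
    "aix_all": {"members": set(),                                    "groups": {"aix_db"}},
}
ALL_USERS = {"alice", "bob", "carol", "dave", "eve", "frank"}  # stands in for usercategory=all

HBAC_RULES: List[dict] = [
    {"cn": "admins_everywhere", "ipaenabledflag": True,
     "usercategory": None, "hostcategory": "all", "servicecategory": "all",
     "memberuser_user": set(), "memberuser_group": {"unix_admins"},
     "memberhost_host": set(), "memberhost_hostgroup": set(),
     "memberservice_hbacsvc": set()},
    {"cn": "dba_ssh_to_db", "ipaenabledflag": True,
     "usercategory": None, "hostcategory": None, "servicecategory": None,
     "memberuser_user": set(), "memberuser_group": {"aix_dba"},
     "memberhost_host": set(), "memberhost_hostgroup": {"aix_all"},
     "memberservice_hbacsvc": {"sshd"}},
    {"cn": "dev_ssh_to_build", "ipaenabledflag": True,
     "usercategory": None, "hostcategory": None, "servicecategory": None,
     "memberuser_user": {"frank"}, "memberuser_group": {"developers"},
     "memberhost_host": {"build1.example.com"}, "memberhost_hostgroup": set(),
     "memberservice_hbacsvc": {"sshd"}},
    {"cn": "allow_all_disabled", "ipaenabledflag": False,  # must be ignored
     "usercategory": "all", "hostcategory": "all", "servicecategory": "all",
     "memberuser_user": set(), "memberuser_group": set(),
     "memberhost_host": set(), "memberhost_hostgroup": set(),
     "memberservice_hbacsvc": set()},
]


def expand_group(name: str, groups: Dict[str, Group], seen: Set[str] = None) -> Set[str]:
    """Collect all direct and nested members of a group; cycle-safe, unknown group -> empty."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name]["members"])
    for nested in groups[name]["groups"]:
        members |= expand_group(nested, groups, seen)
    return members


def rule_matches_host(rule: dict, host: str, host_groups: Dict[str, Group]) -> bool:
    if rule["hostcategory"] == "all" or host in rule["memberhost_host"]:
        return True
    return any(host in expand_group(hg, host_groups) for hg in rule["memberhost_hostgroup"])


def rule_matches_service(rule: dict, service: str) -> bool:
    return rule["servicecategory"] == "all" or service in rule["memberservice_hbacsvc"]


def rule_users(rule: dict, user_groups: Dict[str, Group], all_users: Set[str]) -> Set[str]:
    if rule["usercategory"] == "all":
        return set(all_users)
    users = set(rule["memberuser_user"])
    for g in rule["memberuser_group"]:
        users |= expand_group(g, user_groups)
    return users


def allowed_users(host: str, service: str, rules: List[dict], user_groups: Dict[str, Group],
                  host_groups: Dict[str, Group], all_users: Set[str]) -> List[str]:
    """Union of users granted <service> on <host> by every enabled, matching rule."""
    allowed: Set[str] = set()
    for rule in rules:
        if not rule["ipaenabledflag"]:
            continue
        if rule_matches_host(rule, host, host_groups) and rule_matches_service(rule, service):
            allowed |= rule_users(rule, user_groups, all_users)
    return sorted(allowed)


def sshd_allowusers_line(users: List[str]) -> str:
    """Render the sshd_config directive; refuse an empty list rather than emit a bad directive."""
    if not users:
        raise ValueError("no HBAC rule grants sshd on this host; refusing to write AllowUsers")
    return "AllowUsers " + " ".join(users)


if __name__ == "__main__":
    for host in ("db1.example.com", "build1.example.com", "web1.example.com"):
        users = allowed_users(host, "sshd", HBAC_RULES, USER_GROUPS, HOST_GROUPS, ALL_USERS)
        print(f"{host}: {sshd_allowusers_line(users)}")
```

Because this mirrors the rule logic rather than asking IPA per user, a single dump of the rules and groups serves every host puppet manages, which removes the per-host grep loop; spot-check the generated list against `ipa hbactest` for a few user/host pairs before pushing it, since any divergence from libipa_hbac's semantics (deny rules, service groups) shows up there first.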
