Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Thu, Jul 11, 2013 at 5:19 PM, Dmitri Pal wrote:

>
> I am not good with ldap syntax but SQL is natural for me, so conceptually the
> search would look like this:
>
>
I don't think it's humanly possible to be good at ldap syntax.


> I hope it conveys what I have in mind. The result of such search would be
> a list of group members that have access to the host.
> This is pretty close to what you have done except it covers nested groups
> too and uses HBAC rules.
>
>
I haven't had any luck with nested groups at all anyway, so I avoid using
them.  I may give this idea some more thought.  Thanks.


> Private. I made a typo. It should have been V :-)
>
>
Ah, ok. :)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread KodaK
On Fri, Jul 12, 2013 at 7:31 AM, natxo asenjo wrote:

>
>>
> tcp wrappers support netgroups (iirc), you could use that too (you
> cannot mix hosts and users though, so you should create netgroups of
> users).
>
>
I haven't used tcp wrappers in years, and I never knew it supported
netgroups.  That's great to know, thanks!

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-12 Thread natxo asenjo

On 07/11/2013 11:39 PM, KodaK wrote:

> This only works for sshd, obviously.  We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off.  In the meantime I can use tcp-wrappers to only
> allow those machines that need
> to connect.  This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

tcp wrappers support netgroups (iirc), you could use that too (you
cannot mix hosts and users though, so you should create netgroups of
users).

--
groet,
natxo




Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread Dmitri Pal
On 07/11/2013 05:54 PM, KodaK wrote:
>
>
> On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal wrote:
>
> Well it is something like this that I had in mind. But you have
> beaten me...
> Great to see you found an acceptable solution.
>
>
> Acceptable is a strong word.  Maybe "passable" or Microsoft-style "it
> works, ship it."  :)
>
> Out of curiosity, what were your thoughts on a solution for us?  Did
> it differ significantly
> from what I'm doing?  (I'm always on the lookout for a better way.)

What you need is who can access a specific AIX machine, right?
You have several sets of AIX machines, say 5, each of which has an HBAC
rule that relates a group of users X to a group of AIX machines with the
same set of users.
If you have non-overlapping host groups you can fetch users with one
LDAP search from the puppet master.

I am not good with ldap syntax but SQL is natural for me, so conceptually
the search would look like this:

SELECT group.member FROM group JOIN hbac on group-DN JOIN host group on
hostgroup-DN WHERE hostgroup.member contains host X.

I hope it conveys what I have in mind. The result of such search would
be a list of group members that have access to the host.
This is pretty close to what you have done except it covers nested
groups too and uses HBAC rules.

>
> Also, what's PWT mail? 

Private. I made a typo. It should have been V :-)

> I assume some sort of encrypted or private mail, but I'm not
> familiar with the acronym.
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread KodaK
On Thu, Jul 11, 2013 at 4:42 PM, Dmitri Pal wrote:

> Well it is something like this that I had in mind. But you have beaten
> me...
> Great to see you found an acceptable solution.
>

Acceptable is a strong word.  Maybe "passable" or Microsoft-style "it
works, ship it."  :)

Out of curiosity, what were your thoughts on a solution for us?  Did it
differ significantly
from what I'm doing?  (I'm always on the lookout for a better way.)

Also, what's PWT mail?  I assume some sort of encrypted or private mail,
but I'm not
familiar with the acronym.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread Dmitri Pal
On 07/11/2013 05:39 PM, KodaK wrote:
> Just thought I'd pass along my work-around.
>
> I create a group for each host called hostname-access and populate
> each group with the users allowed to connect.
>
> Then, using puppet, I push out an sshd_config that has "AllowGroups:
> admins unixadmins hostname-access".
>
> The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"
>
> Then restart sshd.
>
> This is a lot of up-front work, but seems to be the easiest to
> maintain in the long run (at least until we can get
> AIX to honor HBAC rules.)  Unfortunately, I can't have groups of
> groups -- that would make initial setup even
> easier -- but I'm used to not having everything, as you can see. :)
>
> This only works for sshd, obviously.  We do currently have ftp and
> telnet open (yeah, I know) but I'm trying
> to get those turned off.  In the meantime I can use tcp-wrappers to
> only allow those machines that need
> to connect.  This is sub-optimal, since unauthorized users may be able
> to telnet in from those machines.

Well it is something like this that I had in mind. But you have beaten me...
Great to see you found an acceptable solution.

>
> --Jason
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread Dmitri Pal
On 07/10/2013 08:34 PM, KodaK wrote:
>
>
> On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo wrote:
>
> On 07/08/2013 07:44 PM, KodaK wrote:
>
> We've just discovered that AIX does not honor HBAC rules with
> telnet.
>   ssh is fine.
>
>
> no AIX experience, but I once overheard someone that did
> something like
> this using pam and apparently you could use the pam_permission module:
>
> 
> http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
>
> so you could add this to /etc/pam.conf
>
> telnet auth requisite /usr/lib/security/pam_permission
> file=/etc/pam.groups.telnet found=allow
>
> and create the file /etc/pam.groups.telnet with info like this:
>
> +@mygroup1
> +@mygroup2
> -@mygroup3
>
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
>
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
>
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
>
> Totally untested :-) but maybe worth a shot.
>
>
> Thanks.  I'm stuck though.
>
> IBM's insistence on doing everything Not Unix in AIX is frustrating my
> efforts.
>
> 1) they don't use straight up PAM.  They have some older version they
> include with the OS.
> 2) their version has very few modules that come with it.  It does,
> however, have pam_permission, but does not include pam_krb5.
>
> Here's the list:
>
> pam_aix        pam_allowroot   pam_mkuserhome   pam_prohibit
> pam_allow      pam_ckfile      pam_permission   pam_rhosts_auth
>
> That's a far cry from the 69 or so pam modules I see on Linux boxes.
>
> Before I can move on I have to get pam_krb5 to build for AIX and
> that's proving to be very difficult.
>
> I'm hoping the pam_hbac thing will pan out.
>
> I'm about ready to just yank Kerberos from the AIX machines and fall
> back to local authentication.
> The actual AIX admins seem to have no interest in helping me, so they
> can reap what they
> sow with their inaction and have to manage individual users on
> individual boxes.

How complex are your HBAC rules? Are they very dynamic or pretty static?
We might be able to tackle it from that side and come up with something
custom that would work for your case but not in general.
I think PWT mail for the real data would be appropriate.

>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-11 Thread KodaK
Just thought I'd pass along my work-around.

I create a group for each host called hostname-access and populate each
group with the users allowed to connect.

Then, using puppet, I push out an sshd_config that has "AllowGroups: admins
unixadmins hostname-access".

The erb is:  "AllowGroups: admins unixadmins <%= host %>-access"

Then restart sshd.

This is a lot of up-front work, but seems to be the easiest to maintain in
the long run (at least until we can get AIX to honor HBAC rules.)
Unfortunately, I can't have groups of groups -- that would make initial
setup even easier -- but I'm used to not having everything, as you can
see. :)

This only works for sshd, obviously.  We do currently have ftp and telnet
open (yeah, I know) but I'm trying to get those turned off.  In the
meantime I can use tcp-wrappers to only allow those machines that need to
connect.  This is sub-optimal, since unauthorized users may be able to
telnet in from those machines.

--Jason

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Wed, Jul 10, 2013 at 5:00 PM, natxo asenjo wrote:

> On 07/08/2013 07:44 PM, KodaK wrote:
>
>> We've just discovered that AIX does not honor HBAC rules with telnet.
>>   ssh is fine.
>>
>
> no AIX experience, but I once overheard someone that did something like
> this using pam and apparently you could use the pam_permission module:
>
> http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm
>
> so you could add this to /etc/pam.conf
>
> telnet auth requisite /usr/lib/security/pam_permission
> file=/etc/pam.groups.telnet found=allow
>
> and create the file /etc/pam.groups.telnet with info like this:
>
> +@mygroup1
> +@mygroup2
> -@mygroup3
>
> in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
> denied access.
>
> You could even harden it even more with good old tcp_wrappers
> (hosts.allow, hosts.deny).
>
> If you have a config tool (cfengine, puppet, whatever), this could be
> quite easy to distribute once properly tested.
>
> Totally untested :-) but maybe worth a shot.
>

Thanks.  I'm stuck though.

IBM's insistence on doing everything Not Unix in AIX is frustrating my
efforts.

1) they don't use straight up PAM.  They have some older version they
include with the OS.
2) their version has very few modules that come with it.  It does, however,
have pam_permission, but does not include pam_krb5.

Here's the list:

pam_aix        pam_allowroot   pam_mkuserhome   pam_prohibit
pam_allow      pam_ckfile      pam_permission   pam_rhosts_auth

That's a far cry from the 69 or so pam modules I see on Linux boxes.

Before I can move on I have to get pam_krb5 to build for AIX and that's
proving to be very difficult.

I'm hoping the pam_hbac thing will pan out.

I'm about ready to just yank Kerberos from the AIX machines and fall back
to local authentication.  The actual AIX admins seem to have no interest in
helping me, so they can reap what they sow with their inaction and have to
manage individual users on individual boxes.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread natxo asenjo

On 07/08/2013 07:44 PM, KodaK wrote:

> We've just discovered that AIX does not honor HBAC rules with telnet.
> ssh is fine.

no AIX experience, but I once overheard someone that did something like
this using pam and apparently you could use the pam_permission module:

http://pic.dhe.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpam_permission.htm

so you could add this to /etc/pam.conf

telnet auth requisite /usr/lib/security/pam_permission 
file=/etc/pam.groups.telnet found=allow


and create the file /etc/pam.groups.telnet with info like this:

+@mygroup1
+@mygroup2
-@mygroup3

in this case mygroup1 and mygroup2 may telnet, whereas mygroup3 is
denied access.

You could even harden it even more with good old tcp_wrappers
(hosts.allow, hosts.deny).

If you have a config tool (cfengine, puppet, whatever), this could be
quite easy to distribute once properly tested.

Totally untested :-) but maybe worth a shot.

--
groet,
natxo



Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Tue, Jul 9, 2013 at 5:43 PM, Dmitri Pal wrote:

>  On 07/09/2013 06:01 PM, KodaK wrote:
>
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote:
>
>>  On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>>
>> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
>>
>>>
>>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>>
>>> I think you need to use pam_access to limit users in AIX.
>>>
>>>
>>  I have some work-arounds now, but I'd like to find a way to automate
>> them.  What
>> I need is a way to ask IPA "who is allowed to access this particular
>> server?"
>>
>>  The goal is to just get a list of allowed users, then there are various
>> mechanisms
>> I can employ to allow access to only the listed users.  I plan to do this
>> from the
>> puppet master so I can push the configs from there.  I have
>> ipa-admintools and
>> openldap-clients installed on the puppet master.
>>
>>  Right now I'm iterating through all the hbacrules and grepping for the
>> server in
>> question, then getting the details of that rule.  This is a lot of
>> requests.
>>
>>
>>
>>  A valid RFE I would say...
>> May be it should be an enhancement for the hbac-test tool?
>> However getting a list of the users verbatim is probably costly too.
>> May be it would make sense for you to create a group of AIX users in IPA
>> and then fetch it from the puppet master traverse its memberOf attribute
>> for list of members?
>> It will not use HBAC but still would provide some access control
>> optimization.
>> Will that solve the problem for you?
>>
>
>  I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group for
> each host called hostname_access -- but then I'm just replicating (quite
> inefficiently) information that already exists in the HBAC rules.  I can
> probably create one rule per host in HBAC and query that particular rule
> for the allowed users, but this loses the benefit of being able to use host
> and user groups.  This is probably where we'll end up, though, since it's
> the least-effort-to-implement (if worst to maintain) option.
>
>  How does sssd determine if a user is allowed access?  Another option may
> be to replicate that functionality in a program or script on the puppet
> master and have it populate some files once a day or so.  Alternately we
> could write a PAM module for AIX that replicates that functionality.  Right
> now, though, I have no idea how it's done in SSSD (a pointer to where it is
> in the code would be helpful, even.)
>  --
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
>
> Here is another option, I do not know if that would work for you.
> It really depends on your setup.
> You can allow SSH into AIX machines only from a corresponding gateway
> machine.
> Say you have 5 classes of AIX machines then you will have 5 gateway
> machines.
> The access to a set of AIX machines will be restricted to SSH from a
> gateway system.
> Logging to a gateway system would be protected with HBAC.
>
> Not the best but yet an alternative approach.
>
> If you go with the "implement yourself approach" on the puppet master you
> should take a look at the code of the library and see how it does things.
> It might be a good start.
>
>
Thanks, Dmitri.  IRT the gateway machines:  I can already block on a per
user basis using "AllowUsers" in sshd_config -- that's one of the
workarounds I'm using now.  This works, but I want to populate that
automatically via IPA and puppet.  Doing a gateway seems like a step back,
plus I'm sure my users would revolt. :)

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread KodaK
On Wed, Jul 10, 2013 at 2:07 AM, Jakub Hrozek wrote:

> On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote:
> > On 07/09/2013 06:01 PM, KodaK wrote:
> > >
> > >
> > > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote:
> > >
> > > On 07/09/2013 03:57 PM, KodaK wrote:
> > >>
> > >>
> > >> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
> > >>
> > >>
> > >> HBAC is enforced by sssd, so no sssd, no HBAC.
> > >>
> > >> I think you need to use pam_access to limit users in AIX.
> > >>
> > >>
> > >> I have some work-arounds now, but I'd like to find a way to
> > >> automate them.  What
> > >> I need is a way to ask IPA "who is allowed to access this
> > >> particular server?"
> > >>
> > >> The goal is to just get a list of allowed users, then there are
> > >> various mechanisms
> > >> I can employ to allow access to only the listed users.  I plan to
> > >> do this from the
> > >> puppet master so I can push the configs from there.  I have
> > >> ipa-admintools and
> > >> openldap-clients installed on the puppet master.
> > >>
> > >> Right now I'm iterating through all the hbacrules and grepping
> > >> for the server in
> > >> question, then getting the details of that rule.  This is a lot
> > >> of requests.
> > >
> > >
> > > A valid RFE I would say...
> > > May be it should be an enhancement for the hbac-test tool?
> > > However getting a list of the users verbatim is probably costly
> too.
> > > May be it would make sense for you to create a group of AIX users
> > > in IPA and then fetch it from the puppet master traverse its
> > > memberOf attribute for list of members?
> > > It will not use HBAC but still would provide some access control
> > > optimization.
> > > Will that solve the problem for you?
> > >
> > >
> > > I thought about that, but there are some drawbacks.  I don't have "a"
> > > group of AIX users that access all AIX machines.  I have a bunch of
> > > different AIX machines with different user sets.  I can create a group
> > > for each host called hostname_access -- but then I'm just replicating
> > > (quite inefficiently) information that already exists in the HBAC
> > > rules.  I can probably create one rule per host in HBAC and query that
> > > particular rule for the allowed users, but this loses the benefit of
> > > being able to use host and user groups.  This is probably where we'll
> > > end up, though, since it's the least-effort-to-implement (if worst to
> > > maintain) option.
> > >
> > > How does sssd determine if a user is allowed access?  Another option
> > > may be to replicate that functionality in a program or script on the
> > > puppet master and have it populate some files once a day or so.
> > >  Alternately we could write a PAM module for AIX that replicates that
> > > functionality.  Right now, though, I have no idea how it's done in
> > > SSSD (a pointer to where it is in the code would be helpful, even.)
> > > --
> > > The government is going to read our mail anyway, might as well make it
> > > tough for them.  GPG Public key ID:  B6A1A7C6
> >
> > SSSD and IPA share the same library.
> > I do not remember the name of it but it takes input: user, host, service
> > and determines whether user is allowed or not.
> > It is written in C. So it probably can be ported to AIX.
> >
>
> The library that evaluates the rules comes from sssd and is called
> libipa_hbac.
>
> I actually wanted to implement the same couple of months ago
> to run on my NAS (which can't realistically run SSSD) at home:
> https://github.com/jhrozek/pam_hbac
>
> It's not complete but perhaps it's a start.
>


Thanks, Jakub, I'll take a look.

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-10 Thread Jakub Hrozek
On Tue, Jul 09, 2013 at 06:43:55PM -0400, Dmitri Pal wrote:
> On 07/09/2013 06:01 PM, KodaK wrote:
> >
> >
> > On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote:
> >
> > On 07/09/2013 03:57 PM, KodaK wrote:
> >>
> >>
> >> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
> >>
> >>
> >> HBAC is enforced by sssd, so no sssd, no HBAC.
> >>
> >> I think you need to use pam_access to limit users in AIX.
> >>
> >>
> >> I have some work-arounds now, but I'd like to find a way to
> >> automate them.  What
> >> I need is a way to ask IPA "who is allowed to access this
> >> particular server?"
> >>
> >> The goal is to just get a list of allowed users, then there are
> >> various mechanisms
> >> I can employ to allow access to only the listed users.  I plan to
> >> do this from the
> >> puppet master so I can push the configs from there.  I have
> >> ipa-admintools and
> >> openldap-clients installed on the puppet master.
> >>
> >> Right now I'm iterating through all the hbacrules and grepping
> >> for the server in 
> >> question, then getting the details of that rule.  This is a lot
> >> of requests.
> >
> >
> > A valid RFE I would say...
> > May be it should be an enhancement for the hbac-test tool?
> > However getting a list of the users verbatim is probably costly too.
> > May be it would make sense for you to create a group of AIX users
> > in IPA and then fetch it from the puppet master traverse its
> > memberOf attribute for list of members?
> > It will not use HBAC but still would provide some access control
> > optimization.
> > Will that solve the problem for you?
> >
> >
> > I thought about that, but there are some drawbacks.  I don't have "a"
> > group of AIX users that access all AIX machines.  I have a bunch of
> > different AIX machines with different user sets.  I can create a group
> > for each host called hostname_access -- but then I'm just replicating
> > (quite inefficiently) information that already exists in the HBAC
> > rules.  I can probably create one rule per host in HBAC and query that
> > particular rule for the allowed users, but this loses the benefit of
> > being able to use host and user groups.  This is probably where we'll
> > end up, though, since it's the least-effort-to-implement (if worst to
> > maintain) option.
> >
> > How does sssd determine if a user is allowed access?  Another option
> > may be to replicate that functionality in a program or script on the
> > puppet master and have it populate some files once a day or so.
> >  Alternately we could write a PAM module for AIX that replicates that
> > functionality.  Right now, though, I have no idea how it's done in
> > SSSD (a pointer to where it is in the code would be helpful, even.)
> > -- 
> > The government is going to read our mail anyway, might as well make it
> > tough for them.  GPG Public key ID:  B6A1A7C6 
> 
> SSSD and IPA share the same library.
> I do not remember the name of it but it takes input: user, host, service
> and determines whether user is allowed or not.
> It is written in C. So it probably can be ported to AIX.
> 

The library that evaluates the rules comes from sssd and is called libipa_hbac.

I actually wanted to implement the same couple of months ago
to run on my NAS (which can't realistically run SSSD) at home:
https://github.com/jhrozek/pam_hbac

It's not complete but perhaps it's a start.

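Dmitri's conceptual search (which users reach host X through the HBAC rules, nested groups included) and Jakub's description of libipa_hbac (user, host, service in; allowed or not out) are the same evaluation. The block below is an added example, not code from this thread, from FreeIPA or from SSSD: it models that evaluation offline over a constructed directory snapshot whose attribute names follow the FreeIPA schema, and renders the per-host sshd_config line KodaK wants to push from the puppet master.

```python
# Added example, not code from the thread, FreeIPA or SSSD: an offline model
# of HBAC evaluation over a constructed directory snapshot. Only the attribute
# names (member, memberUser, memberHost, memberService, userCategory,
# hostCategory, serviceCategory, ipaEnabledFlag) follow the FreeIPA schema.
from collections import deque

BASE = "dc=example,dc=test"  # constructed suffix


def dn(kind, name):
    """Build a DN in the container layout FreeIPA uses for each object type."""
    container = {
        "user": f"uid={name},cn=users,cn=accounts",
        "group": f"cn={name},cn=groups,cn=accounts",
        "host": f"fqdn={name},cn=computers,cn=accounts",
        "hostgroup": f"cn={name},cn=hostgroups,cn=accounts",
        "service": f"cn={name},cn=hbacservices,cn=hbac",
        "servicegroup": f"cn={name},cn=hbacservicegroups,cn=hbac",
        "rule": f"ipauniqueid={name},cn=hbac",
    }[kind]
    return f"{container},{BASE}"


# Constructed snapshot keyed by DN. Groups nest through "member"; rules point
# at users/groups, hosts/hostgroups and services/servicegroups.
DIRECTORY = {
    dn("user", "alice"): {}, dn("user", "bob"): {},
    dn("user", "carol"): {}, dn("user", "dave"): {},
    dn("group", "aixadmins"): {"member": [dn("user", "alice"), dn("group", "dbas")]},
    dn("group", "dbas"): {"member": [dn("user", "bob")]},
    dn("group", "developers"): {"member": [dn("user", "carol")]},
    dn("hostgroup", "aix-db"): {"member": [dn("host", "aixdb1.example.test"),
                                           dn("host", "aixdb2.example.test")]},
    dn("servicegroup", "remote-login"): {"member": [dn("service", "sshd"),
                                                    dn("service", "telnet")]},
    dn("rule", "r1"): {"cn": "aix_db_admins", "ipaEnabledFlag": "TRUE",
                       "memberUser": [dn("group", "aixadmins")],
                       "memberHost": [dn("hostgroup", "aix-db")],
                       "memberService": [dn("servicegroup", "remote-login")]},
    dn("rule", "r2"): {"cn": "devs_web_ssh", "ipaEnabledFlag": "TRUE",
                       "memberUser": [dn("group", "developers")],
                       "memberHost": [dn("host", "aixweb1.example.test")],
                       "memberService": [dn("service", "sshd")]},
    # A disabled catch-all rule: it must be skipped, or every host is open.
    dn("rule", "r3"): {"cn": "everyone_everywhere", "ipaEnabledFlag": "FALSE",
                       "userCategory": "all", "hostCategory": "all",
                       "serviceCategory": "all"},
}


def expand(dns):
    """All DNs reachable through nested "member" links; cycle-safe."""
    seen, queue = set(), deque(dns)
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        queue.extend(DIRECTORY.get(current, {}).get("member", []))
    return seen


def rule_applies(rule, host_dn, service_dn):
    """Host and service side of one rule; the user side is checked by callers."""
    if rule.get("ipaEnabledFlag") != "TRUE":
        return False
    host_ok = (rule.get("hostCategory") == "all"
               or host_dn in expand(rule.get("memberHost", [])))
    service_ok = (rule.get("serviceCategory") == "all"
                  or service_dn in expand(rule.get("memberService", [])))
    return host_ok and service_ok


def allowed_users(host, service):
    """The thread's question: which users may reach this host via this service?"""
    all_users = {d for d in DIRECTORY if d.startswith("uid=")}
    users = set()
    for entry_dn, entry in DIRECTORY.items():
        if not entry_dn.startswith("ipauniqueid="):
            continue  # not an HBAC rule
        if not rule_applies(entry, dn("host", host), dn("service", service)):
            continue
        if entry.get("userCategory") == "all":
            users |= all_users
        else:  # nested groups resolve here, which a flat per-host group misses
            users |= expand(entry.get("memberUser", [])) & all_users
    return sorted(u.split(",")[0][len("uid="):] for u in users)


def user_allowed(user, host, service):
    """libipa_hbac-style triple check: is (user, host, service) permitted?"""
    return user in allowed_users(host, service)


def sshd_allowusers_line(host):
    """Per-host sshd_config line to push from the puppet master; fails closed."""
    users = allowed_users(host, "sshd")
    return "AllowUsers " + " ".join(users) if users else "DenyUsers *"
```

Against a live server the same logic runs over the entries under cn=hbac and cn=accounts fetched with ldapsearch; the snapshot here only replaces that fetch.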


Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread Dmitri Pal
On 07/09/2013 06:01 PM, KodaK wrote:
>
>
> On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote:
>
> On 07/09/2013 03:57 PM, KodaK wrote:
>>
>>
>> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
>>
>>
>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>> I think you need to use pam_access to limit users in AIX.
>>
>>
>> I have some work-arounds now, but I'd like to find a way to
>> automate them.  What
>> I need is a way to ask IPA "who is allowed to access this
>> particular server?"
>>
>> The goal is to just get a list of allowed users, then there are
>> various mechanisms
>> I can employ to allow access to only the listed users.  I plan to
>> do this from the
>> puppet master so I can push the configs from there.  I have
>> ipa-admintools and
>> openldap-clients installed on the puppet master.
>>
>> Right now I'm iterating through all the hbacrules and grepping
>> for the server in 
>> question, then getting the details of that rule.  This is a lot
>> of requests.
>
>
> A valid RFE I would say...
> May be it should be an enhancement for the hbac-test tool?
> However getting a list of the users verbatim is probably costly too.
> May be it would make sense for you to create a group of AIX users
> in IPA and then fetch it from the puppet master traverse its
> memberOf attribute for list of members?
> It will not use HBAC but still would provide some access control
> optimization.
> Will that solve the problem for you?
>
>
> I thought about that, but there are some drawbacks.  I don't have "a"
> group of AIX users that access all AIX machines.  I have a bunch of
> different AIX machines with different user sets.  I can create a group
> for each host called hostname_access -- but then I'm just replicating
> (quite inefficiently) information that already exists in the HBAC
> rules.  I can probably create one rule per host in HBAC and query that
> particular rule for the allowed users, but this loses the benefit of
> being able to use host and user groups.  This is probably where we'll
> end up, though, since it's the least-effort-to-implement (if worst to
> maintain) option.
>
> How does sssd determine if a user is allowed access?  Another option
> may be to replicate that functionality in a program or script on the
> puppet master and have it populate some files once a day or so.
>  Alternately we could write a PAM module for AIX that replicates that
> functionality.  Right now, though, I have no idea how it's done in
> SSSD (a pointer to where it is in the code would be helpful, even.)
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6 

SSSD and IPA share the same library.
I do not remember the name of it but it takes input: user, host, service
and determines whether user is allowed or not.
It is written in C. So it probably can be ported to AIX.

Here is another option, I do not know if that would work for you.
It really depends on your setup.
You can allow SSH into AIX machines only from a corresponding gateway
machine.
Say you have 5 classes of AIX machines then you will have 5 gateway
machines.
The access to a set of AIX machines will be restricted to SSH from a
gateway system.
Logging to a gateway system would be protected with HBAC.

Not the best but yet an alternative approach.

If you go with the "implement yourself approach" on the puppet master
you should take a look at the code of the library and see how it does
things. It might be a good start.


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Tue, Jul 9, 2013 at 4:27 PM, Dmitri Pal wrote:

>  On 07/09/2013 03:57 PM, KodaK wrote:
>
>
>
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
>
>>
>> HBAC is enforced by sssd, so no sssd, no HBAC.
>>
>> I think you need to use pam_access to limit users in AIX.
>>
>>
>  I have some work-arounds now, but I'd like to find a way to automate
> them.  What
> I need is a way to ask IPA "who is allowed to access this particular
> server?"
>
>  The goal is to just get a list of allowed users, then there are various
> mechanisms
> I can employ to allow access to only the listed users.  I plan to do this
> from the
> puppet master so I can push the configs from there.  I have ipa-admintools
> and
> openldap-clients installed on the puppet master.
>
>  Right now I'm iterating through all the hbacrules and grepping for the
> server in
> question, then getting the details of that rule.  This is a lot of
> requests.
>
>
>
> A valid RFE I would say...
> May be it should be an enhancement for the hbac-test tool?
> However getting a list of the users verbatim is probably costly too.
> May be it would make sense for you to create a group of AIX users in IPA
> and then fetch it from the puppet master traverse its memberOf attribute
> for list of members?
> It will not use HBAC but still would provide some access control
> optimization.
> Will that solve the problem for you?
>

I thought about that, but there are some drawbacks.  I don't have "a" group
of AIX users that access all AIX machines.  I have a bunch of different AIX
machines with different user sets.  I can create a group for each host
called hostname_access -- but then I'm just replicating (quite
inefficiently) information that already exists in the HBAC rules.  I can
probably create one rule per host in HBAC and query that particular rule
for the allowed users, but this loses the benefit of being able to use host
and user groups.  This is probably where we'll end up, though, since it's
the least-effort-to-implement (if worst to maintain) option.

How does sssd determine if a user is allowed access?  Another option may be
to replicate that functionality in a program or script on the puppet master
and have it populate some files once a day or so.  Alternately we could
write a PAM module for AIX that replicates that functionality.  Right now,
though, I have no idea how it's done in SSSD (a pointer to where it is in
the code would be helpful, even.)
-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6
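An added example, not code from the thread, sssd or FreeIPA: a small offline model of how an HBAC allow rule matches a (user, host, service) triple, which is what the puppet-master approach above would need, and what Rob's pam_access suggestion would consume. Every rule, user, group, host and service below is constructed for the example; the attribute names in the comments mirror what `ipa hbacrule-show` prints, but the evaluation order and the `access.conf` rendering are this example's own simplification, not sssd's implementation.

```python
"""Offline model of IPA HBAC allow-rule evaluation (constructed example).

Answers "which users may reach host H over service S?" from a dump of
rules and (possibly nested) groups, then renders the answer as
pam_access(8) access.conf lines. Not sssd's code; a simplified model.
"""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class HbacRule:
    # Field comments name the hbacrule attribute each set stands in for.
    name: str
    enabled: bool = True                                   # ipaenabledflag
    users: Set[str] = field(default_factory=set)           # memberuser_user
    user_groups: Set[str] = field(default_factory=set)     # memberuser_group
    hosts: Set[str] = field(default_factory=set)           # memberhost_host
    host_groups: Set[str] = field(default_factory=set)     # memberhost_hostgroup
    services: Set[str] = field(default_factory=set)        # memberservice_hbacsvc
    service_groups: Set[str] = field(default_factory=set)  # memberservice_hbacsvcgroup
    user_cat_all: bool = False      # usercategory=all
    host_cat_all: bool = False      # hostcategory=all
    service_cat_all: bool = False   # servicecategory=all


# Constructed directory: group -> direct members and nested groups.
USER_GROUPS: Dict[str, dict] = {
    "aix_admins": {"members": {"alice"}, "groups": {"aix_ops"}},
    "aix_ops":    {"members": {"bob"},   "groups": set()},
    "dba":        {"members": {"carol"}, "groups": set()},
}
HOST_GROUPS: Dict[str, dict] = {
    "aix_hosts": {"members": {"sla765q1.example.test",
                              "sla765q2.example.test"}, "groups": set()},
}
SERVICE_GROUPS: Dict[str, dict] = {
    "remote_access": {"members": {"sshd", "telnet"}, "groups": set()},
}
ALL_USERS = {"alice", "bob", "carol", "dave"}

RULES = [
    HbacRule("aix_admins_any_service", user_groups={"aix_admins"},
             host_groups={"aix_hosts"}, service_cat_all=True),
    HbacRule("dba_ssh_sla765q1", user_groups={"dba"},
             hosts={"sla765q1.example.test"}, services={"sshd"}),
    HbacRule("dave_telnet_everywhere", enabled=False, users={"dave"},
             host_cat_all=True, services={"telnet"}),
    HbacRule("everyone_remote_web01", user_cat_all=True,
             hosts={"web01.example.test"}, service_groups={"remote_access"}),
]


def expand(group: str, table: Dict[str, dict], seen=None) -> Set[str]:
    """Flatten a group into its members, following nested groups.
    `seen` stops recursion on membership cycles."""
    seen = set() if seen is None else seen
    if group in seen or group not in table:
        return set()
    seen.add(group)
    members = set(table[group]["members"])
    for sub in table[group]["groups"]:
        members |= expand(sub, table, seen)
    return members


def groups_of(member: str, table: Dict[str, dict]) -> Set[str]:
    """Every group whose flattened membership contains `member`."""
    return {g for g in table if member in expand(g, table)}


def rule_allows(rule: HbacRule, user: str, host: str, service: str) -> bool:
    """A rule matches only if it is enabled and user, host AND service each
    match (directly, via a group, or via the 'all' category)."""
    if not rule.enabled:
        return False
    user_ok = (rule.user_cat_all or user in rule.users
               or bool(rule.user_groups & groups_of(user, USER_GROUPS)))
    host_ok = (rule.host_cat_all or host in rule.hosts
               or bool(rule.host_groups & groups_of(host, HOST_GROUPS)))
    svc_ok = (rule.service_cat_all or service in rule.services
              or bool(rule.service_groups & groups_of(service, SERVICE_GROUPS)))
    return user_ok and host_ok and svc_ok


def is_allowed(user: str, host: str, service: str, rules=RULES) -> bool:
    """HBAC rules are allow-only: any single matching rule grants access."""
    return any(rule_allows(r, user, host, service) for r in rules)


def allowed_users(host: str, service: str, rules=RULES, users=ALL_USERS) -> Set[str]:
    """The per-host list the thread asks for."""
    return {u for u in users if is_allowed(u, host, service, rules)}


def access_conf_lines(host: str, service: str) -> str:
    """Render as pam_access access.conf: permit the listed users from any
    origin, deny everyone else. (A real file would also keep a local
    break-glass account or console rule above the final deny.)"""
    users = sorted(allowed_users(host, service))
    lines = ["+ : %s : ALL" % " ".join(users)] if users else []
    lines.append("- : ALL : ALL")
    return "\n".join(lines)


if __name__ == "__main__":
    for h, s in [("sla765q1.example.test", "telnet"),
                 ("sla765q1.example.test", "sshd"),
                 ("web01.example.test", "login")]:
        print(h, s, sorted(allowed_users(h, s)))
        print(access_conf_lines(h, s))
```

Running it shows the two points the thread turns on: bob is admitted to sla765q1 over telnet only through the nested aix_ops -> aix_admins membership, and a disabled rule (dave's) contributes nothing, so a generator that skips nested expansion or the enabled flag would produce a wrong list.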

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread Dmitri Pal
On 07/09/2013 03:57 PM, KodaK wrote:
>
>
> On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden wrote:
>
>
> HBAC is enforced by sssd, so no sssd, no HBAC.
>
> I think you need to use pam_access to limit users in AIX.
>
>
> I have some work-arounds now, but I'd like to find a way to automate
> them.  What I need is a way to ask IPA "who is allowed to access this
> particular server?"
>
> The goal is to just get a list of allowed users, then there are various
> mechanisms I can employ to allow access to only the listed users.  I plan
> to do this from the puppet master so I can push the configs from there.
> I have ipa-admintools and openldap-clients installed on the puppet master.
>
> Right now I'm iterating through all the hbacrules and grepping for the
> server in question, then getting the details of that rule.  This is a lot
> of requests.


A valid RFE I would say...
May be it should be an enhancement for the hbac-test tool?
However getting a list of the users verbatim is probably costly too.
May be it would make sense for you to create a group of AIX users in IPA
and then fetch it from the puppet master traverse its memberOf attribute
for list of members?
It will not use HBAC but still would provide some access control
optimization.
Will that solve the problem for you?


>
>
> -- 
> The government is going to read our mail anyway, might as well make it
> tough for them.  GPG Public key ID:  B6A1A7C6
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-09 Thread KodaK
On Mon, Jul 8, 2013 at 12:50 PM, Rob Crittenden  wrote:

>
> HBAC is enforced by sssd, so no sssd, no HBAC.
>
> I think you need to use pam_access to limit users in AIX.
>
>
I have some work-arounds now, but I'd like to find a way to automate them.
What I need is a way to ask IPA "who is allowed to access this particular
server?"

The goal is to just get a list of allowed users, then there are various
mechanisms I can employ to allow access to only the listed users.  I plan
to do this from the puppet master so I can push the configs from there.
I have ipa-admintools and openldap-clients installed on the puppet master.

Right now I'm iterating through all the hbacrules and grepping for the
server in question, then getting the details of that rule.  This is a lot
of requests.


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

Re: [Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-08 Thread Rob Crittenden

KodaK wrote:

We've just discovered that AIX does not honor HBAC rules with telnet.
  ssh is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
-
Access granted: False
-

There was no telnet service by default, I created one (but I'm not sure
I did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
-
Access granted: False
-

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
  telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user
and then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or
if AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political
pressure to keep it open.

Anyone have any ideas for things I could try?


HBAC is enforced by sssd, so no sssd, no HBAC.

I think you need to use pam_access to limit users in AIX.

rob



[Freeipa-users] Glaring hole in AIX telnet regarding HBAC rules

2013-07-08 Thread KodaK
We've just discovered that AIX does not honor HBAC rules with telnet.  ssh
is fine.

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=sshd
-
Access granted: False
-

There was no telnet service by default, I created one (but I'm not sure I
did so correctly.)

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=telnet
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com
Service: any
-
Access granted: False
-

[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host=sla765q1.unix.magellanhealth.com --service=login
-
Access granted: False
-

But:

[jebalicki@mo0033802 ~]$ telnet sla765q1
Trying 10.200.5.137...
Connected to sla765q1.
Escape character is '^]'.
 telnet (sla765q1.unix.magellanhealth.com)
[login banner and blank lines removed]
AIX Version 6
Copyright IBM Corporation, 1982, 2011.
login: testuser
testuser's Password:
-bash-3.2$ logout
Connection closed by foreign host.

AIX was configured with standard authentication at first:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Standard Aix

But I changed that to add kerberos:

r...@sla765q1.unix.magellanhealth.com:/etc/security/ldap # lsauthent
Kerberos 5
Standard Aix

However, all that does is cause kerberos to timeout on the invalid user and
then fall back to allowing the user in anyway.

I'm still investigating to see if this is an implementation problem, or if
AIX is just incapable of this.

I continue to lobby for turning off telnet, but there is political pressure
to keep it open.

Anyone have any ideas for things I could try?

Thanks,

--Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6