On Sun, 30 Apr 2017, Alexey Kamenskiy wrote:
Thank you for your comment, please see below:

On Sun, Apr 30, 2017 at 3:51 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:

In FreeIPA HBAC rules we used to support source host access control.
However, it was disabled and deprecated. While SSSD still supports it,
PAM applications like sshd pass rhost information to PAM based on what
they received from their own clients.

There is no normalized way to report a trusted rhost value, so you might
get both CIDR or host name or fully qualified host name or spoofed
host name from PAM application.
In the end, FreeIPA disabled source host access control on its side.
SSSD still would try to enforce source host if the rule has it set, but
unmodified FreeIPA HBAC management commands do not add source host
attributes into the rules, so they never get matched by SSSD.


Applied to ssh, is the rhost visible to SSSD the one that the client reports to
the ssh server? Apologies if this is a stupid question, but is there any way
inside SSSD to get the source IP/FQDN without using the rhost set by the client?
That would help to avoid any spoofing possibility, I guess.
OpenSSH bases its decision on the length of a hostname in utmp record,
with a catch. At least on Linux, UT_HOSTSIZE is 256 but MAXHOSTNAMELEN
in kernel is set to 64. OpenSSH uses the latter, not the former. So if
your hostname is shorter than 64 characters, it will be canonicalized
and provided to PAM stack as rhost. If not, your IP address will be
provided.

On the other hand to even spoof a remote host attacker needs to know which
host/IP is allowed to access and also which form is entered into LDAP.
It just needs to be able to connect to your system multiple times, that's
all.


--
/ Alexander Bokovoy
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
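As an added illustration, not code from this thread or from FreeIPA, SSSD or OpenSSH, the following Python models the problem the thread describes from a defender's side: the rhost string a PAM application hands over can be an IP, a CIDR, a short name or an FQDN, and (as stated above for Linux) sshd passes the canonical hostname only when it is shorter than MAXHOSTNAMELEN (64) and the peer IP otherwise. The function names, the sample rule entries and the constructed host names are assumptions made for this example; the point it demonstrates is that the same client can show up in different forms, so a naive source-host match is unreliable.

```python
import ipaddress

# Assumed constant, taken from the thread's description of the Linux kernel limit.
MAXHOSTNAMELEN = 64


def classify_rhost(rhost: str) -> str:
    """Classify a PAM rhost string as one of: empty, ip, cidr, fqdn, shortname."""
    if not rhost:
        return "empty"
    try:
        # ip_network accepts both a bare address ("10.0.0.5") and a prefix.
        ipaddress.ip_network(rhost, strict=False)
        return "cidr" if "/" in rhost else "ip"
    except ValueError:
        pass
    name = rhost.rstrip(".")
    return "fqdn" if "." in name else "shortname"


def sshd_rhost(canonical_name: str, peer_ip: str,
               maxhostnamelen: int = MAXHOSTNAMELEN) -> str:
    """Model of the sshd behaviour the thread describes: the canonicalized
    hostname is given to PAM as rhost only if it fits the kernel limit,
    otherwise the peer IP address is passed instead."""
    if canonical_name and len(canonical_name) < maxhostnamelen:
        return canonical_name
    return peer_ip


def _normalize_name(host: str) -> str:
    # Strip a trailing dot and case-fold; DNS names are case-insensitive.
    return host.rstrip(".").lower()


def source_host_matches(rhost: str, rule_hosts) -> bool:
    """Naive HBAC-style source-host check of an rhost value against a list
    of rule entries (IPs, CIDRs, hostnames). Constructed for illustration:
    an address only matches address/prefix entries, and a name only matches
    name entries, which is exactly where form mismatches bite."""
    kind = classify_rhost(rhost)
    for entry in rule_hosts:
        ekind = classify_rhost(entry)
        if kind == "ip" and ekind in ("ip", "cidr"):
            if ipaddress.ip_address(rhost) in ipaddress.ip_network(entry, strict=False):
                return True
        elif kind in ("fqdn", "shortname") and ekind in ("fqdn", "shortname"):
            if _normalize_name(rhost) == _normalize_name(entry):
                return True
    return False


def demo():
    """Walk through the forms one client can take; all values are constructed."""
    rule = ["10.0.0.0/24", "bastion.example.test"]
    short_name = "bastion.example.test"
    long_name = "a" * 70 + ".example.test"  # longer than MAXHOSTNAMELEN
    return {
        # Short canonical name: PAM sees the name, which matches the rule entry.
        "short": source_host_matches(sshd_rhost(short_name, "10.0.0.5"), rule),
        # Long canonical name: PAM sees the IP instead, matched only via the CIDR.
        "long": source_host_matches(sshd_rhost(long_name, "10.0.0.6"), rule),
        # Same host given as an unqualified name: no match against the FQDN entry.
        "unqualified": source_host_matches("bastion", rule),
        # Same host as an IP against a name-only rule: no match at all.
        "ip_vs_name": source_host_matches("10.0.0.5", ["bastion.example.test"]),
    }


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {'match' if matched else 'no match'}")
```

Running the script shows one host matching or failing the same rule depending purely on which form reached PAM, which is the reason given above for FreeIPA dropping source-host access control rather than trying to normalize the value.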
