On Mon, 29 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
In our setup, a service is running on some server machine, say,
"sample/servername.domain" and a client for that service is
running on a workstation (using the sample gssapi client and
server code from the kerberos sources). Now, what is the proper
way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no
other machine of the Kerberos realm.
2. Deny access to sample/servername.domain from any host except
from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
I don't quite understand how that fits into chapter 10/19 or 31 of
the "Linux Domain Identity, Authentication, and Policy Guide" for
RHEL 7. Chapter 10 deals with access to FreeIPA internal
objects, and chapter 31 describes host-based access control. But
how is access control done for someuser@clientmachine ->
service@servermachine?
A recommended way is to teach your application to use PAM for
authorization and set the PAM configuration to use pam_sss.so for session
and access checks. SSSD will handle HBAC rule application
automatically once your app tries to do an access check for a user.
HBAC rules do not have limits per source from which the application gets
a request, because that is relatively easy to spoof.
The rest, as documented for HBAC rules, applies here.
Sure, you might want to try to deny application-level access to
connections that do not come from a specific host, but this is outside of
HBAC and more a matter of application logic.
Note that in Kerberos you are not guaranteed to be able to make any decision
based on the source address of an incoming connection that presents a
Kerberos service ticket. You might get the information from the ticket
itself, but it could be wrong due to the use of NATs and other types of
firewall traversal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
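The following script is an added example (not code from the thread or from the FreeIPA project) of the approach recommended above: give the application its own PAM service that delegates the account check to pam_sss.so, then define the HBAC service and rules that SSSD evaluates for that PAM service name. The PAM service name "sample", the host names servername.domain and workstation.domain, and the rule names are assumed placeholders; the ipa commands need an admin ticket (kinit admin) and are only run when the script is invoked with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the original thread. Wires a custom GSSAPI
# service into SSSD's HBAC evaluation via PAM and creates the HBAC rules
# for requirements 1, 3, 4 and 5 from the question. Requirement 2
# (accept connections only from the workstation) is not an HBAC concept:
# SSSD cannot verify the source of a connection, so that check stays in
# the application.
#
# Assumed placeholders: PAM/HBAC service "sample", server host
# servername.domain, workstation workstation.domain, users foo and bar.
set -eu

PAM_SERVICE=sample
SERVER=servername.domain
WORKSTATION=workstation.domain

# 1. PAM stack for the application. After accepting the GSSAPI context the
#    server maps the client principal to a local user and calls
#    pam_start("sample", user, ...), pam_acct_mgmt() and pam_open_session().
#    pam_sss.so answers the "account" check by asking SSSD, which evaluates
#    the HBAC rules for (user, this host, service "sample").
write_pam_config() {
    path=$1
    cat > "$path" <<'EOF'
# /etc/pam.d/sample
# No "auth" lines: the Kerberos handshake already authenticated the client.
account  required  pam_sss.so
session  optional  pam_sss.so
EOF
}

# 2. HBAC objects. The HBAC service name must equal the PAM service name,
#    otherwise SSSD finds no matching rule and denies access.
configure_hbac() {
    ipa hbacsvc-add "$PAM_SERVICE" --desc="sample GSSAPI service" || true

    # foo, and only foo, may use "sample" on the server (requirements 3, 4).
    ipa hbacrule-add allow_foo_sample
    ipa hbacrule-add-user allow_foo_sample --users=foo
    ipa hbacrule-add-host allow_foo_sample --hosts="$SERVER"
    ipa hbacrule-add-service allow_foo_sample --hbacsvcs="$PAM_SERVICE"

    # foo and bar may log in to the workstation (requirement 1).
    ipa hbacrule-add workstation_login
    ipa hbacrule-add-user workstation_login --users=foo --users=bar
    ipa hbacrule-add-host workstation_login --hosts="$WORKSTATION"
    ipa hbacrule-add-service workstation_login --hbacsvcs=sshd --hbacsvcs=login

    # The default rule grants every user every service on every host.
    # Disabling it makes the rules above the only grants (requirements 1, 5),
    # so make sure a rule covering admin access to the IPA servers exists
    # before running this, or you lock yourself out.
    ipa hbacrule-disable allow_all
}

# 3. Check the result server-side without touching the application.
verify_hbac() {
    ipa hbactest --user=foo --host="$SERVER" --service="$PAM_SERVICE"
    ipa hbactest --user=bar --host="$SERVER" --service="$PAM_SERVICE"
    ipa hbactest --user=bar --host="$SERVER" --service=sshd
}

main() {
    write_pam_config "/etc/pam.d/$PAM_SERVICE"
    configure_hbac
    verify_hbac
}

# Sourcing the file only defines the functions; changes need "apply".
if [ "${1:-}" = apply ]; then
    main
fi
```

The three ipa hbactest calls should report access granted for foo on "sample" and access denied for bar on both "sample" and sshd. The workstation_login rule lists sshd and login only; add whatever other PAM services (gdm, su, ...) the workstation actually uses.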
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]