Kevin Vasko wrote:
> Thanks Rob.
>
> ipa hbactest --user testaccount --host testsystem.example.com
> --service sftp
> --------------------
> Access granted: True
>
> ipa hbactest --user testaccount --host testsystem.example.com
> --service sshd
> --------------------
> Access granted: False
>
> So the HBAC works from FreeIPA...however when I actually put rubber to
> the road
>
> "sftp [email protected]"
> Password:
> Connection closed by UNKNOWN port 65535
> Connection closed.
>
> On the server it is denying it because it seems to be using sshd like
> Ahti Seier mentioned.

You'd have to enable debugging in SSSD to see what is happening.

I did the same and copied the pam sshd to sftp and it just worked for
me, assuming I didn't screw something up.

rob

>
> On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <[email protected]
> <mailto:[email protected]>> wrote:
>
> Kevin Vasko via FreeIPA-users wrote:
> > Try to make this simple.
> >
> > Have a HBAC, have the "Who" set to a user, have the "Accessing"
> > set to a server.
> >
> > Have the "Via Service" set to "sshd". The user can ssh into the server
> > no issue.
> >
> > I want to limit this user to only being able to sftp into this server
> > (no direct ssh).
> >
> > If I swap the "Via Service" from the sshd service to sftp that user is
> > now denied. They cannot access the server via sftp or ssh. I would
> > expect it to deny ssh access but allow sftp.
> >
> > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > here
> >
> > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > but that didn't seem to work.
> >
> > Can you point me to the instructions on how to make the HBAC work
> > with a particular service (e.g. sftp)?
>
> I just tested this and it works fine for me. I had to create an
> allow_sshd HBAC rule which granted sshd access after I disabled the
> allow_all rule.
>
> You can test your rules with:
> ipa hbactest --user admin --host replica.example.test --service sshd
>
> and
>
> ipa hbactest --user admin --host replica.example.test --service sftp
>
> And replace user with whatever user can only access via sftp. It should
> fail for sshd.
>
> It would help to see the output of these hbactest runs.
>
> rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
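Rob's advice to enable SSSD debugging is the check that settles the question in this thread: `ipa hbactest` evaluates whatever service name you pass it, but the host only ever passes SSSD the PAM service name the daemon actually used. The following is an added example, not code from the thread or from the FreeIPA/SSSD projects: a small Python parser over constructed `sssd_pam.log` lines. The line layout (the `pam_print_data` key/value lines and the `pam_reply` result line written by SSSD's PAM responder) is assumed from the log format as I know it; the timestamps, users and client address are made up. It groups each PAM request's user, service and result so an admin can see, as Kevin's server shows, that the login attempted over sftp is evaluated under the service `sshd`, which is why an HBAC rule for the service `sftp` never matches.

```python
import re
from typing import List, Optional

# Constructed sample in the SSSD PAM responder's debug-log layout (assumption):
# one denied SSS_PAM_ACCT_MGMT request for "testaccount" (the sftp attempt) and
# one allowed request for "admin". Users, host and timestamps are made up.
SAMPLE_LOG = """\
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): user: testaccount
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): ruser:
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_print_data] (0x0100): rhost: 192.0.2.10
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:
(Tue May 16 12:57:10 2023) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied.
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_print_data] (0x0100): domain: not set
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_print_data] (0x0100): user: admin
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_print_data] (0x0100): service: sshd
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_print_data] (0x0100): tty: ssh
(Tue May 16 12:58:02 2023) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

# One SSSD log line: (timestamp) [component] [function] (debug bit): message
# Both the older "[sssd[pam]]" and the newer "[pam]" component tags are accepted.
LINE_RE = re.compile(
    r"^\([^)]*\):? \[(?:sssd\[pam\]|pam)\] \[(?P<func>\w+)\] \(0x[0-9a-fA-F]+\): (?P<msg>.*)$"
)
REPLY_RE = re.compile(r"result \[(?P<code>\d+)\]: (?P<text>.*?)\.?$")


def parse_pam_requests(log_text: str) -> List[dict]:
    """Group pam_print_data / pam_reply lines into one record per PAM request."""
    requests: List[dict] = []
    current: Optional[dict] = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM responder line (or a layout we do not parse)
        func, msg = m.group("func"), m.group("msg")
        if func == "pam_print_data":
            key, _, value = msg.partition(":")
            key, value = key.strip(), value.strip()
            if key == "command":
                # Each request begins with its command; ACCT_MGMT is the phase where
                # SSSD applies the HBAC rules fetched from FreeIPA.
                current = {"command": value, "user": None, "service": None,
                           "result_code": None, "result_text": None}
                requests.append(current)
            elif current is not None and key in ("user", "service"):
                current[key] = value
        elif func == "pam_reply" and current is not None:
            r = REPLY_RE.search(msg)
            if r:
                current["result_code"] = int(r.group("code"))
                current["result_text"] = r.group("text")
    return requests


def services_seen_for(user: str, requests: List[dict]) -> set:
    """PAM service names under which SSSD evaluated requests for this user."""
    return {r["service"] for r in requests if r["user"] == user and r["service"]}


def denied_requests(requests: List[dict]) -> List[dict]:
    """Requests whose pam_reply carried a non-zero (failure) result code."""
    return [r for r in requests if r["result_code"] not in (None, 0)]


if __name__ == "__main__":
    reqs = parse_pam_requests(SAMPLE_LOG)
    for r in reqs:
        print(f'{r["command"]:18} user={r["user"]:12} service={r["service"]:6} '
              f'result={r["result_code"]} ({r["result_text"]})')
    seen = services_seen_for("testaccount", reqs)
    if "sftp" not in seen:
        print(f"testaccount was only evaluated under {sorted(seen)}; "
              "an HBAC rule whose service is 'sftp' can never match these requests.")
```

Run it against a real `/var/log/sssd/sssd_pam.log` by reading the file into `parse_pam_requests` instead of `SAMPLE_LOG`; if the parser returns nothing, the responder's debug level is too low to emit the `pam_print_data` lines, which is exactly the "enable debugging in SSSD" step from the thread.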
