Kevin Vasko wrote:
> Rob, do you by chance maybe have sshd and sftp in your "Via Services"
> permissions? If I have the sshd service enabled in my "Via services"
> then "sftp" works for me as well, but it's still under the hood
> authenticating with sshd even though I am trying to connect with the
> "sftp" command. "pam_sss" in the logs shows it's using sshd, even though
> I have /etc/pam.d/sshd copied over to /etc/pam.d/sftp. I think this
> might have something to do with "sftp" actually using "sshd" to do
> the auth?
>
> May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth):
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=192.168.0.127 user=exampleserver
> May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access
> denied for user testuser: 6 (Permission denied)

So yeah, I think I did my testing a bit too quickly. I looked again and
enabled debug logging in sssd, and the pam service that sftp uses is sshd.

I think the suggestion to use groups for access control looks like your
best bet. You might want to suggest to the openssh folks that a different
pam service would be helpful.

rob

> On Tue, May 16, 2023 at 4:06 PM Rob Crittenden <[email protected]> wrote:
>
> > Kevin Vasko wrote:
> > > Thanks Rob.
> > >
> > > ipa hbactest --user testaccount --host testsystem.example.com --service sftp
> > > --------------------
> > > Access granted: True
> > >
> > > ipa hbactest --user testaccount --host testsystem.example.com --service sshd
> > > --------------------
> > > Access granted: False
> > >
> > > So the HBAC works from FreeIPA... however, when I actually put rubber to
> > > the road:
> > >
> > > "sftp [email protected]"
> > > Password:
> > > Connection closed by UNKNOWN port 65535
> > > Connection closed.
> > >
> > > On the server it is denying it because it seems to be using sshd, like
> > > Ahti Seier mentioned.
> >
> > You'd have to enable debugging in SSSD to see what is happening. I did
> > the same and copied the pam sshd to sftp and it just worked for me,
> > assuming I didn't screw something up.
> >
> > rob
> >
> > > On Tue, May 16, 2023 at 12:56 PM Rob Crittenden <[email protected]> wrote:
> > >
> > > > Kevin Vasko via FreeIPA-users wrote:
> > > > > Try to make this simple.
> > > > >
> > > > > Have an HBAC rule, have the "Who" set to a user, have the "Accessing"
> > > > > set to a server.
> > > > >
> > > > > Have the "Via Service" set to "sshd". The user can ssh into the server,
> > > > > no issue.
> > > > >
> > > > > I want to limit this user to only being able to sftp into this server
> > > > > (no direct ssh).
> > > > >
> > > > > If I swap the "Via Service" from the sshd service to sftp, that user is
> > > > > now denied. They cannot access the server via sftp or ssh. I would
> > > > > expect it to deny ssh access but allow sftp.
> > > > >
> > > > > I did copy "cp /etc/pam.d/sshd /etc/pam.d/sftp" as I saw it mentioned
> > > > > here
> > > > >
> > > > > https://freeipa-users.redhat.narkive.com/tFQFZmNu/hbac-service-allowed-despite-not-listed
> > > > >
> > > > > but that didn't seem to work.
> > > > >
> > > > > Can you point me to the instructions on how to make the HBAC rule work
> > > > > with a particular service (e.g. sftp)?
> > > >
> > > > I just tested this and it works fine for me. I had to create an
> > > > allow_sshd HBAC rule which granted sshd access after I disabled the
> > > > allow_all rule.
> > > >
> > > > You can test your rules with:
> > > >
> > > > ipa hbactest --user admin --host replica.example.test --service sshd
> > > >
> > > > and
> > > >
> > > > ipa hbactest --user admin --host replica.example.test --service sftp
> > > >
> > > > And replace user with whatever user can only access via sftp. It should
> > > > fail for sshd.
> > > >
> > > > It would help to see the output of these hbactest runs.
> > > >
> > > > rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
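The check the thread converges on is "which PAM service name did SSSD actually evaluate the HBAC rule against?", because that name (not the client command) is what an HBAC "Via Service" entry must match, and for sftp over OpenSSH it is sshd. The script below is an added example, not something posted in the thread or shipped by FreeIPA or SSSD; it parses the pam_sss(<service>:<type>) stanzas from journal lines and compares them against the service the HBAC rule names. The two log lines are constructed from the format shown above; the journalctl invocation in the usage comment is an assumption about where the lines are read from on a systemd host.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/SSSD code).
# Find the PAM service name(s) SSSD evaluated, as recorded by pam_sss,
# and check them against the service an HBAC rule is written for.

# Constructed sample, modelled on the pam_sss lines quoted in the thread.
SAMPLE_LOG='May 16 14:59:33 exampleserver sshd[65411]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.127 user=testuser
May 16 14:59:34 exampleserver sshd[65411]: pam_sss(sshd:account): Access denied for user testuser: 6 (Permission denied)'

# pam_services LOGTEXT
# Prints the distinct PAM service names found in pam_sss(<service>:<type>)
# stanzas, one per line. Only the service name is kept; auth/account/etc.
# (the module type) is discarded.
pam_services() {
    printf '%s\n' "$1" | sed -n 's/.*pam_sss(\([^:]*\):[a-z]*).*/\1/p' | sort -u
}

# hbac_service_check LOGTEXT RULE_SERVICE
# Returns 0 if RULE_SERVICE is among the PAM services SSSD evaluated,
# otherwise prints the mismatch and returns 1. For the thread's case the
# rule says "sftp" but SSSD only ever saw "sshd", so the rule never applies.
hbac_service_check() {
    seen=$(pam_services "$1")
    if printf '%s\n' "$seen" | grep -qx -- "$2"; then
        echo "ok: HBAC service '$2' matches a PAM service seen in the log"
        return 0
    fi
    echo "mismatch: HBAC rule targets '$2' but SSSD evaluated: $(printf '%s' "$seen" | tr '\n' ' ')"
    return 1
}

# Demo on the constructed sample (prints the mismatch line).
hbac_service_check "$SAMPLE_LOG" sftp || :

# Usage on a real host (assumption: sshd logs go to the journal):
#   hbac_service_check "$(journalctl -u sshd --since -1h | grep pam_sss)" sftp
```

If the check reports a mismatch, the fix is on the OpenSSH side rather than in FreeIPA: the rule has to be written for the sshd service, and the sftp-only restriction done some other way. The group-based approach Rob refers to is, on OpenSSH, normally a Match Group block in sshd_config with ForceCommand internal-sftp; that is an assumption about what was suggested earlier in the thread, which does not spell it out.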
