We've just discovered that AIX does not honor HBAC rules with telnet. ssh is fine.
[jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host= sla765q1.unix.magellanhealth.com --service=sshd --------------------- Access granted: False --------------------- There was no telnet service by default, I created one (but I'm not sure I did so correctly.) [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host= sla765q1.unix.magellanhealth.com --service=telnet --------------------- Access granted: False --------------------- [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host= sla765q1.unix.magellanhealth.com Service: any --------------------- Access granted: False --------------------- [jebalicki@mo0033802 ~]$ ipa hbactest --user=testuser --host= sla765q1.unix.magellanhealth.com --service=login --------------------- Access granted: False --------------------- But: [jebalicki@mo0033802 ~]$ telnet sla765q1 Trying 10.200.5.137... Connected to sla765q1. Escape character is '^]'. telnet (sla765q1.unix.magellanhealth.com) [login banner and blank lines removed] AIX Version 6 Copyright IBM Corporation, 1982, 2011. login: testuser testuser's Password: -bash-3.2$ logout Connection closed by foreign host. AIX was configured with standard authentication at first: [email protected]:/etc/security/ldap # lsauthent Standard Aix But I changed that to add kerberos: [email protected]:/etc/security/ldap # lsauthent Kerberos 5 Standard Aix However, all that does is cause kerberos to timeout on the invalid user and then fall back to allowing the user in anyway. I'm still investigating to see if this is an implementation problem, or if AIX is just incapable of this. I continue to lobby for turning off telnet, but there is political pressure to keep it open. Anyone have any ideas for things I could try? Thanks, --Jason -- The government is going to read our mail anyway, might as well make it tough for them. GPG Public key ID: B6A1A7C6
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
