How to configure HBAC rules in IdM to allow specific users to log in to clients via ssh
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Identity Management (IdM/IPA)
Issue
- I want to configure HBAC rules in IdM to allow only specific users to log in to clients via ssh. How can I do this?
Resolution
By default, the "allow_all" HBAC rule grants every user access to every host from any host. This is usually not desirable from a security standpoint. To control SSH access by user or user group and by source/target host or host group, first disable the "allow_all" HBAC rule, then add a rule for the SSH service that names only the users and hosts that should be allowed.
The steps below create an HBAC rule that allows the IPA user "test1" to ssh to machine1.example.com.

- Show the default HBAC rule:

    # ipa hbacrule-find
    -------------------
    1 HBAC rule matched
    -------------------
      Rule name: allow_all
      User category: all
      Host category: all
      Source host category: all
      Service category: all
      Description: Allow all users to access any host from any host
      Enabled: TRUE
    ----------------------------
    Number of entries returned 1
    ----------------------------

- Disable (or delete) the default rule, which grants all users access to all hosts:

    # ipa hbacrule-disable allow_all
    ------------------------------
    Disabled HBAC rule "allow_all"
    ------------------------------
    # ipa hbacrule-find
    -------------------
    1 HBAC rule matched
    -------------------
      Rule name: allow_all
      User category: all
      Host category: all
      Source host category: all
      Service category: all
      Description: Allow all users to access any host from any host
      Enabled: FALSE
    ----------------------------
    Number of entries returned 1
    ----------------------------

- Create an HBAC rule named "testrule1":

    # ipa hbacrule-add testrule1
    ---------------------------
    Added HBAC rule "testrule1"
    ---------------------------
      Rule name: testrule1
      Enabled: TRUE

- Add the target host (the machine the IPA user will connect to via ssh) to the rule:

    # ipa hbacrule-add-host testrule1 --hosts=machine1.example.com
      Rule name: testrule1
      Enabled: TRUE
      Hosts: machine1.example.com
    -------------------------
    Number of members added 1
    -------------------------

- Add the service (sshd) that the user may use to connect to the host:

    # ipa hbacrule-add-service --hbacsvcs=sshd testrule1
      Rule name: testrule1
      Enabled: TRUE
      Users: test1
      Hosts: machine1.example.com
      Services: sshd
    -------------------------
    Number of members added 1
    -------------------------

- Add the IPA user "test1" to the rule:

    # ipa hbacrule-add-user testrule1 --users=test1
      Rule name: testrule1
      Enabled: TRUE
      Users: test1
      Hosts: machine1.example.com
    -------------------------
    Number of members added 1
    -------------------------

- Display the rule:

    # ipa hbacrule-find testrule1
    -------------------
    1 HBAC rule matched
    -------------------
      Rule name: testrule1
      Enabled: TRUE
      Users: test1
      Hosts: machine1.example.com
      Services: sshd
    ----------------------------
    Number of entries returned 1
    ----------------------------

- Test the HBAC rule with ipa hbactest before relying on it:

    # ipa hbactest --user=test1 --host=machine1.example.com --service=sshd
    --------------------
    Access granted: True
    --------------------
      matched: testrule1

- Verify with an actual ssh login as user test1:

    # ssh test1@machine1.example.com
    test1@machine1.example.com's password:
    Creating home directory for test1.
    Last login: Fri Dec 23 17:32:26 2011 from machine2.example.com
Note: HBAC rules are evaluated for the target user only. In IdM, HBAC rules decide whether a source user may use a service such as ssh or su to log in as target_user. If target_user is not covered by a rule for the ssh and/or su service, the corresponding login will fail:

    # ssh target_user@fqdn_hostname_of_ipa_client
    # su - target_user
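The procedure above and the note on target users both come down to the same evaluation: a login is granted only if some enabled HBAC rule matches the user (or a group), the target host (or a host group), and the service. The following is an added, simplified model of that evaluation written for this article; it is not FreeIPA or SSSD code, does not call the ipa CLI, and uses the rule names, user, host and service from this page as constructed sample data (the "admins" user group and "webservers" host group are assumptions for illustration).

```python
"""Simplified model of IdM HBAC rule evaluation (added example, not IPA code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HbacRule:
    """Mirrors the fields shown by `ipa hbacrule-find` on this page."""
    name: str
    enabled: bool = True
    # A category of "all" makes that field match everything, as in allow_all.
    user_category: Optional[str] = None
    host_category: Optional[str] = None
    service_category: Optional[str] = None
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)

    def matches(self, user: str, host: str, service: str,
                user_groups: Set[str], host_groups: Set[str]) -> bool:
        """True if this rule grants `user` the `service` on `host`."""
        if not self.enabled:                       # a disabled rule never matches
            return False
        user_ok = (self.user_category == "all" or user in self.users
                   or bool(self.usergroups & user_groups))
        host_ok = (self.host_category == "all" or host in self.hosts
                   or bool(self.hostgroups & host_groups))
        svc_ok = self.service_category == "all" or service in self.services
        return user_ok and host_ok and svc_ok


def hbactest(rules: List[HbacRule], user: str, host: str, service: str,
             user_membership: Optional[Dict[str, Set[str]]] = None,
             host_membership: Optional[Dict[str, Set[str]]] = None
             ) -> Tuple[bool, List[str]]:
    """Evaluate like `ipa hbactest`: (access granted, names of matched rules).

    Access is granted if at least one enabled rule matches; there are no
    deny rules, so disabling allow_all is what makes specific rules meaningful.
    """
    ugroups = (user_membership or {}).get(user, set())
    hgroups = (host_membership or {}).get(host, set())
    matched = [r.name for r in rules if r.matches(user, host, service, ugroups, hgroups)]
    return bool(matched), matched


def ipa_commands(rule: str, users: List[str], hosts: List[str],
                 services: List[str]) -> List[str]:
    """Return the ipa CLI command lines from this article for building a rule."""
    cmds = ["ipa hbacrule-disable allow_all", f"ipa hbacrule-add {rule}"]
    cmds += [f"ipa hbacrule-add-host {rule} --hosts={h}" for h in hosts]
    cmds += [f"ipa hbacrule-add-service --hbacsvcs={s} {rule}" for s in services]
    cmds += [f"ipa hbacrule-add-user {rule} --users={u}" for u in users]
    return cmds


# Constructed sample data matching the rules on this page.
ALLOW_ALL = HbacRule("allow_all", user_category="all", host_category="all",
                     service_category="all")
TESTRULE1 = HbacRule("testrule1", users={"test1"},
                     hosts={"machine1.example.com"}, services={"sshd"})
# Assumed group memberships, used only to show the group matching path.
USER_GROUPS = {"alice": {"admins"}}
HOST_GROUPS = {"web1.example.com": {"webservers"}}
GROUP_RULE = HbacRule("webadmins_ssh", usergroups={"admins"},
                      hostgroups={"webservers"}, services={"sshd"})


def walkthrough() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the checks a practitioner would make while following the article."""
    out = {}
    rules = [ALLOW_ALL, TESTRULE1, GROUP_RULE]
    # With allow_all still enabled, an unrelated user is granted access anyway.
    out["before_disable"] = hbactest(rules, "test2", "machine1.example.com", "sshd")
    ALLOW_ALL.enabled = False                      # `ipa hbacrule-disable allow_all`
    out["test1_sshd"] = hbactest(rules, "test1", "machine1.example.com", "sshd")
    out["test2_sshd"] = hbactest(rules, "test2", "machine1.example.com", "sshd")
    # The note above: testrule1 only covers sshd, so `su - test1` is refused.
    out["test1_su"] = hbactest(rules, "test1", "machine1.example.com", "su")
    out["group_path"] = hbactest(rules, "alice", "web1.example.com", "sshd",
                                 USER_GROUPS, HOST_GROUPS)
    return out


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check}: granted={result[0]} matched={result[1]}")
    print("\n".join(ipa_commands("testrule1", ["test1"],
                                 ["machine1.example.com"], ["sshd"])))
```

Running the block prints that "test2" is granted access while allow_all is enabled and refused afterwards, that "test1" is granted sshd but not su on machine1.example.com, and that a group-based rule matches through user group and host group membership; the final lines are the ipa commands from the procedure in the order the article gives them.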
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.