Hi List
I’ve been struggling with this for a while and I would really appreciate some advice. I have an openvpn server using freeIPA to authenticate users logging into the office VPN. Currently all users have access to all services on the OpenVPN server. How do I use HBAC to properly restrict them to just OpenVPN? Do I need them to have access to anything else?
Sina Owolabi via FreeIPA-users wrote:
Hi List
I’ve been struggling with this for a while and I would really appreciate some advice. I have an openvpn server using freeIPA to authenticate users logging into the office VPN. Currently all users have access to all services on the OpenVPN server. How do I use HBAC to properly restrict them to just OpenVPN? Do I need them to have access to anything else?
You need to start by creating HBAC rules that grant general access to systems. IPA ships with a default rule, allow_all, which allows HBAC access on all services to all systems.
You'll need to disable this rule, but first you have to put other rules into place which grant access to the systems you need access to (e.g. you could create an ssh rule that allows all IPA admins to access all hosts).
What HBAC rules you need for OpenVPN depends on how you have OpenVPN configured for auth.
rob
Rob Crittenden via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Sina Owolabi via FreeIPA-users wrote:
Hi List
I’ve been struggling with this for a while and I would really appreciate some advice. I have an openvpn server using freeIPA to authenticate users logging into the office VPN. Currently all users have access to all services on the OpenVPN server. How do I use HBAC to properly restrict them to just OpenVPN? Do I need them to have access to anything else?
...
What HBAC rules you need for OpenVPN depends on how you have OpenVPN configured for auth.
To elaborate on that somewhat more: it depends on how you authenticate your users. The simplest way is to enable PAM authentication in your server config:

    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Then you create a file /etc/pam.d/openvpn and can use sssd there. Your HBAC rule needs to allow the openvpn service for the users.
You could also authenticate against LDAP or RADIUS and juggle with groups, but PAM is really easier.
Jochen
Thanks everyone
I'm sorry, I should have been much clearer, I apologize. Yes, I use PAM with OpenVPN to authenticate user clients: "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login". I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers is a --servicecat=all:

    Rule name: allowvpnusers
    Service category: all
    Enabled: TRUE
    User Groups: vpnusers
    Hosts: vpn.internaldom.com
What I wanted to know, is what specific services can I allow for the vpnusers, instead of granting them full access to the server.
On Mon, Sep 17, 2018 at 4:49 PM Jochen Hein jochen@jochen.org wrote:
To elaborate on that somewhat more: it depends on how you authenticate your users. The simplest way is to enable PAM authentication in your server config:

    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
Then you create a file /etc/pam.d/openvpn and can use sssd there. Your HBAC rule needs to allow the openvpn service for the users.
You could also authenticate against LDAP or RADIUS and juggle with groups, but PAM is really easier.
Jochen
-- This space is intentionally left blank.
On Tue, 18 Sep 2018, Sina Owolabi via FreeIPA-users wrote:
Thanks everyone
I'm sorry, I should have been much clearer, I apologize. Yes, I use PAM with OpenVPN to authenticate user clients: "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login". I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers is a --servicecat=all:

    Rule name: allowvpnusers
    Service category: all
    Enabled: TRUE
    User Groups: vpnusers
    Hosts: vpn.internaldom.com
What I wanted to know, is what specific services can I allow for the vpnusers, instead of granting them full access to the server.
The name of the pam config file. HBAC service names = names of configurations for PAM, in /etc/pam.d/<name>.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Ok. Since the name of the PAM file I created is /etc/pam.d/openvpn, then this would be "ipa hbacsvc-add --desc="pam Openvpn service" openvpn" ...?
On Tue, Sep 18, 2018 at 9:13 AM Alexander Bokovoy abokovoy@redhat.com wrote:
On Tue, 18 Sep 2018, Sina Owolabi via FreeIPA-users wrote:
Thanks everyone
I'm sorry, I should have been much clearer, I apologize. Yes, I use PAM with OpenVPN to authenticate user clients: "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login". I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers is a --servicecat=all:

    Rule name: allowvpnusers
    Service category: all
    Enabled: TRUE
    User Groups: vpnusers
    Hosts: vpn.internaldom.com
What I wanted to know, is what specific services can I allow for the vpnusers, instead of granting them full access to the server.
The name of the pam config file. HBAC service names = names of configurations for PAM, in /etc/pam.d/<name>.
-- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland
On Tue, 18 Sep 2018, Sina Owolabi wrote:
Ok. Since the name of the PAM file I created is /etc/pam.d/openvpn, then this would be "ipa hbacsvc-add --desc="pam Openvpn service" openvpn" ...?
Yes.
Thank you very much for this. I'll set about re-creating the vpn users rules then.
On Tue, Sep 18, 2018 at 10:28 AM Alexander Bokovoy abokovoy@redhat.com wrote:
On Tue, 18 Sep 2018, Sina Owolabi wrote:
Ok. Since the name of the PAM file I created is /etc/pam.d/openvpn, then this would be "ipa hbacsvc-add --desc="pam Openvpn service" openvpn" ...?
Yes.
Sina Owolabi via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Yes, I use PAM with OpenVPN to authenticate user clients: "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login". I'm also running an HBAC-controlled IPA environment, but the rule for vpnusers is a --servicecat=all:

    Rule name: allowvpnusers
    Service category: all
    Enabled: TRUE
    User Groups: vpnusers
    Hosts: vpn.internaldom.com
You use the login configuration for PAM. Either use that service or change the parameter to openvpn-plugin-auth-pam.so to openvpn.
Jochen
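As an added illustration (not code from the thread, from FreeIPA or from SSSD), here is a small Python model of the HBAC decision SSSD makes for a PAM request, using the rule, group and host quoted above. It shows why the "Service category: all" rule grants vpnusers every PAM service on the VPN host, and why the HBAC service name has to equal the PAM service name passed to openvpn-plugin-auth-pam.so (the "login" vs "openvpn" point in the last reply). The evaluation is deliberately simplified and is my assumption of the semantics: only user groups, hosts and services are matched, with no user/host categories, hostgroups or nested groups.

```python
# Added example, not SSSD's code: a simplified HBAC evaluation for PAM requests.
# Assumption: rules match only on user groups, hosts and services (no categories).
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    usergroups: set
    hosts: set
    services: set = field(default_factory=set)  # HBAC service name == /etc/pam.d/<name>
    servicecat_all: bool = False                # "Service category: all" in the thread
    enabled: bool = True

def hbac_allowed(rules, user_groups, host, pam_service):
    """Grant if any enabled rule matches the user's groups, the host and the PAM service."""
    for r in rules:
        if not r.enabled or not (user_groups & r.usergroups) or host not in r.hosts:
            continue
        if r.servicecat_all or pam_service in r.services:
            return True
    return False

def pam_service_from_plugin_line(line):
    """PAM service name selected by a 'plugin ... openvpn-plugin-auth-pam.so <name>' line."""
    words = line.split()
    if len(words) < 3 or not words[1].endswith("openvpn-plugin-auth-pam.so"):
        raise ValueError("not an openvpn-plugin-auth-pam.so plugin line")
    return words[2]

VPN_HOST = "vpn.internaldom.com"
# Rule exactly as shown in the thread: every PAM service on the VPN host.
OLD_RULE = HbacRule("allowvpnusers", {"vpnusers"}, {VPN_HOST}, servicecat_all=True)
# Rule after 'ipa hbacsvc-add openvpn' and limiting the rule to that one service.
NEW_RULE = HbacRule("allowvpnusers", {"vpnusers"}, {VPN_HOST}, {"openvpn"})

def decisions(rule, services=("openvpn", "sshd", "sudo", "login")):
    """Which PAM services a vpnusers member gets on the VPN host under one rule."""
    return {s: hbac_allowed([rule], {"vpnusers"}, VPN_HOST, s) for s in services}

def vpn_login_allowed(rule, plugin_line):
    """Does a VPN login pass HBAC, given the service name the plugin line actually uses?"""
    return hbac_allowed([rule], {"vpnusers"}, VPN_HOST, pam_service_from_plugin_line(plugin_line))

if __name__ == "__main__":
    print("servicecat=all:", decisions(OLD_RULE))
    print("service openvpn:", decisions(NEW_RULE))
    for svc in ("login", "openvpn"):  # 'login' is what the thread's config line passes
        line = f"plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so {svc}"
        print(svc, "->", vpn_login_allowed(NEW_RULE, line))
```

On a real IPA server the corresponding check is `ipa hbactest --user=<user> --host=vpn.internaldom.com --service=openvpn`, run once the rule has been changed.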