In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
I don't quite understand how that fits into chapter 10/19 or 31 of the "Linux Domain Identity, Authentication, and Policy Guide" for RHEL 7. Chapter 10 deals with access to freeipa internal objects, and chapter 31 describes host based access control. But how is access control done for someuser@clientmachine -> service@servermachine?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
On Mon, 29 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
I don't quite understand how that fits into chapter 10/19 or 31 of the "Linux Domain Identity, Authentication, and Policy Guide" for RHEL 7. Chapter 10 deals with access to freeipa internal objects, and chapter 31 describes host based access control. But how is access control done for someuser@clientmachine -> service@servermachine?
A recommended way is to teach your application to use PAM for authorization and set the PAM configuration to use pam_sss.so for session and access checks. SSSD will handle HBAC rule application automatically once your app tries to do an access check for a user.
HBAC rules do not have limits per source from which the application gets a request, because that is relatively easy to spoof.
The rest as documented for HBAC rules applies here.
Sure, you might want to try to deny application-level access to connections that do not come from a specific host, but this is outside of HBAC and more a matter of application logic.
Note that in Kerberos you are not guaranteed to be able to assert any decisions based on the source address of an incoming connection which presents a kerberos service ticket. You might get the information from the ticket itself, but it could be wrong due to the use of NATs and other types of firewall traversal.
On Mon, Jun 29, 2020 at 02:02:58PM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Mon, 29 Jun 2020, Dominik Vogt via FreeIPA-users wrote:
In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?
1. Allow users foo and bar to log in to the workstation but to no other machine of the kerberos realm.
2. Deny access to sample/servername.domain from any host except from the workstation.
3. Allow user foo to access the service.
4. Deny user bar access to the service.
5. Deny both users access to anything else on the server.
...
A recommended way is to teach your application to use PAM for authorization and set the PAM configuration to use pam_sss.so for session and access checks. SSSD will handle HBAC rule application automatically once your app tries to do an access check for a user.
Thanks for the info.
We now have a sample client-server that uses gssapi to connect, and a sample program that does authorization via pam. So, the complete solution would be:
* Use gssapi from the sample program to connect the client with the server and authenticate the user.
* Somehow extract the (authenticated) username from the connection established by gssapi.
* Pass the username to pam_authenticate().
* Set up the pam config file for the service to use pam_sss to check, say, that the user is in a certain group that is allowed.
Correct?
Is gssapi a sensible choice of programming interface to implement this, or should one rather use a higher level library like sasl?
Ciao
Dominik ^_^ ^_^
--
Dominik Vogt
freeipa-users@lists.fedorahosted.org