On ma, 29 kesä 2020, Dominik Vogt via FreeIPA-users wrote:

In our setup, a service is running on some server machine, say, "sample/servername.domain" and a client for that service is running on a workstation (using the sample gssapi client and server code from the kerberos sources). Now, what is the proper way to do this in freeipa?

1. Allow users foo and bar to log in to the workstation but to no

other machine of the kerberos real. 2. Deny access to sample/servername.domain from any host except from the workstation. 3. Allow user foo access the service. 4. Deny user bar access the service. 5. Deny both users access to anything else on the server.

I don't quite understand how that fits into chapter 10/19 or 31 of the "Linux Domain Identity, Authentication, and Policy Guide" for RHEL 7". Chapter 10 deals with access to freeipa internal objects, and chapter 31 describes host based access control. But how is access control done for someuser@clientmachine -> service@servermachine?

A recommended way is to teach your application to use PAM for authorization and set PAM configuration to use pam_sss.so for session and access checks. SSSD will handle HBAC rules application automatically once your app will try to do access check for a user.

HBAC rules do not have limits per source from where application does get a request because that is relatively easy to spoof.

The rest as documented for HBAC rules applies here.

Sure, you might want to try to deny an application level access to connections that do not come from a specific host but this is outside of HBAC and more of application logic.

Note that in Kerberos you are not guaranteed to assert any decisions based on the source address of an incoming connection which presents a kerberos service ticket. You might get the information from the ticket itself but it could be wrong due to use of NATs and other types of firewall traversing.