[Freeipa-users] Where do I find info on how to allow or stop users logging into hosts?
Stephen Gallagher
sgallagh at redhat.com
Tue Jun 14 11:30:12 UTC 2011
On Tue, 2011-06-14 at 01:34 +0000, Steven Jones wrote:
> Hmm,
>
> So what's the default rule? Can I set precedence? Is there any?
>
> Example.
>
> So I've disabled the allow_all rule, I made a deny_all rule and then a
> rule to allow specific user groups to login to specific hostgroups
> servers....that didn't work...
DENY rules always win (meaning they override any ALLOW rule). So if you
have a DENY rule that matches everyone, your ALLOW rules will never
match.
HBAC rules work this way:
If no rules match, deny.
If one or more ALLOW rules match: grant access
unless one or more DENY rules match, in which case: deny.
>
> So I disabled the deny_all rule and users in the specific group can
> login to the specific server, and if I remove them from the user group
> they cannot login, so OK good BUT the trouble is a second user that is
> in no groups at all can also login to the servers, which shouldn't
> occur...or at least I don't want that to occur...so something is set
> incorrectly.
>
> Is there a way to "suck out" the HBAC rules or whatever info for the
> user at the command line? I certainly can't find why that second user
> can login, it should not be able to, but it can.
'ipa hbacrule-find'
This will give you output like:
Rule name: testrule
Rule type: allow
Enabled: TRUE
Groups: ipausers
Hosts: client1.example.com
Source hosts: client2.example.com
Services: sshd
The meaning of the above rule is:
Any user in the group 'ipausers' can log into 'client1.example.com' FROM
client2.example.com using SSH.
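As an added illustration (not code from this thread or from FreeIPA), here is a small model of the evaluation order described above, reading rules in the layout that `ipa hbacrule-find` prints. It assumes a field holding "all" matches anything and an empty field matches nothing, and it leaves out host groups, service groups and the rest of real HBAC.

```python
# Added example, not code from the thread or from FreeIPA: a model of the HBAC
# evaluation order described above, fed rules in the hbacrule-find layout.
# Assumptions: a field holding "all" matches anything, an empty field matches
# nothing, and host/service groups are left out.

def parse_hbacrule_find(text):
    """Parse 'Key: value' blocks; each 'Rule name:' line starts a new rule dict."""
    rules = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip() for s in line.split(":", 1))
        if key == "Rule name":
            rules.append({"name": val, "type": "allow", "enabled": True, "groups": set(),
                          "hosts": set(), "source hosts": set(), "services": set()})
        elif key == "Rule type":
            rules[-1]["type"] = val.lower()
        elif key == "Enabled":
            rules[-1]["enabled"] = val.upper() == "TRUE"
        elif key.lower() in rules[-1]:   # Groups / Hosts / Source hosts / Services
            rules[-1][key.lower()] = {v.strip() for v in val.split(",")}
    return rules

def _field_matches(rule_values, candidates):
    return "all" in rule_values or bool(rule_values & candidates)

def rule_matches(rule, user_groups, host, source_host, service):
    return (rule["enabled"]
            and _field_matches(rule["groups"], set(user_groups))
            and _field_matches(rule["hosts"], {host})
            and _field_matches(rule["source hosts"], {source_host})
            and _field_matches(rule["services"], {service}))

def evaluate(rules, user_groups, host, source_host, service):
    """No match -> deny; an ALLOW match grants unless any enabled DENY rule also matches."""
    hits = [r for r in rules if rule_matches(r, user_groups, host, source_host, service)]
    if any(r["type"] == "deny" for r in hits):
        return False
    return any(r["type"] == "allow" for r in hits)

# Constructed sample: allow_all disabled, deny_all enabled, plus the testrule shown above.
SAMPLE = "\n".join(
    f"Rule name: {n}\nRule type: {t}\nEnabled: {e}\nGroups: {g}\nHosts: {h}\nSource hosts: {s}\nServices: {v}"
    for n, t, e, g, h, s, v in [
        ("allow_all", "allow", "FALSE", "all", "all", "all", "all"),
        ("deny_all", "deny", "TRUE", "all", "all", "all", "all"),
        ("testrule", "allow", "TRUE", "ipausers", "client1.example.com", "client2.example.com", "sshd"),
    ])
```

With deny_all enabled the ipausers login to client1 is refused even though testrule matches; disabling deny_all lets it through, and a user in no group still gets no match and is denied.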