On Thu, 2018-04-26 at 21:02 -0400, Rob Crittenden via FreeIPA-users
wrote:
Let me add a point here that may escape the casual viewer.

> Ildefonso Camargo via FreeIPA-users wrote:
> > Hello,
> >
> > At this point I am mostly looking for confirmation/denial of the
> > following observed behavior:
> >
> > FreeIPA Kerberos will issue service tickets to a user with a valid TGT
> > regardless of access control rules (HBAC).
> >
> > Procedure to observe:
> >
> > 1. Create a test user.
> > 2. Allow that user to login to one host, and just one (via ssh or so),
> > HBAC is used.
> > 3. Check that the user has a TGT (klist), or issue kinit as needed.
> > 4. Try to ssh (or connect to any other Kerberos service) to any other
> > server, you will probably get access denied (PAM-based services) because
> > of HBAC, or even allowed (Kerberos-based services that do not use PAM).
> > 5. Get that ticket list again: you got service ticket for every single
> > host, even the ones to which you do not have access.
> >
> > This is causing me great grieving ( :( ), because I was hoping to
> > control authorization to a Kerberos service using FreeIPA, it turns out
> > it just allows everyone in and now I have to add authorization at the
> > service level, which could eventually use PAM, but... come on, why
> > doesn't FreeIPA inspect access policies before issuing the ticket?
> > (unless it does and I am missing something?)
>
> HBAC enforcement is done per host, on the pam level by service name. So
> if a service does not use PAM then HBAC does not apply.
>
> > So... can you confirm if what I found is the way it is supposed to work
> > in its current state? (version 4.5.0)
>
> Yes it is working as designed.
Using PAM does not mean "authenticate via PAM", it means that the
software needs to run the PAM *account* stack to check if the user is
allowed to log in.
So you can safely use krb auth and still use HBAC rules provided the
software has switches to check the PAM account stack.
Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
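Added example, not part of the thread and not FreeIPA or SSSD code: a small Python model of the behaviour described above. The KDC step hands a service ticket to any principal holding a valid TGT without looking at HBAC; the HBAC decision is only made on the target host, keyed by the PAM service name, when the service runs the PAM account stack (in a real service that is the pam_start()/pam_acct_mgmt()/pam_end() sequence, here reduced to a function call). Hostnames, user names and rule names are constructed for the example, and the rule matcher is a simplified form of FreeIPA's allow-rule semantics (user/host/service sets, with "*" standing for the "all" category).

```python
"""Toy model of 'ticket issuance is not authorization' (constructed example).

kdc_issue_service_ticket  -> what happens at the KDC (no HBAC involved)
hbac_allowed              -> what SSSD's HBAC evaluator decides on the host
connect                   -> what the user observes for one connection attempt
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    """Simplified FreeIPA HBAC allow rule. '*' in a set means the 'all' category."""
    name: str
    users: set = field(default_factory=set)     # user names
    hosts: set = field(default_factory=set)     # host FQDNs
    services: set = field(default_factory=set)  # PAM service names, e.g. "sshd"


def kdc_issue_service_ticket(ccache, user, krb_service, host):
    """KDC behaviour: a valid TGT is all that is required for a service ticket.

    HBAC rules are never consulted here; the ticket is recorded in the
    caller's credential cache (the list that klist would show)."""
    principal = f"{krb_service}/{host}@EXAMPLE.TEST"  # constructed realm
    ccache.append(principal)
    return principal


def hbac_allowed(rules, user, host, pam_service):
    """HBAC evaluation as done on the host for the PAM *account* stack.

    Allowed if any rule matches the (user, host, PAM service) triple."""
    def matches(members, value):
        return "*" in members or value in members

    return any(
        matches(r.users, user) and matches(r.hosts, host) and matches(r.services, pam_service)
        for r in rules
    )


def connect(rules, ccache, user, host, krb_service, pam_service=None):
    """One connection attempt.

    pam_service is the PAM service name the daemon uses for its account
    stack (e.g. "sshd"); None models a Kerberos-only service that never
    runs the PAM account stack, so HBAC cannot be enforced for it."""
    kdc_issue_service_ticket(ccache, user, krb_service, host)
    if pam_service is None:
        return "allowed (no PAM account stack, HBAC not consulted)"
    if hbac_allowed(rules, user, host, pam_service):
        return "allowed"
    return "denied by HBAC"


def scenario():
    """Reproduces the steps in the thread: testuser may ssh to server1 only."""
    rules = [HbacRule("testuser_server1_ssh", {"testuser"},
                      {"server1.example.test"}, {"sshd"})]
    ccache = []  # constructed stand-in for the user's credential cache
    results = {
        "server1 ssh": connect(rules, ccache, "testuser",
                               "server1.example.test", "host", "sshd"),
        "server2 ssh": connect(rules, ccache, "testuser",
                               "server2.example.test", "host", "sshd"),
        # A custom Kerberos-authenticated service that does not call PAM at all.
        "server2 custom": connect(rules, ccache, "testuser",
                                  "server2.example.test", "myservice"),
    }
    return results, ccache


if __name__ == "__main__":
    decisions, tickets = scenario()
    for attempt, outcome in decisions.items():
        print(f"{attempt:15} -> {outcome}")
    print("\nklist would show service tickets for:")
    for t in tickets:
        print("  ", t)
```

The third attempt is the case the thread warns about: the ticket is issued and the service lets the user in because nothing on that host ever asked HBAC. Adding the PAM account stack (passing a `pam_service` name, and on a real host a `/etc/pam.d/<name>` file with `account required pam_sss.so`) is what turns the same connection into "denied by HBAC".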