Host based access control is easy with IPA/FreeIPA, very easy.
Let's assume you want a host group called rhel-prod and a user group called prod-admins, and you want to let the members of prod-admins log in by ssh to the servers in rhel-prod from any host that can reach them. Let's call the HBAC rule prod-admins.
You can use either the web GUI or the command line interface; this post uses the CLI.
Let's create the user group:
[root@ipa1 ~]# ipa group-add prod-admins --desc="Production System Admins"
-------------------------
Added group "prod-admins"
-------------------------
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
[root@ipa1 ~]#
Add some users to the user group:
[root@ipa1 ~]# ipa group-add-member prod-admins --users=luc,htester
  Group name: prod-admins
  Description: Production System Admins
  GID: 1222000004
  Member users: luc, htester
-------------------------
Number of members added 2
-------------------------
[root@ipa1 ~]#
And the host group:
[root@ipa1 ~]# ipa hostgroup-add rhel-prod --desc "Production Servers"
---------------------------
Added hostgroup "rhel-prod"
---------------------------
  Host-group: rhel-prod
  Description: Production Servers
[root@ipa1 ~]#
Add some servers as members of the host group:
[root@ipa1 ~]# ipa hostgroup-add-member rhel-prod --hosts=ipaclient1.example.com,ipaclient2.example.com
  Host-group: rhel-prod
  Description: Production Servers
  Member hosts: ipaclient1.example.com, ipaclient2.example.com
-------------------------
Number of members added 2
-------------------------
[root@ipa1 ~]#
Note: the hosts are comma separated, without a space after the comma.
Let's define the HBAC rule:
[root@ipa1 ~]# ipa hbacrule-add --srchostcat=all prod-admins
-----------------------------
Added HBAC rule "prod-admins"
-----------------------------
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
[root@ipa1 ~]#
Add the user group to the rule:
[root@ipa1 ~]# ipa hbacrule-add-user --groups prod-admins prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#
Add the service to the rule:
[root@ipa1 ~]# ipa hbacrule-add-service --hbacsvcs sshd prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#
And finally add the host group to the rule:
[root@ipa1 ~]# ipa hbacrule-add-host --hostgroups rhel-prod prod-admins
  Rule name: prod-admins
  Source host category: all
  Enabled: TRUE
  User Groups: prod-admins
  Host Groups: rhel-prod
  Services: sshd
-------------------------
Number of members added 1
-------------------------
[root@ipa1 ~]#
Of course you can enhance the rule by adding other services, more user or host groups, and so on. Two things to keep in mind: FreeIPA ships with an enabled allow_all rule, so until you disable that rule (ipa hbacrule-disable allow_all) every user can still log in everywhere and the new rule changes nothing in practice; and restricting access by source host is not evaluated by SSSD on the clients by default, so do not rely on it. Before you disable allow_all, check what your rules will decide for a given user, host and service with ipa hbactest.
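To make the decision logic behind the rule visible, here is a small model of how an IPA client evaluates HBAC for a login attempt. This is an added example for this post, not code from FreeIPA or SSSD; the group memberships, host names and the extra user "bob" and host "devbox.example.com" are constructed sample data, and service groups and source-host matching are deliberately left out (SSSD does not evaluate the source host by default). It reproduces the scenario above, including the default allow_all rule, so you can see why the prod-admins rule only starts restricting anything once allow_all is disabled.

```python
"""Toy evaluator for FreeIPA HBAC rule semantics (added example, not FreeIPA/SSSD code).

Access is granted if ANY enabled rule matches the (user, host, service) triple.
A rule matches when its user, host and service parts all match; each part
matches by category "all", by direct listing, or via group membership.
HBAC has no deny rules: an empty result means access is denied.
"""
from dataclasses import dataclass


@dataclass
class HBACRule:
    """One HBAC rule, roughly as 'ipa hbacrule-show' presents it (simplified)."""
    name: str
    enabled: bool = True
    usercat_all: bool = False            # --usercat=all
    users: frozenset = frozenset()
    user_groups: frozenset = frozenset()
    hostcat_all: bool = False            # --hostcat=all
    hosts: frozenset = frozenset()
    host_groups: frozenset = frozenset()
    servicecat_all: bool = False         # --servicecat=all
    services: frozenset = frozenset()    # service groups omitted in this model


def _part_matches(cat_all, direct, groups, member, member_groups):
    """A rule part matches by category 'all', direct listing, or group overlap."""
    return cat_all or member in direct or bool(groups & member_groups)


def rule_matches(rule, user, host, service, user_groups, host_groups):
    """Evaluate one rule. Source host is absent on purpose: SSSD ignores it by default."""
    return (
        _part_matches(rule.usercat_all, rule.users, rule.user_groups,
                      user, user_groups.get(user, frozenset()))
        and _part_matches(rule.hostcat_all, rule.hosts, rule.host_groups,
                          host, host_groups.get(host, frozenset()))
        and _part_matches(rule.servicecat_all, rule.services, frozenset(),
                          service, frozenset())
    )


def matching_rules(rules, user, host, service, user_groups, host_groups):
    """Names of the enabled rules that grant access; empty list means denied."""
    return [r.name for r in rules
            if r.enabled and rule_matches(r, user, host, service, user_groups, host_groups)]


def example_directory():
    """Constructed sample data mirroring the post, plus the default allow_all rule."""
    user_groups = {
        "luc": frozenset({"prod-admins"}),
        "htester": frozenset({"prod-admins"}),
        "bob": frozenset(),                       # hypothetical non-admin user
    }
    host_groups = {
        "ipaclient1.example.com": frozenset({"rhel-prod"}),
        "ipaclient2.example.com": frozenset({"rhel-prod"}),
        "devbox.example.com": frozenset(),        # hypothetical host outside rhel-prod
    }
    rules = [
        # FreeIPA creates this rule at install time and it is enabled by default.
        HBACRule(name="allow_all", usercat_all=True, hostcat_all=True, servicecat_all=True),
        # The rule built in the post: prod-admins -> rhel-prod via sshd.
        HBACRule(name="prod-admins",
                 user_groups=frozenset({"prod-admins"}),
                 host_groups=frozenset({"rhel-prod"}),
                 services=frozenset({"sshd"})),
    ]
    return user_groups, host_groups, rules


def disable_rule(rules, name):
    """Model of 'ipa hbacrule-disable <name>'."""
    for r in rules:
        if r.name == name:
            r.enabled = False


def check(user, host, service, disable_allow_all=False):
    """Which rules let `user` reach `service` on `host`, with or without allow_all."""
    user_groups, host_groups, rules = example_directory()
    if disable_allow_all:
        disable_rule(rules, "allow_all")
    return matching_rules(rules, user, host, service, user_groups, host_groups)


if __name__ == "__main__":
    for args in [("bob", "ipaclient1.example.com", "sshd", False),
                 ("bob", "ipaclient1.example.com", "sshd", True),
                 ("luc", "ipaclient1.example.com", "sshd", True),
                 ("luc", "devbox.example.com", "sshd", True),
                 ("luc", "ipaclient2.example.com", "login", True)]:
        print(args, "->", check(*args) or "DENIED")
```

The first case is the one that bites people: with allow_all still enabled, a user who is in no group at all is admitted to a production host, because any one matching rule is enough. Once allow_all is disabled, only prod-admins members get in, only on rhel-prod hosts, and only through sshd; a console login (the "login" service) by the same user is denied because the rule never listed it.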
Have fun 🙂
…and let’s assume that when you add a new mirror, it doesn’t all come apart at the seams, requiring re-adding every host to every hostgroup.
Oh wait, that’s not a reasonable expectation.
What do you mean by "mirror"?
Two things to note:
1) You listed the hbacrule-add line twice above.
2) It is best never to mention adding srchost rules to HBAC. It does not really work, due to issues with the way PAM fails to properly verify where the connection is coming from. This is a flaw in the underlying subsystems, not the fault of FreeIPA. With this in mind, SSSD (the client-side daemon that performs the authorization checks) does not support srchost checking by default. It can be added by specifying an option in sssd.conf. (The other reason for disabling it by default is performance.)
Thanks for the hints 🙂