verified using ipa-server-2.0.0-23.el6.x86_64 ipa-client-2.0-14.el5

steps:

# ipa hbacrule-add
Rule name: denyssh
Rule type: deny
-------------------------
Added HBAC rule "denyssh"
-------------------------
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE

# ipa hbacrule-add-host
Rule name: denyssh
[host]: ipaqa64vma.testrelm
[hostgroup]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa hbacrule-add-user
Rule name: denyssh
[user]: one
[group]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa hbacrule-add-service
Rule name: denyssh
[hbacsvc]: sshd
[hbacsvcgroup]:
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
  Services: sshd
-------------------------
Number of members added 1
-------------------------

Followed the same steps to add a rule allowssh:

# ipa hbacrule-show --all
Rule name: allowssh
  dn: ipauniqueid=0e6974f8-7d89-11e0-a2d2-021016980183,cn=hbac,dc=testrelm
  Rule name: allowssh
  Rule type: allow
  Source host category: all
  Enabled: TRUE
  Users: two
  Hosts: ipaqa64vma.testrelm
  Services: sshd
  ipauniqueid: 0e6974f8-7d89-11e0-a2d2-021016980183
  memberindirect: fqdn=ipaqa64vma.testrelm,cn=computers,cn=accounts,dc=testrelm, uid=two,cn=users,cn=accounts,dc=testrelm
  objectclass: ipaassociation, ipahbacrule

# ipa hbacrule-mod --srchostcat=all allowssh

# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------

ssh one
one's password:
Connection closed by 10.16.98.182

and user two could ssh successfully.
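The outcome above (user one refused, user two admitted once allow_all is disabled) is what a deny-over-allow evaluation produces. As an added illustration, not code from this bug report or from FreeIPA/SSSD, here is a small Python model of that evaluation over the three rules the comment creates. The precedence order it implements (disabled rules skipped, any matching deny wins over any allow, no match means deny) and the omission of source-host matching are assumptions of the model, not a reading of the IPA implementation; the rule data is constructed from the values shown in the comment.

```python
"""Toy model of IPA 2.x HBAC rule evaluation (added example, not project code).

Assumed evaluation order: disabled rules are ignored, a matching deny rule
wins over any allow rule, and a request that matches no rule is denied.
Source-host matching is deliberately left out of the model.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ALL = "all"  # category value, as set by --usercat/--hostcat/--servicecat=all

# Host and user names below are the constructed values from the verification.
TEST_HOST = "ipaqa64vma.testrelm"


@dataclass
class HbacRule:
    name: str
    rule_type: str                       # "allow" or "deny"
    enabled: bool = True
    users: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)
    user_category: str | None = None     # ALL matches every user
    host_category: str | None = None     # ALL matches every host
    service_category: str | None = None  # ALL matches every service

    def matches(self, user: str, host: str, service: str) -> bool:
        """True when every dimension is satisfied by a category or a member."""
        def ok(category: str | None, members: set[str], value: str) -> bool:
            return category == ALL or value in members

        return (ok(self.user_category, self.users, user)
                and ok(self.host_category, self.hosts, host)
                and ok(self.service_category, self.services, service))


# The three rules involved in the verification, as constructed sample data.
RULES: list[HbacRule] = [
    HbacRule("denyssh", "deny",
             users={"one"}, hosts={TEST_HOST}, services={"sshd"}),
    HbacRule("allowssh", "allow",
             users={"two"}, hosts={TEST_HOST}, services={"sshd"}),
    HbacRule("allow_all", "allow", enabled=False,
             user_category=ALL, host_category=ALL, service_category=ALL),
]


def hbac_decision(rules: list[HbacRule], user: str, host: str,
                  service: str) -> tuple[str, str | None]:
    """Return ("deny" | "allow", name of the deciding rule or None).

    Any enabled, matching deny rule decides immediately, regardless of its
    position in the list; otherwise the first matching allow rule decides;
    otherwise the request is denied by default (assumed semantics).
    """
    first_allow: str | None = None
    for rule in rules:
        if not rule.enabled or not rule.matches(user, host, service):
            continue
        if rule.rule_type == "deny":
            return "deny", rule.name
        if first_allow is None:
            first_allow = rule.name
    if first_allow is not None:
        return "allow", first_allow
    return "deny", None


def with_rule_enabled(rules: list[HbacRule], name: str,
                      enabled: bool) -> list[HbacRule]:
    """Copy of the rule list with one rule's Enabled flag changed
    (models `ipa hbacrule-enable` / `ipa hbacrule-disable`)."""
    out = []
    for rule in rules:
        if rule.name == name:
            rule = HbacRule(**{**rule.__dict__, "enabled": enabled})
        out.append(rule)
    return out


if __name__ == "__main__":
    for who in ("one", "two", "three"):
        print(who, "->", hbac_decision(RULES, who, TEST_HOST, "sshd"))
    # Re-enabling allow_all admits unlisted users but never overrides the deny.
    reopened = with_rule_enabled(RULES, "allow_all", True)
    for who in ("one", "three"):
        print(who, "(allow_all enabled) ->",
              hbac_decision(reopened, who, TEST_HOST, "sshd"))
```

Running it reproduces the comment's result: one is denied by denyssh, two is allowed by allowssh, and an unlisted user is denied because allow_all is disabled. With allow_all re-enabled the unlisted user is admitted, while the deny rule still wins for one, which is the point a rule author needs to keep in mind when layering broad allow rules with narrow deny rules.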
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html