Bug 678032 - Remove HBAC time rules from SSSD
Summary: Remove HBAC time rules from SSSD
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sssd
Version: 5.6
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 676401
Blocks: 712137
Reported: 2011-02-16 15:03 UTC by Stephen Gallagher
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: sssd-1.5.1-7.el5
Doc Type: Bug Fix
Doc Text:
Clone Of: 676401
Environment:
Last Closed: 2011-07-21 08:10:49 UTC
Target Upstream Version:
Embargoed:
Links
System ID: Red Hat Product Errata RHSA-2011:0975
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: sssd security, bug fix, and enhancement update
Last Updated: 2011-07-21 08:09:03 UTC

Comment 2 Namita Soman 2011-05-13 18:24:25 UTC
verified using 
ipa-server-2.0.0-23.el6.x86_64
ipa-client-2.0-14.el5

steps:
# ipa hbacrule-add 
Rule name: denyssh
Rule type: deny
-------------------------
Added HBAC rule "denyssh"
-------------------------
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE

# ipa  hbacrule-add-host 
Rule name: denyssh
[host]: ipaqa64vma.testrelm
[hostgroup]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa  hbacrule-add-user
Rule name: denyssh
[user]: one
[group]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
-------------------------
Number of members added 1
-------------------------

# ipa  hbacrule-add-service
Rule name: denyssh
[hbacsvc]: sshd
[hbacsvcgroup]: 
  Rule name: denyssh
  Rule type: deny
  Enabled: TRUE
  Users: one
  Hosts: ipaqa64vma.testrelm
  Services: sshd
-------------------------
Number of members added 1
-------------------------
Followed the same steps to add a rule allowssh:
# ipa hbacrule-show --all
Rule name: allowssh
  dn: ipauniqueid=0e6974f8-7d89-11e0-a2d2-021016980183,cn=hbac,dc=testrelm
  Rule name: allowssh
  Rule type: allow
  Source host category: all
  Enabled: TRUE
  Users: two
  Hosts: ipaqa64vma.testrelm
  Services: sshd
  ipauniqueid: 0e6974f8-7d89-11e0-a2d2-021016980183
  memberindirect: fqdn=ipaqa64vma.testrelm,cn=computers,cn=accounts,dc=testrelm, uid=two,cn=users,cn=accounts,dc=testrelm
  objectclass: ipaassociation, ipahbacrule

# ipa hbacrule-mod --srchostcat=all allowssh

# ipa  hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
ssh one
one's password: 
Connection closed by 10.16.98.182
and user two could ssh successfully.

Comment 4 errata-xmlrpc 2011-07-21 08:10:49 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0975.html