Discussion:
[Freeipa-users] Allow IPA users to create SSH tunnel with no shell
Albert Adams
2012-12-14 16:09:03 UTC
Permalink
In our environment we have several systems where users require access to
the system to setup an SSH tunnel but should not have a shell on the
system. Prior to rolling out IPA we accomplished this with the
authorized_keys file as follows:

command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
webbrowser to connect to the tool\n\";while(1) { print localtime(time) .
\"\n\"; sleep
60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding

Is there a way to accomplish this in IPA?

Regards,
Albert
Peter Brown
2012-12-17 02:23:44 UTC
Permalink
Hi Albert,

Have you tried putting that command in the public key for the user in
freeipa and setting the user shell to /sbin/nologin or the equivalent?
Post by Albert Adams
In our environment we have several systems where users require access to
the system to setup an SSH tunnel but should not have a shell on the
system. Prior to rolling out IPA we accomplished this with the
command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
webbrowser to connect to the tool\n\";while(1) { print localtime(time) .
\"\n\"; sleep
60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
Is there a way to accomplish this in IPA?
Regards,
Albert
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Jan Cholasta
2012-12-17 09:08:59 UTC
Permalink
Hi,

this should work and you don't even have to set the shell to
/sbin/nologin (depends on whether you want the users to be able to login
to the system by other means or not), as the command directive in
authorized_keys takes precedence.

The tricky part is escaping the value correctly (there is shell
escaping, IPA CSV quote escaping and authorized_keys quote escaping in
effect):

$ ipa user-mod user --sshpubkey='"command=""/usr/bin/perl -e '\''$|=1;
print \""Tunnel created, use your webbrowser to connect to the
tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep
60}'\''"",permitopen=""localhost:8834"",no-agent-forwarding,no-X11-forwarding
ssh-rsa ..."'

Honza
Post by Peter Brown
Hi Albert,
Have you tried putting that command in the public key for the user in
freeipa and setting the user shell to /sbin/nologin or the equivalent?
In our environment we have several systems where users require
access to the system to setup an SSH tunnel but should not have a
shell on the system. Prior to rolling out IPA we accomplished this
command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
webbrowser to connect to the tool\n\";while(1) { print
localtime(time) . \"\n\"; sleep
60}'",permitopen="localhost:8834",no-agent-forwarding,no-X11-forwarding
Is there a way to accomplish this in IPA?
Regards,
Albert
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Jan Cholasta
Albert Adams
2012-12-17 14:07:57 UTC
Permalink
Thank you for the responses. I was initially attempting to set this value
via the web UI and if I entered anything other than the hash value of the
user's public key it would get rejected. After thinking about your
response I realize that I really need to determine a method of doing this
via a HBAC rule. If I accomplish this with authorized_keys then the user
is restricted across the board and would not be able to gain a shell on any
system whereas HBAC would allow me to restrict thier access as needed. We
currently require users to tunnel over SSH to gain access to certain
sensitive web apps (like Nessus) but those same users have shell access on
a few boxes. Thoughts??

Albert
Hi,
this should work and you don't even have to set the shell to /sbin/nologin
(depends on whether you want the users to be able to login to the system by
other means or not), as the command directive in authorized_keys takes
precedence.
The tricky part is escaping the value correctly (there is shell escaping,
$ ipa user-mod user --sshpubkey='"command=""/usr/**bin/perl -e '\''$|=1;
print \""Tunnel created, use your webbrowser to connect to the
tool\n\"";while(1) { print localtime(time) . \""\n\""; sleep
60}'\''"",permitopen=""**localhost:8834"",no-agent-**forwarding,no-X11-forwarding
ssh-rsa ..."'
Honza
Post by Peter Brown
Hi Albert,
Have you tried putting that command in the public key for the user in
freeipa and setting the user shell to /sbin/nologin or the equivalent?
In our environment we have several systems where users require
access to the system to setup an SSH tunnel but should not have a
shell on the system. Prior to rolling out IPA we accomplished this
command="/usr/bin/perl -e '$|=1; print \"Tunnel created, use your
webbrowser to connect to the tool\n\";while(1) { print
localtime(time) . \"\n\"; sleep
60}'",permitopen="localhost:**8834",no-agent-forwarding,no-**
X11-forwarding
Is there a way to accomplish this in IPA?
Regards,
Albert
______________________________**_________________
Freeipa-users mailing list
https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
______________________________**_________________
Freeipa-users mailing list
https://www.redhat.com/**mailman/listinfo/freeipa-users<https://www.redhat.com/mailman/listinfo/freeipa-users>
--
Jan Cholasta
Simo Sorce
2012-12-17 14:36:11 UTC
Permalink
Post by Albert Adams
Thank you for the responses. I was initially attempting to set this
value via the web UI and if I entered anything other than the hash
value of the user's public key it would get rejected. After thinking
about your response I realize that I really need to determine a method
of doing this via a HBAC rule. If I accomplish this with
authorized_keys then the user is restricted across the board and would
not be able to gain a shell on any system whereas HBAC would allow me
to restrict thier access as needed. We currently require users to
tunnel over SSH to gain access to certain sensitive web apps (like
Nessus) but those same users have shell access on a few boxes.
Thoughts??
One thing you could do is to use the override_shell parameter in sssd.
However this one would override the shell for all users so just
putting /sbin/nologin there would not work if you need some users to be
able to log in (if you care only for root logins it would be enough).

However you can still manage to use it to point to a script that would
test something like whether the user belongs to a group or not, and if
so run either /bin/bash or /bin/nologin

This seem like a nice feature request for FreeIPA though, maybe we can
extend HBAC to allow a special option to define a shell, maybe creating
a special 'shell' service that sssd can properly interpret as a hint to
set nologin vs the actual shell.

Dmitri, should we open a RFE on this ?


Simo.
--
Simo Sorce * Red Hat, Inc * New York
Albert Adams
2012-12-17 15:30:21 UTC
Permalink
An HBAC extension would certainly be appreciated. I'm not sure how other
organizations are setup but in our environment we don't give shell access
unless absolutely necessary and we use a lot of SSH tunneling with target
services bound to localhost. If I can figure out the correct syntax to get
the perl command added to the users public key in IPA (as Honza suggested)
then that will provide a work around for the time being. Ultimately it
would be awesome to have the same level of granularity that the local
authorized_keys file allowed while reaping the benefits of centralized
management.

Albert
Post by Simo Sorce
Post by Albert Adams
Thank you for the responses. I was initially attempting to set this
value via the web UI and if I entered anything other than the hash
value of the user's public key it would get rejected. After thinking
about your response I realize that I really need to determine a method
of doing this via a HBAC rule. If I accomplish this with
authorized_keys then the user is restricted across the board and would
not be able to gain a shell on any system whereas HBAC would allow me
to restrict thier access as needed. We currently require users to
tunnel over SSH to gain access to certain sensitive web apps (like
Nessus) but those same users have shell access on a few boxes.
Thoughts??
One thing you could do is to use the override_shell parameter in sssd.
However this one would override the shell for all users so just
putting /sbin/nologin there would not work if you need some users to be
able to log in (if you care only for root logins it would be enough).
However you can still manage to use it to point to a script that would
test something like whether the user belongs to a group or not, and if
so run either /bin/bash or /bin/nologin
This seem like a nice feature request for FreeIPA though, maybe we can
extend HBAC to allow a special option to define a shell, maybe creating
a special 'shell' service that sssd can properly interpret as a hint to
set nologin vs the actual shell.
Dmitri, should we open a RFE on this ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
Jan Cholasta
2012-12-18 08:38:09 UTC
Permalink
Actually, I wanted to make something like this in SSH user
impersonation, <https://fedorahosted.org/freeipa/ticket/2356>. My idea
was to allow overriding of authorized_keys options in impersonation rules.

In your case, you could have a special user account "tunnel" that would
be used to access the tunnel and set up impersonation so that members of
group "tunnelusers" could impersonate user "tunnel" with authorized_keys
options command, permitopen, no-agent-forwarding and no-x11-forwarding
overrided. That way, any user in the "tunnelusers" group would be able
to log in with their normal public keys (with no authorized_keys
options) as user "tunnel" and have authorized_keys options set to the
needed values by the impersonation rule.

Of course, that would work only with SSH public key authentication.

BTW, if the tunnel is provided only by a single or a small number of
systems, you can configure sshd on these systems to do what you want
without using authorized_keys options (see man sshd_config, directives
ForceCommand, PermitOpen, AllowAgentForwarding, X11Forwarding and
possibly Match).

Honza
Post by Albert Adams
An HBAC extension would certainly be appreciated. I'm not sure how
other organizations are setup but in our environment we don't give shell
access unless absolutely necessary and we use a lot of SSH tunneling
with target services bound to localhost. If I can figure out the
correct syntax to get the perl command added to the users public key in
IPA (as Honza suggested) then that will provide a work around for the
time being. Ultimately it would be awesome to have the same level of
granularity that the local authorized_keys file allowed while reaping
the benefits of centralized management.
Albert
Post by Albert Adams
Thank you for the responses. I was initially attempting to set this
value via the web UI and if I entered anything other than the hash
value of the user's public key it would get rejected. After thinking
about your response I realize that I really need to determine a
method
Post by Albert Adams
of doing this via a HBAC rule. If I accomplish this with
authorized_keys then the user is restricted across the board and
would
Post by Albert Adams
not be able to gain a shell on any system whereas HBAC would allow me
to restrict thier access as needed. We currently require users to
tunnel over SSH to gain access to certain sensitive web apps (like
Nessus) but those same users have shell access on a few boxes.
Thoughts??
One thing you could do is to use the override_shell parameter in sssd.
However this one would override the shell for all users so just
putting /sbin/nologin there would not work if you need some users to be
able to log in (if you care only for root logins it would be enough).
However you can still manage to use it to point to a script that would
test something like whether the user belongs to a group or not, and if
so run either /bin/bash or /bin/nologin
This seem like a nice feature request for FreeIPA though, maybe we can
extend HBAC to allow a special option to define a shell, maybe creating
a special 'shell' service that sssd can properly interpret as a hint to
set nologin vs the actual shell.
Dmitri, should we open a RFE on this ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
--
Jan Cholasta
Dmitri Pal
2012-12-17 21:29:00 UTC
Permalink
Post by Simo Sorce
Post by Albert Adams
Thank you for the responses. I was initially attempting to set this
value via the web UI and if I entered anything other than the hash
value of the user's public key it would get rejected. After thinking
about your response I realize that I really need to determine a method
of doing this via a HBAC rule. If I accomplish this with
authorized_keys then the user is restricted across the board and would
not be able to gain a shell on any system whereas HBAC would allow me
to restrict thier access as needed. We currently require users to
tunnel over SSH to gain access to certain sensitive web apps (like
Nessus) but those same users have shell access on a few boxes.
Thoughts??
One thing you could do is to use the override_shell parameter in sssd.
However this one would override the shell for all users so just
putting /sbin/nologin there would not work if you need some users to be
able to log in (if you care only for root logins it would be enough).
However you can still manage to use it to point to a script that would
test something like whether the user belongs to a group or not, and if
so run either /bin/bash or /bin/nologin
This seem like a nice feature request for FreeIPA though, maybe we can
extend HBAC to allow a special option to define a shell, maybe creating
a special 'shell' service that sssd can properly interpret as a hint to
set nologin vs the actual shell.
Dmitri, should we open a RFE on this ?
Simo.
OK , RFE would make sense.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Loading...