{"id":22418,"date":"2024-05-04T17:03:59","date_gmt":"2024-05-04T14:03:59","guid":{"rendered":"https:\/\/kifarunix.com\/?p=22418"},"modified":"2024-05-04T20:43:51","modified_gmt":"2024-05-04T17:43:51","slug":"configure-host-based-access-control-on-freeipa-server","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-host-based-access-control-on-freeipa-server\/","title":{"rendered":"Configure Host-Based Access Control on FreeIPA Server"},"content":{"rendered":"\n<p>Follow through this guide to learn how to configure host-based access control (HBAC) on a FreeIPA server. If you use FreeIPA to manage authentication, you may have noticed that by default any user can log in to any host joined to the FreeIPA domain. This is because FreeIPA <em>IdM is configured with a default HBAC rule named\u00a0<code>allow_all<\/code>, which allows universal access to every host for every user via every relevant service in the entire IdM domain.<\/em> This poses a security risk: a single compromised account reaches every enrolled host. 
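<p>Before the walkthrough, an added example that is not code from this post or from FreeIPA: a Python model of how IdM evaluates HBAC rules (FreeIPA itself is written in Python). It parses the text that <code>ipa hbacrule-find<\/code> prints and decides a user, host and service request the way SSSD and <code>ipa hbactest<\/code> do, and it goes beyond the single check made later in this guide: it shows that <code>ipa hbactest --rules<\/code> consults only the named rule, that a per-user rule restricts nothing while <code>allow_all<\/code> is enabled, and that HBAC service names are PAM service names (OpenSSH authenticates as <code>sshd<\/code>, so a rule listing only <code>login<\/code> does not admit SSH sessions). The rule text, host names and group names in it are constructed sample data, not output from a real IdM server.<\/p>

```python
"""Added example (not code from the post or from FreeIPA): a model of how IdM
evaluates HBAC.  It parses the text `ipa hbacrule-find` prints and decides a
(user, host, service) request the way SSSD and `ipa hbactest` do: access is
granted if ANY enabled rule matches on all three dimensions, and a dimension
matches when its category is "all" or the subject or one of its groups is
listed.  The rule text below is constructed sample data."""
import re

# Constructed sample in the `ipa hbacrule-find` output format (the post's rules;
# the stock allow_systemd-user rule is limited to the systemd-user service).
HBACRULE_FIND_OUTPUT = """\
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Enabled: True

  Rule name: allow_systemd-user
  User category: all
  Host category: all
  HBAC Services: systemd-user
  Enabled: True

  Rule name: bparker
  Enabled: True
  Users: bparker
  Hosts: node02.kifarunix.com
  HBAC Services: login
----------------------------
Number of entries returned 3
----------------------------
"""
MULTI_VALUED = {"Users", "User Groups", "Hosts", "Host Groups",
                "HBAC Services", "HBAC Service Groups"}  # comma-separated lists
_ATTR = re.compile(r"^ {2}([A-Za-z ]+): (.*)$")  # matches "  Key: value" lines

def parse_hbacrule_find(text):
    """Turn `ipa hbacrule-find` text into a list of rule dicts."""
    rules, current = [], None
    for line in text.splitlines():
        m = _ATTR.match(line)
        if not m:
            continue  # separators, entry counts and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule name":
            current = {"Rule name": value}
            rules.append(current)
        elif current is not None:
            current[key] = ({v.strip() for v in value.split(",")}
                            if key in MULTI_VALUED else value)
    return rules

def _dimension_ok(rule, category, members, groups, subject, subject_groups):
    """Category 'all', or the subject (or a group it belongs to) is listed."""
    return (rule.get(category) == "all"
            or subject in rule.get(members, set())
            or bool(subject_groups & rule.get(groups, set())))

def evaluate(rules, user, host, service, only_rules=None,
             user_groups=(), host_groups=(), service_groups=()):
    """Return (granted, matched_rule_names).  `only_rules` reproduces
    `ipa hbactest --rules=...`: every other rule is ignored, so the result says
    nothing about what allow_all grants; SSSD always uses all enabled rules."""
    matched = []
    for rule in rules:
        name = rule["Rule name"]
        if (only_rules is not None and name not in only_rules) or rule.get("Enabled") != "True":
            continue
        if (_dimension_ok(rule, "User category", "Users", "User Groups", user, set(user_groups))
                and _dimension_ok(rule, "Host category", "Hosts", "Host Groups", host, set(host_groups))
                and _dimension_ok(rule, "Service category", "HBAC Services", "HBAC Service Groups",
                                  service, set(service_groups))):
            matched.append(name)
    return bool(matched), matched

def disable_rule(rules, name):
    """Parsed-copy equivalent of `ipa hbacrule-disable <name>`."""
    for rule in rules:
        if rule["Rule name"] == name:
            rule["Enabled"] = "False"

def walkthrough():
    """Replay the post's scenario; returns {label: (granted, matched_rules)}."""
    rules = parse_hbacrule_find(HBACRULE_FIND_OUTPUT)
    node01, node02 = "node01.kifarunix.com", "node02.kifarunix.com"
    out = {}
    # The check the post runs: only the bparker rule is consulted, so it passes.
    out["hbactest --rules=bparker"] = evaluate(rules, "bparker", node02, "login", only_rules={"bparker"})
    # What SSSD evaluates while allow_all is enabled: an unlisted host is reachable too.
    out["node01 login, allow_all on"] = evaluate(rules, "bparker", node01, "login")
    disable_rule(rules, "allow_all")
    out["node01 login, allow_all off"] = evaluate(rules, "bparker", node01, "login")
    out["node02 login, allow_all off"] = evaluate(rules, "bparker", node02, "login")
    # HBAC service names are PAM service names: OpenSSH authenticates as "sshd",
    # so a rule that lists only "login" does not admit an SSH session.
    out["node02 sshd, allow_all off"] = evaluate(rules, "bparker", node02, "sshd")
    out["node02 systemd-user, allow_all off"] = evaluate(rules, "bparker", node02, "systemd-user")
    return out

if __name__ == "__main__":
    for label, (granted, matched) in walkthrough().items():
        print(f"{label:36} granted={granted!s:5} matched={matched}")
```

<p>Run it as a script to print each scenario. The same <code>evaluate<\/code> call, given the user&#8217;s, host&#8217;s or service&#8217;s group memberships, also covers rules that list user groups, host groups or HBAC service groups instead of individual members.<\/p>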
It is therefore prudent to restrict user access to specific host systems.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-host-based-access-control-on-free-ipa-server\">Configuring Host-Based Access Control on FreeIPA Server<\/a><ul><li><a href=\"#install-and-setup-free-ipa-server\">Install and Setup FreeIPA server<\/a><\/li><li><a href=\"#add-user-accounts-to-free-ipa-server\">Add User Accounts to FreeIPA Server<\/a><\/li><li><a href=\"#install-and-configure-free-ipa-client-on-ubuntu\">Install and Configure FreeIPA Client on Ubuntu<\/a><\/li><li><a href=\"#configuring-host-based-access-control\">Configuring Host-Based Access Control<\/a><ul><li><a href=\"#configure-host-based-access-control-via-free-ipa-web-ui\">Configure Host-Based Access Control via FreeIPA WebUI<\/a><\/li><li><a href=\"#testing-hbac-rules-on-web-ui\">Testing HBAC Rules on Web UI<\/a><\/li><li><a href=\"#disable-allow-all-rule\">Disable Allow_All Rule<\/a><\/li><li><a href=\"#configure-host-based-access-control-via-cli\">Configure Host-Based Access Control via CLI<\/a><\/li><li><a href=\"#test-the-hbac-rule-on-command-line\">Test the HBAC Rule on Command Line<\/a><\/li><li><a href=\"#disable-allow-all-rule-on-cli\">Disable Allow_all Rule on CLI<\/a><\/li><\/ul><\/li><li><a href=\"#verify-host-based-authentication\">Verify Host Based Authentication<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-host-based-access-control-on-free-ipa-server\">Configuring Host-Based Access Control on FreeIPA Server<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-setup-free-ipa-server\">Install and Setup FreeIPA server<\/h3>\n\n\n\n<p>Ensure you have a running FreeIPA server. 
If you haven&#8217;t set it up yet and need help, check our guide below.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=install+freeipa+server\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup FreeIPA server<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"add-user-accounts-to-free-ipa-server\">Add User Accounts to FreeIPA Server<\/h3>\n\n\n\n<p>Next, you need user accounts created on the FreeIPA server.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/add-freeipa-user-accounts-via-cli-or-web-interface\/\" target=\"_blank\" rel=\"noreferrer noopener\">Add FreeIPA User Accounts via CLI or Web Interface<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-configure-free-ipa-client-on-ubuntu\">Install and Configure FreeIPA Client on Ubuntu<\/h3>\n\n\n\n<p>To enroll your Linux host into FreeIPA, see our example guide below:<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-configure-freeipa-client-on-ubuntu-24-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Configure FreeIPA Client on Ubuntu 24.04<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-host-based-access-control\">Configuring Host-Based Access Control<\/h3>\n\n\n\n<p>Now that the FreeIPA server is up and running with user accounts added, it is time to restrict users to specific hosts.<\/p>\n\n\n\n<p>You can configure FreeIPA host-based access control via the web UI or via the command line.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-host-based-access-control-via-free-ipa-web-ui\">Configure Host-Based Access Control via FreeIPA WebUI<\/h4>\n\n\n\n<p>Log in to the FreeIPA web UI as the IPA admin and navigate to <strong>Policy > Host Based Access Control<\/strong>. 
Click the drop-down and select <strong>HBAC Rules<\/strong> (selected by default).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1623\" height=\"392\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/policy-hbac-rules.png?v=1714827602\" alt=\"\" class=\"wp-image-22424\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/policy-hbac-rules.png?v=1714827602 1623w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/policy-hbac-rules-768x185.png?v=1714827602 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/policy-hbac-rules-1536x371.png?v=1714827602 1536w\" sizes=\"(max-width: 1623px) 100vw, 1623px\" \/><\/figure>\n\n\n\n<p>You will see the default HBAC rules. Click <strong>Add<\/strong> on the right to add a rule; the <strong>Add HBAC rules<\/strong> dialog pops up.<\/p>\n\n\n\n<p>Enter the name of the rule and click &#8220;<strong>Add and Edit<\/strong>&#8220;. In this example the goal is to allow each user to access ONLY their own workstation and not, for example, any other user&#8217;s workstation.<\/p>\n\n\n\n<p>Rules can also target user groups, host groups and HBAC service groups instead of individual users and hosts.<\/p>\n\n\n\n<p>Thus:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>under <strong>General<\/strong> settings, you can optionally set a description of the rule.<\/li>\n\n\n\n<li>specify <strong>Who<\/strong> the rule applies to. Click <strong>Add<\/strong> to select and add the user.<\/li>\n\n\n\n<li>under <strong>Accessing<\/strong>, select and add the hosts the user is allowed to access.<\/li>\n\n\n\n<li>under <strong>Via Service<\/strong>, select the services through which the user may access the host. FreeIPA ships with a set of common services and service groups configured for HBAC rules by default. 
Check them under <strong>Policy > Host-Based Access Control > HBAC Services<\/strong>. Here, I only add the <strong>login<\/strong> service (note that an SSH login is matched by the <strong>sshd<\/strong> service, not <strong>login<\/strong>, so add whichever services your users actually connect through).<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1900\" height=\"894\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules_per-user.png?v=1714827798\" alt=\"\" class=\"wp-image-22427\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules_per-user.png?v=1714827798 1900w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules_per-user-768x361.png?v=1714827798 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules_per-user-1536x723.png?v=1714827798 1536w\" sizes=\"(max-width: 1900px) 100vw, 1900px\" \/><\/figure>\n\n\n\n<p>Click <strong>Save<\/strong> (just above the General settings) to save the rule.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"testing-hbac-rules-on-web-ui\">Testing HBAC Rules on Web UI<\/h4>\n\n\n\n<p>You can now test the rule against the host to confirm that it works. Ensure that the host is already enrolled (the FreeIPA client is installed and the host is joined to the server).<\/p>\n\n\n\n<p>Under <strong>Policy > Host-Based Access Control<\/strong>, click <strong>HBAC Test<\/strong> and:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Who<\/strong>: Select the user to test<\/li>\n\n\n\n<li><strong>Accessing<\/strong>: Select the host to test access against<\/li>\n\n\n\n<li><strong>Via Service<\/strong>: Select the specific service to test. 
We are testing <strong>login<\/strong> here.<\/li>\n\n\n\n<li><strong>Rules<\/strong>: Select the rule(s) to evaluate, here the per-user rule created above. Selecting only that rule shows whether it matches, but says nothing about what other enabled rules (such as <strong>allow_all<\/strong>) still grant; include all enabled rules to see what the host will actually enforce.<\/li>\n\n\n\n<li><strong>Run test<\/strong>: Click <strong>Run test<\/strong> to evaluate the user&#8217;s login against the host.<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1908\" height=\"476\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules-run-test.png?v=1714828403\" alt=\"\" class=\"wp-image-22430\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules-run-test.png?v=1714828403 1908w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules-run-test-768x192.png?v=1714828403 768w, https:\/\/kifarunix.com\/wp-content\/uploads\/2024\/05\/hbac-rules-run-test-1536x383.png?v=1714828403 1536w\" sizes=\"(max-width: 1908px) 100vw, 1908px\" \/><\/figure>\n\n\n\n<p>The result of a test is either:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ACCESS GRANTED<\/strong>: at least one of the evaluated rules allows the user to access the host via the service.<\/li>\n\n\n\n<li><strong>ACCESS DENIED<\/strong>: none of the evaluated rules allows it.<\/li>\n<\/ul>\n\n\n\n<p>You can build further rules the same way to suit your use cases.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"disable-allow-all-rule\">Disable Allow_All Rule<\/h4>\n\n\n\n<p>You can now disable the <strong>allow_all<\/strong> rule. Until it is disabled, the per-user rule restricts nothing, because access is granted as soon as any enabled rule matches. Before disabling it, make sure at least one enabled rule still grants administrators access to the IPA servers themselves (for example via <strong>sshd<\/strong>), and leave <strong>allow_systemd-user<\/strong> enabled, otherwise you may lock yourself out.<\/p>\n\n\n\n<p>Select the rule under HBAC Rules and disable it.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-host-based-access-control-via-cli\">Configure Host-Based Access Control via CLI<\/h4>\n\n\n\n<p>Similarly, you can use the IPA command line tools to configure host-based access control.<\/p>\n\n\n\n<p>The <code>ipa<\/code> command provides a number of subcommands for managing HBAC rules:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>hbacrule-add             hbacrule-add-user        hbacrule-enable          hbacrule-remove-host     
hbacrule-show\nhbacrule-add-host        hbacrule-del             hbacrule-find            hbacrule-remove-service  \nhbacrule-add-service     hbacrule-disable         hbacrule-mod             hbacrule-remove-user\n<\/code><\/pre>\n\n\n\n<p>You can list all the rules using:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-find --all<\/code><\/pre>\n\n\n\n<p>To add an HBAC rule, use <strong>ipa hbacrule-add<\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-add<\/code><\/pre>\n\n\n\n<p>Because no rule name was given on the command line, you are prompted for it:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Rule name: bparker\n-------------------------\nAdded HBAC rule \"bparker\"\n-------------------------\n  Rule name: bparker\n  Enabled: True\n<\/code><\/pre>\n\n\n\n<p>Next, add the user to the rule. The rule name is prompted for again here; the later commands pass it as the first argument instead. To target a user group rather than an individual user, use <code>--groups<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-add-user --users=<strong>bparker<\/strong><\/code><\/pre>\n\n\n\n<p>Where <strong>bparker<\/strong> is the user.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>Rule name: bparker\n  Rule name: bparker\n  Enabled: True\n  Users: bparker\n-------------------------\nNumber of members added 1\n-------------------------\n<\/code><\/pre>\n\n\n\n<p>Next, define the host(s) and the service(s) the rule grants access through (<code>--hostgroups<\/code> and <code>--hbacsvcgroups<\/code> add groups instead of individual members):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-add-host bparker --hosts=node02.kifarunix.com<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  Rule name: bparker\n  Enabled: True\n  Users: bparker\n  Hosts: node02.kifarunix.com\n-------------------------\nNumber of members added 1\n-------------------------\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-add-service bparker --hbacsvcs=login<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  Rule name: bparker\n  Enabled: True\n  Users: bparker\n  Hosts: node02.kifarunix.com\n  HBAC Services: login\n-------------------------\nNumber of members added 1\n-------------------------\n<\/code><\/pre>\n\n\n\n<p>Note that HBAC service names are matched against the PAM service name of the daemon that handles the login (the client logs show it as, for example, <code>pam_sss(sshd:account)<\/code>). <strong>login<\/strong> covers console logins; if users will connect over SSH, add the <strong>sshd<\/strong> service to the rule as well.<\/p>\n\n\n\n<p>And 
that is it.<\/p>\n\n\n\n<p>Confirm the rule exists:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-find<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>--------------------\n4 HBAC rules matched\n--------------------\n  Rule name: allow_all\n  User category: all\n  Host category: all\n  Service category: all\n  Description: Allow all users to access any host from any host\n  Enabled: True\n\n  Rule name: allow_systemd-user\n  User category: all\n  Host category: all\n  Description: Allow pam_systemd to run user@.service to create a system user session\n  Enabled: True\n\n  Rule name: bcooper\n  Description: Allow Cooper to Login to their Machine Only\n  Enabled: True\n\n<strong>  Rule name: bparker\n  Enabled: True\n----------------------------\nNumber of entries returned 4\n----------------------------<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Check its details:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-show bparker<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>  Rule name: bparker\n  Enabled: True\n  Users: bparker\n  Hosts: node02.kifarunix.com\n  HBAC Services: login\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"test-the-hbac-rule-on-command-line\">Test the HBAC Rule on Command Line<\/h4>\n\n\n\n<p>You can now use <strong>ipa hbactest<\/strong> to test the access granted to the user on the respective host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbactest --user=&lt;user> --host=&lt;host> --service=&lt;service> --rules=&lt;rule-name><\/code><\/pre>\n\n\n\n<p>For example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbactest --user=bparker --host=node02.kifarunix.com --service=login --rules=bparker<\/code><\/pre>\n\n\n\n<p>On success you get <strong>Access granted: True<\/strong>, otherwise <strong>False<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>--------------------\nAccess granted: True\n--------------------\n  Matched rules: bparker\n<\/code><\/pre>\n\n\n\n<p><code>--rules<\/code> restricts the test to the named rules, which is why only <strong>bparker<\/strong> is reported as matched: it shows that the rule is well-formed but says nothing about what other enabled rules grant. Omit <code>--rules<\/code> to evaluate every enabled rule, which is what SSSD does on the host; while <strong>allow_all<\/strong> is enabled, that test succeeds for any user on any host. After disabling <strong>allow_all<\/strong>, repeat the test for a host the user should not reach and expect <strong>Access granted: False<\/strong>.<\/p>\n\n\n\n<h4 
class=\"wp-block-heading\" id=\"disable-allow-all-rule-on-cli\">Disable Allow_all Rule on CLI<\/h4>\n\n\n\n<p>Disable the allow_all rule on the CLI. Take the same precaution as above: keep at least one enabled rule that admits administrators to the IPA servers themselves, and leave allow_systemd-user enabled, so that you do not lock yourself out.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ipa hbacrule-disable allow_all<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-host-based-authentication\">Verify Host Based Authentication<\/h3>\n\n\n\n<p>You can now try to log in to the hosts with the respective user accounts.<\/p>\n\n\n\n<p>For example, let&#8217;s SSH into node02 as bparker:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh bparker@192.168.122.81<\/code><\/pre>\n\n\n\n<p>On success you are let in; on a first login you are prompted to reset the password:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>ssh bparker@192.168.122.81\n(bparker@192.168.122.81) Password: \nPassword expired. Change your password now.\n(bparker@192.168.122.81) Current Password: \n(bparker@192.168.122.81) New password: \n(bparker@192.168.122.81) Retype new password: \nCreating directory '\/home\/bparker'.\nWelcome to Ubuntu 24.04 LTS (GNU\/Linux 6.8.0-31-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/pro\n\n System information as of Sat May  4 01:52:35 PM UTC 2024\n\n  System load:  0.04               Processes:               154\n  Usage of \/:   45.4% of 11.21GB   Users logged in:         1\n  Memory usage: 8%                 IPv4 address for enp1s0: 192.168.122.81\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure. 
Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\nExpanded Security Maintenance for Applications is not enabled.\n\n0 updates can be applied immediately.\n\nEnable ESM Apps to receive additional future security updates.\nSee https:\/\/ubuntu.com\/esm or run: sudo pro status\n\n\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\n$ hostname \t\nnode02\n$\n<\/code><\/pre>\n\n\n\n<p>If you log in as a user, or to a host, that no enabled rule covers, the login fails. Example sshd and PAM lines from the client host&#8217;s auth log:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>2024-05-04T16:57:32.396021+03:00 noble sshd[12352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user=bparker\n2024-05-04T16:57:32.456847+03:00 noble sshd[12352]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=bparker\n2024-05-04T16:57:32.479841+03:00 noble sshd[12352]: pam_sss(sshd:account): Access denied for user bparker: 6 (Permission denied)\n2024-05-04T16:57:32.480226+03:00 noble sshd[12349]: error: PAM: User account has expired for bparker from 192.168.122.1\n2024-05-04T16:57:32.491282+03:00 noble sshd[12349]: fatal: monitor_read: unpermitted request 104\n<\/code><\/pre>\n\n\n\n<p>Read these in order. The <code>pam_unix<\/code> failure is expected, since the user is not in the local passwd and shadow files. <code>pam_sss(sshd:auth)<\/code> then accepts the password, so this is not a credential problem. <code>pam_sss(sshd:account)<\/code> denies access in the PAM account phase, which is where SSSD enforces HBAC. OpenSSH reports any failed PAM account check with the generic message <em>User account has expired<\/em>, so that line does not mean the account actually expired; the authoritative line is the <code>pam_sss(sshd:account)<\/code> one. An HBAC denial therefore looks different from a wrong password, where <code>pam_sss(sshd:auth)<\/code> itself fails, and the two should be distinguished when alerting on these logs.<\/p>\n\n\n\n<p>And 
You can fine grain your rules to suit your needs.<\/p>\n\n\n\n<p>That concludes our guide on how to setup host based access control on FreeIPA.<\/p>\n\n\n\n<p>If you are using OpenLDAP, check;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-openldap-host-based-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure OpenLDAP Host Based Authentication<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Follow through this guide to learn how to configure Host-based access control on FreeIPA server. If you are using FreeIPA to manage authentication, you might<\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1152],"tags":[247,7478,7480,7479],"class_list":["post-22418","post","type-post","status-publish","format-standard","hentry","category-howtos","category-directory-server","category-freeipa","tag-freeipa","tag-freeipa-hbac-rules","tag-hbac","tag-host-based-authentication","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22418"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=22418"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22418\/revisions"}],"predecessor-version":[{"id":22434,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/22418\/revisions\/22434"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=22418"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/k
ifarunix.com\/wp-json\/wp\/v2\/categories?post=22418"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=22418"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}