Configure Host-Based Access Control on FreeIPA Server

|
Last Updated:
|
|

Follow through this guide to learn how to configure Host-based access control on FreeIPA server. If you are using FreeIPA to manage authentication, you might have realized that by default, any user can login to any host system that is connected or joined to the FreeIPA server. This is because, FreeIPA IdM is configured with a default HBAC rule named allow_all, which allows universal access to every host for every user via every relevant service in the entire IdM domain. This poses a security risk. It is therefore prudent to restrict user access to specific host systems.

Configuring Host-Based Access Control on FreeIPA Server

Install and Setup FreeIPA server

Ensure you have a running FreeIPA server. If you haven’t set it up and you need help on how to, check our guide below.

Install and Setup FreeIPA server

Add User Accounts to FreeIPA Server

Next, you need to have user accounts created on the FreeIPA server.

Add FreeIPA User Accounts via CLI or Web Interface

Install and Configure FreeIPA Client on Ubuntu

To enroll your Linux host into FreeIPA, see our example guide below;

Install and Configure FreeIPA Client on Ubuntu 24.04

Configuring Host-Based Access Control

Now that you have FreeIPA server up and running, with user accounts already added, it is now time to restrict users to specific systems based on their hostnames.

You can configure FreeIPA host-based access control via web user interface or via the command line.

Configure Host-Based Access Control via FreeIPA WebUI

Login to FreeIPA web dashboard as IPA admin and navigate to Policy > Host Based Access Control. Click drop-down button and select HBAC Rules (selected by default).

policy hbac rules

You will see default HBAC rules. Click Add on the right side to add the rules. Add HBAC rules wizard pops up.

Enter the name of the rule and click “Add and Edit“. Note that I am interested in allowing users to access ONLY their work stations and not any other user’s workstation, for example.

It is also possible ti create access based on groups and their roles!

Thus:

  • under General settings, you can optionally set a description of the access control.
  • specify Who the rules applies to. Click Add to select and add the user.
  • under Accessing, select and add hosts the user is allowed to access
  • on Via Service, select which service to allow the user on the host. FreeIPA server ships with some common services and service groups configured for HBAC rules by default. Check them under Policy > Host-Based Access Control>HBAC Services. Here, am only interested in login service.
hbac rules per user

Click Save (just above the General settings) to save the rules.

Testing HBAC Rules on Web UI

You can now test the rules against the host to confirm if they work. Ensure that you have enrolled the host (installed the FreeIPA client and connected the client host to the server already).

Under Policy > Host-Based Access Control, click HBAC Test and:

  1. Who: Select the user whom you want to test
  2. Accessing: Select the system to test access against
  3. Via Service: Select specific service to test. We are doing login here.
  4. Rules: Select the individual user rule we created before.
  5. Run test: Click Run test to confirm the user login against the host.
hbac rules run test

The results of a test can either be:

  • ACCESS GRANTED, the user is able to access the host successfully.
  • ACCESS DENIED, the user is not granted access in the test.

You can do more access controls based on your use cases!

Disable Allow_All Rule

You can now disable allow_all rule.

Select the rule from HBAC Rules and disable it.

Configure Host-Based Access Control via CLI

Similarly, you can also use IPA command line tools to configure host based access control.

There is quite a number of IPA command line arguments that you can use to manage HBAC on FreeIPA.

hbacrule-add             hbacrule-add-user        hbacrule-enable          hbacrule-remove-host     hbacrule-show
hbacrule-add-host        hbacrule-del             hbacrule-find            hbacrule-remove-service  
hbacrule-add-service     hbacrule-disable         hbacrule-mod             hbacrule-remove-user

You can list all the rules using;

ipa hbacrule-find --all

To add HBAC rule, use the command, ipa hbacrule-add.

ipa hbacrule-add

You will be prompted for rule name ;

Rule name: bparker
-------------------------
Added HBAC rule "bparker"
-------------------------
  Rule name: bparker
  Enabled: True

Next, apply the rule to the user;

ipa hbacrule-add-user --users=bparker

Where bparker is my user.

Rule name: bparker
  Rule name: bparker
  Enabled: True
  Users: bparker
-------------------------
Number of members added 1
-------------------------

Next define the hosts as well as the service to grant user access to:

ipa hbacrule-add-host bparker --hosts=node02.kifarunix.com
  Rule name: bparker
  Enabled: True
  Users: bparker
  Hosts: node02.kifarunix.com
-------------------------
Number of members added 1
-------------------------
ipa hbacrule-add-service bparker --hbacsvcs=login
  Rule name: bparker
  Enabled: True
  Users: bparker
  Hosts: node02.kifarunix.com
  HBAC Services: login
-------------------------
Number of members added 1
-------------------------

And that is it.

Confirm availability of the rule;

ipa hbacrule-find
--------------------
4 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: True

  Rule name: allow_systemd-user
  User category: all
  Host category: all
  Description: Allow pam_systemd to run [email protected] to create a system user session
  Enabled: True

  Rule name: bcooper
  Description: Allow Cooper to Login to their Machine Only
  Enabled: True

  Rule name: bparker
  Enabled: True
----------------------------
Number of entries returned 4
----------------------------

Check details;

ipa hbacrule-show bparker
  Rule name: bparker
  Enabled: True
  Users: bparker
  Hosts: node02.kifarunix.com
  HBAC Services: login

Test the HBAC Rule on Command Line

You can now use the command, ipa hbactest, to test the access granted to the user on the respective host.

ipa hbactest --user=<user> --host=<host> --service=<service> --rules=<rule-name>

E.g

ipa hbactest --user=bparker --host=node02.kifarunix.com --service=login --rules=bparker

If success, you get Access granted: True otherwise False.

--------------------
Access granted: True
--------------------
  Matched rules: bparker

Disable Allow_all Rule on CLI

You can disable allow all rule on CLI;

ipa hbacrule-disable allow_all

Verify Host Based Authentication

You can now try to login to the respective systems using respective user accounts.

For example, let’s SSH into Node02 as Bparker;

ssh [email protected]

if success, you are prompted to first reset the password (if first login);

ssh [email protected]
([email protected]) Password: 
Password expired. Change your password now.
([email protected]) Current Password: 
([email protected]) New password: 
([email protected]) Retype new password: 
Creating directory '/home/bparker'.
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.8.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat May  4 01:52:35 PM UTC 2024

  System load:  0.04               Processes:               154
  Usage of /:   45.4% of 11.21GB   Users logged in:         1
  Memory usage: 8%                 IPv4 address for enp1s0: 192.168.122.81
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

$ hostname 	
node02
$

If you try to login as another user or to a system whose access is not granted, then, it will fail. Such example logs for SSH.

2024-05-04T16:57:32.396021+03:00 noble sshd[12352]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user=bparker
2024-05-04T16:57:32.456847+03:00 noble sshd[12352]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1 user=bparker
2024-05-04T16:57:32.479841+03:00 noble sshd[12352]: pam_sss(sshd:account): Access denied for user bparker: 6 (Permission denied)
2024-05-04T16:57:32.480226+03:00 noble sshd[12349]: error: PAM: User account has expired for bparker from 192.168.122.1
2024-05-04T16:57:32.491282+03:00 noble sshd[12349]: fatal: monitor_read: unpermitted request 104

And that is it. You can fine grain your rules to suit your needs.

That concludes our guide on how to setup host based access control on FreeIPA.

If you are using OpenLDAP, check;

Configure OpenLDAP Host Based Authentication

SUPPORT US VIA A VIRTUAL CUP OF COFFEE

We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
Kifarunix
Linux Certified Engineer, with a passion for open-source technology and a strong understanding of Linux systems. With experience in system administration, troubleshooting, and automation, I am skilled in maintaining and optimizing Linux infrastructure.

Leave a Comment