#176 Use dedicated ipsilon PAM service
Closed: Fixed None Opened 4 years ago by dkelson.

Currently ipsilon-server-install --pam-service and --form-service default to "remote", which is a PAM service used by other stuff on Linux. Instead it should default to "ipsilon".

This is especially important when using HBAC with freeIPA with allow_all disabled (as everyone should do). In such as configuration, here is the freeIPA ipsilon HBAC configuration:

ipa hbacrule-add --usercat=all --hostcat=idp.example.com --servicecat=ipsilon --desc="All users can use ipsilon IdP"
ipa hbacsvc-add ipsilon --desc="ipsilon IdP"
ipa hbacrule-add-service allow_ipsilon --hbacsvcs=ipsilon
ipa hbacrule-add-host allow_ipsilon --hosts=idp.example.com


A pam service ipsilon also needs to be created/provided on the IdP to provide the ipsilon service. This should match the contents of the pam remote service.

Fields changed

milestone: => 1.2

What package does provide that --pam-service option? I use ipsilon-1.0.0-11.el7.noarch, I have pretty much everything ipsilon-related installed, but

ipsilon-server-install --help | grep pam

does not list it.

As a matter of fact, when I use

--form yes --gssapi yes

the /etc/ipsilon/idp/idp.conf gets configured with

InterceptFormPAMService remote

but with

AuthType GSSAPI
Require valid-user

So it looks like, --gssapi should be changed to start using mod_authnz_pam's

require pam-account remote

first.

Should I file new ticket for that?

Replying to [comment:3 adelton]:

What package does provide that --pam-service option? I use ipsilon-1.0.0-11.el7.noarch, I have pretty much everything ipsilon-related installed, but

ipsilon-server-install --help | grep pam

It is provided by the package ipsilon-authpam

As a matter of fact, when I use

--form yes --gssapi yes

the /etc/ipsilon/idp/idp.conf gets configured with

InterceptFormPAMService remote

but with

AuthType GSSAPI
Require valid-user

So it looks like, --gssapi should be changed to start using mod_authnz_pam's

require pam-account remote

first.

Should I file new ticket for that?

I think both cases can be covered by this ticket.

I suggest we don't worry about upgrade cases and just focus on new installs for this feature.

Fields changed

owner: => jdennis
status: new => assigned

Fields changed

patch_available: 0 => 1

This has been merged with 174823c

resolution: => fixed
status: assigned => closed

Metadata Update from @puiterwijk:
- Issue assigned to jdennis
- Issue set to the milestone: 1.2

2 years ago

Login to comment on this ticket.

Metadata