14.2. Creating Host-Based Access Control Entries for Services and Service Groups
Any PAM service can be identified to the host-based access control (HBAC) system in IPA. The service entries used in host-based access control are separate from adding a service to the IPA domain. Adding a service to the domain makes it a recognized resource which is available to other resources. Adding a domain resource to the host-based access control configuration allows administrators to exert defined control over which domain users and which domain clients can access that service.
Some common services are already configured as HBAC services, so they can be used in host-based access control rules. Additional services can be added, and services can be added into service groups for simpler management.
14.2.2. Adding Service Groups
Once the individual service is added, it can be added to the access control rule. However, if there is a large number of services, then it can require frequent updates to the access control rules as services change. Identity Management also allows groups of services to be added to access control rules. This makes it much easier to manage access control, because the members of the service group can be changed without having to edit the rule itself.
14.2.2.1. Adding Service Groups in the Web UI
Click the Policy tab.
Click the Host-Based Access Control subtab, and then select the HBAC Service Groups link.
Click the Add link at the top of the list of service groups.
Enter the service group name and a description.
Click the Add and Edit button to go immediately to the service configuration page.
At the top of the HBAC Services tab, click the Add link.
Click the checkbox by the names of the services to add, and click the right arrows button, >>, to move the services to the selection box.
Click the Enroll button to save the group membership.
14.2.2.2. Adding Service Groups in the Command Line
First create the service group entry, then create the service, and then add that service to the service group as a member. For example:
$ ipa hbacsvcgroup-add --desc="login services" login
--------------------------------
Added HBAC service group "login"
--------------------------------
Service group name: login
Description: login services
$ ipa hbacsvc-add --desc="SSHD service" sshd
-------------------------
Added HBAC service "sshd"
-------------------------
$ ipa hbacsvcgroup-add-member --hbacsvcs=sshd login
Service group name: login
Description: login services
-------------------------
Number of members added 1
-------------------------
IPA defines two default service groups: SUDO for sudo services and FTP for services which provide FTP access.
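Because service group membership is what changes over time while the rule stays fixed, an administrator usually wants to bring a group to a known membership without issuing duplicate add-member commands or leaving stale members behind. The following script is an added example, not part of the Identity Management documentation: it parses the text printed by ipa hbacsvcgroup-show (the "Member HBAC service:" attribute label and the constructed sample output are assumptions) and plans the ipa hbacsvcgroup-add-member and ipa hbacsvcgroup-remove-member invocations needed to reach a desired membership, running them only when dry_run is off.

```python
"""Plan idempotent membership changes for an IPA HBAC service group.

Added example; it is not code from the IdM documentation. It assumes
that `ipa hbacsvcgroup-show <group>` lists members on a line labelled
"Member HBAC service:" and that multivalue options accept a
comma-separated list (--hbacsvcs=a,b).
"""
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample of `ipa hbacsvcgroup-show login` output (assumed format).
SAMPLE_SHOW_OUTPUT = """\
  Service group name: login
  Description: login services
  Member HBAC service: sshd, login
"""


def parse_show_output(text: str) -> Dict[str, List[str]]:
    """Turn 'Label: value[, value...]' lines into a dict of value lists."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        attrs[label.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def current_members(show_output: str) -> Set[str]:
    """Extract the current HBAC service members from the show output."""
    return set(parse_show_output(show_output).get("Member HBAC service", []))


def plan_changes(group: str, current: Set[str], desired: Set[str]) -> List[List[str]]:
    """Return the ipa command lines that move `current` to `desired`.

    Only the differences are acted on, so re-running against a group
    that already matches produces no commands.
    """
    commands: List[List[str]] = []
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if to_add:
        commands.append(
            ["ipa", "hbacsvcgroup-add-member", "--hbacsvcs=" + ",".join(to_add), group]
        )
    if to_remove:
        commands.append(
            ["ipa", "hbacsvcgroup-remove-member", "--hbacsvcs=" + ",".join(to_remove), group]
        )
    return commands


def reconcile(
    group: str,
    desired: List[str],
    show_output: Optional[str] = None,
    dry_run: bool = True,
) -> List[List[str]]:
    """Compute (and optionally apply) the changes for one service group.

    `show_output` lets a caller inject captured text for testing; when it
    is None the script queries the IPA server with `ipa hbacsvcgroup-show`.
    """
    if show_output is None:
        show_output = subprocess.run(
            ["ipa", "hbacsvcgroup-show", group],
            check=True, capture_output=True, text=True,
        ).stdout
    commands = plan_changes(group, current_members(show_output), set(desired))
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    # Dry run against the constructed sample: plans one add and one removal.
    reconcile("login", ["sshd", "gdm"], show_output=SAMPLE_SHOW_OUTPUT)
```

Run it with dry_run left at its default to review the planned commands before applying them; the HBAC rule that references the service group never needs to change, which is the point of grouping services in the first place.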