
Folks,

Is there a way to add an exception for an authentication rule? I am running 6.4.12.353 on a Sun10 box. I have a rule that matches the user's group for external accesses:

    <group name = "EXTERNAL">
        <selector>
            <user-group name = "client"/>
        </selector>
    </group>
    <rule group = "EXTERNAL" idle-timeout = "600">
        <environment allowed-case-sensitive = "TERM,PATH,TZ,LANG,LC_*"/>
        <terminal action = "deny"/>
        <subsystem
            type = "sftp"
            action = "allow"
            application = "sft-server-g3"
            chroot = "%homedir%"/>
        <command action = "deny"/>
        <tunnel-local action = "deny"/>
        <tunnel-remote action = "deny"/>
    </rule>

This is working fine: the rule denies terminal and sends connections to SFT-SERVER; however, I want a specific user (appadmin) who is a member of the 'client' group to be allowed a terminal, so I added to the top of the rules:

    <group name = "CLIENTTERM">
        <selector>
            <user name = "appadmin"/>
        </selector>
    </group>
    <rule group = "CLIENTTERM" idle-timeout = "600">
        <terminal action = "allow"/>
        <command action = "deny"/>
    </rule>

but this is not working: I see the rule above selected, and then the user is denied by policy:

Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 801 Authentication_block_selected, Username: appadmin, Policy name: authentication, Session-Id: 9693, "file: /etc/ssh2/ssh-server-config.xml, line: 101"
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 703 Auth_methods_available, Username: appadmin, Auth methods: password,publickey,keyboard-interactive, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 701 Auth_method_failure, Username: appadmin, Auth method: publickey, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 703 Auth_methods_available, Username: appadmin, Auth methods: password,publickey,keyboard-interactive, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 700 Auth_method_success, Username: appadmin, Auth method: publickey, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 802 Authentication_block_allow, Username: appadmin, Policy name: authentication, Session-Id: 9693, "file: /etc/ssh2/ssh-server-config.xml, line: 101"
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 702 Auth_methods_completed, Username: appadmin, Auth methods: publickey, Src IP: 10.229.69.1, Src Port: 59468, Ver: SSH-2.0-Sun_SSH_1.1.6, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 804 Group_selected, Username: appadmin, Policy name: CLIENTTERM, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 805 Rule_selected, Username: appadmin, Policy name: CLIENTTERM, Session-Id: 9693, "file: /etc/ssh2/ssh-server-config.xml, line: 129"
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 410 Login_success, Username: appadmin, Src IP: 10.229.69.1, Dst IFace: default, Dst IP: 10.229.69.2, Src Port: 59468, Dst Port: 22, Ver: SSH-2.0-Sun_SSH_1.1.6, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 420 Session_channel_open, Username: appadmin, Error: Denied by policy, Command: hostname, Sub ID: 0, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 421 Session_channel_close, Username: appadmin, Sub ID: 0, Session-Id: 9693
Jun 28 10:14:45 ssh-server-g3: [ID 702911 daemon.notice] 412 Logout, Username: appadmin, Reason: Connection lost, Src IP: 10.229.69.1, Dst IFace: default, Dst IP: 10.229.69.2, Src Port: 59468, Dst Port: 22, "Connection lost, Local Disconnect", Session-Id: 9693

How can I accomplish it? Appreciated.

asked Jun 28 '16 at 18:27

fmattos


I've found the fix. As selector rules are ANDed, I just had to tune it a lil' more by adding another matching criterion for the user I want to have terminal access.


answered Jul 06 '16 at 23:44

fmattos
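An evaluator for the group-selector and rule logic discussed in the question and the answer, added here as an example (it is not code from the original post or from the Tectia product). It assumes the documented semantics that subelements inside one `<selector>` are ANDed, that several `<selector>` elements in one group are ORed, and that the first matching `<group>` in file order wins; it only implements the `user` and `user-group` selector types, and the `<services>` wrapper element and the CLIENTTERM-first ordering are assumptions taken from the post.

```python
import xml.etree.ElementTree as ET
# Constructed <services> fragment modelled on the groups/rules posted above.
CONFIG = """<services>
  <group name="CLIENTTERM"><selector><user name="appadmin"/></selector></group>
  <group name="EXTERNAL"><selector><user-group name="client"/></selector></group>
  <rule group="CLIENTTERM" idle-timeout="600">
    <terminal action="allow"/><command action="deny"/>
  </rule>
  <rule group="EXTERNAL" idle-timeout="600">
    <terminal action="deny"/><command action="deny"/>
    <subsystem type="sftp" action="allow" application="sft-server-g3" chroot="%homedir%"/>
    <tunnel-local action="deny"/><tunnel-remote action="deny"/>
  </rule>
</services>"""
SERVICES = ET.fromstring(CONFIG)

def selector_matches(selector, user, user_groups):
    # Every subelement of one <selector> must match (AND); only the two
    # selector types used on this page are implemented.
    for cond in selector:
        if cond.tag == "user" and cond.get("name") != user:
            return False
        if cond.tag == "user-group" and cond.get("name") not in user_groups:
            return False
        if cond.tag not in ("user", "user-group"):
            raise NotImplementedError(cond.tag)
    return True

def select_group(services, user, user_groups):
    # Groups are tried in file order and the first match wins; several
    # <selector> elements inside one group are alternatives (OR).
    for group in services.findall("group"):
        if any(selector_matches(s, user, user_groups) for s in group.findall("selector")):
            return group.get("name")
    return None

def channel_action(services, user, user_groups, channel, subsystem=None):
    # 'allow'/'deny' that the matched group's rule gives a channel request
    # (terminal, command, subsystem, ...), or None if the rule is silent on it.
    group = select_group(services, user, user_groups)
    for rule in services.findall("rule"):
        if rule.get("group") == group:
            for elem in rule.findall(channel):
                if channel != "subsystem" or elem.get("type") == subsystem:
                    return elem.get("action")
    return None

if __name__ == "__main__":  # appadmin: shell allowed, remote command denied
    print(channel_action(SERVICES, "appadmin", {"client"}, "terminal"),
          channel_action(SERVICES, "appadmin", {"client"}, "command"))
```

Run against the posted configuration it reports CLIENTTERM for appadmin with terminal allowed and command denied, which is the combination the `Session_channel_open ... Command: hostname ... Denied by policy` log line records.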

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.