Autentisering via LDAP och Kerberos i FreeBSD 10: Difference between revisions

From Peters wiki
Jump to navigation Jump to search
← Older edit
mNo edit summary
mNo edit summary
 
(49 intermediate revisions by the same user not shown)
Line 1: Line 1:
Denna guide är under utveckling.
__NOTOC__
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i FreeBSD 10. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.
__TOC__


== Installera SSSD ==


Installera följande:
Installera följande:
{{RootCmd|portmaster security/cyrus-sasl2-gssapi}}
Välj Heimdal från systemetet, dvs BASE.
{{RootCmd|portmaster net/openldap24-sasl-client}}
Välj GSSAPI. Slutligen installera SSSD:
{{RootCmd|portmaster security/sssd}}


{{RootCmd|portmaster security/pam_krb5}}
== Kerberos ==
Välj att länka mot Heimdal Kerberos.


Editera /etc/krb5.conf:
Editera /etc/krb5.conf:
Line 14: Line 21:
[realms]
[realms]
     EXAMPLE.COM = {
     EXAMPLE.COM = {
         kdc = kdc.example.com
         kdc = ns.example.com
admin_server = kdc.example.com
        admin_server = ns.example.com
default_domain = example.com
        default_domain = example.com
     }
     }


Line 24: Line 31:
}}
}}


Skapa och kopiera en /etc/krb5.keytab fil.
Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:
{{RootCmd|/usr/local/bin/kadmin -p kadmin/admin}}
Kör kadmin kommandot:
{{bc|kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM}}
Spara sen nycklarna i filen /etc/krb5.keytab:
{{bc|kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM}}
Logga ut från kadmin.
 
=== PAM ===
 
Editera /etc/pam.d/system:
{{bc|1=
# auth
auth            sufficient      pam_opie.so no_warn no_fake_prompts
auth            requisite      pam_opieaccess.so no_warn allow_local
'''auth            sufficient      /usr/local/lib/pam_sss.so forward_pass'''
#auth          sufficient      pam_krb5.so no_warn try_first_pass
#auth          sufficient      pam_ssh.so no_warn try_first_pass
auth            required        pam_unix.so no_warn try_first_pass nullok
 
# account
'''account        required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail'''
#account        required        pam_krb5.so
account        required        pam_login_access.so
account        required        pam_unix.so
 
# session
#session        optional        pam_ssh.so want_agent
session        required        pam_lastlog.so no_fail
 
# password
'''password        sufficient      /usr/local/lib/pam_sss.so use_authtok'''
#password      sufficient      pam_krb5.so no_warn try_first_pass
password        required        pam_unix.so no_warn try_first_pass
}}
 
Editera /etc/pam.d/sshd:
{{bc|1=
# auth
auth            sufficient pam_opie.so no_warn no_fake_prompts
auth            requisite pam_opieaccess.so no_warn allow_local
'''auth            sufficient      /usr/local/lib/pam_sss.so forward_pass'''
#auth          sufficient pam_krb5.so no_warn try_first_pass
auth            sufficient pam_ssh.so no_warn try_first_pass
auth            required pam_unix.so no_warn try_first_pass
 
# account
account        required pam_nologin.so
'''account        required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail'''
#account        required pam_krb5.so
account        required pam_login_access.so
account        required pam_unix.so
 
# session
#session        optional pam_ssh.so want_agent
session        required pam_permit.so
 
# password
'''password        sufficient      /usr/local/lib/pam_sss.so use_authtok'''
#password      sufficient pam_krb5.so no_warn try_first_pass
password        required pam_unix.so no_warn try_first_pass
}}
 
== NSS ==
 
Editera /etc/nsswitch.conf:
{{bc|
group: files sss
passwd: files sss
}}
 
Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat.


Editera följande /etc/pam.d filer och rader:
=== SSSD ===
 
Editera /usr/local/etc/sssd/sssd.conf:
{{bc|1=
{{bc|1=
ftp:auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=5000
[sssd]
ftp:account required /usr/local/lib/security/pam_krb5.so minimum_uid=5000
config_file_version = 2
ftpd:auth sufficient /usr/local/lib/security/pam_krb5.so minimum_uid=5000
services = nss, pam
ftpd:account required /usr/local/lib/security/pam_krb5.so minimum_uid=5000
domains = LOCAL, EXAMPLE.COM
other:auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass minimum_uid=5000
 
other:account required /usr/local/lib/security/pam_krb5.so minimum_uid=5000
[nss]
sshd:auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass minimum_uid=5000
filter_groups = root
sshd:account required /usr/local/lib/security/pam_krb5.so minimum_uid=5000
filter_users = root
sshd:password         sufficient /usr/local/lib/security/pam_krb5.so try_first_pass minimum_uid=5000
reconnection_retries = 3
system:auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass minimum_uid=5000
entry_cache_timeout = 300
system:account required /usr/local/lib/security/pam_krb5.so minimum_uid=5000
entry_cache_nowait_percentage = 75
system:password         sufficient /usr/local/lib/security/pam_krb5.so try_first_pass minimum_uid=5000
#override_shell = /usr/local/bin/bash
#override_homedir = /usr/home/%u
 
[pam]
reconnection_retries = 3
 
[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit
 
[domain/EXAMPLE.COM]
debug_level = 0
min_id = 5000
cache_credentials = true
 
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
sudo_provider = none
 
ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/cert.pem
 
krb5_realm = EXAMPLE.COM
krb5_server = ns.example.com
krb5_kpasswd = ns.example.com
}}
}}


{{RootCmd|portmaster net/nss-pam-ldapd-sasl}}
Skydda filen:
Välj bort pam_ldap stödet.
{{RootCmd|chmod 600 /usr/local/etc/sssd/sssd.conf}}
Välj GSSAPI för open-sasl-client.


{{RootCmd|portmaster security/cyrus-sasl2-gssapi}}
Editera /etc/rc.conf:
Välj Use Heimdal in base.
{{bc|1=
sssd_enable="YES"
}}
 
Starta sssd:
{{RootCmd|service sssd start
}}
 
Verifiera med kommandona:
{{RootCmd|getent passwd <username>
|getent group <groupname>
}}
 
== SSH ==
För att kunna logga in med Kerberos ticket, editera filen /etc/ssh/sshd_config och ändra följande rad till:
{{bc|GSSAPIAuthentication yes}}
Starta om sshd med kommandot:
{{RootCmd|service sshd restart}}


[[Category:Guide]]
[[Category:GammalGuide]]

Latest revision as of 19:46, 12 August 2023

Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i FreeBSD 10. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.

Installera SSSD

Installera följande:

root # portmaster security/cyrus-sasl2-gssapi

Välj Heimdal från systemetet, dvs BASE.

root # portmaster net/openldap24-sasl-client

Välj GSSAPI. Slutligen installera SSSD:

root # portmaster security/sssd

Kerberos

Editera /etc/krb5.conf: 

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ns.example.com
        admin_server = ns.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:

root # /usr/local/bin/kadmin -p kadmin/admin

Kör kadmin kommandot: 

kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM

Spara sen nycklarna i filen /etc/krb5.keytab: 

kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM

Logga ut från kadmin.

PAM

Editera /etc/pam.d/system: 

# auth
auth            sufficient      pam_opie.so		no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so	no_warn allow_local
auth            sufficient      /usr/local/lib/pam_sss.so forward_pass
#auth           sufficient      pam_krb5.so		no_warn try_first_pass
#auth           sufficient      pam_ssh.so		no_warn try_first_pass
auth            required        pam_unix.so		no_warn try_first_pass nullok

# account
account         required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so		want_agent
session         required        pam_lastlog.so		no_fail

# password
password        sufficient      /usr/local/lib/pam_sss.so use_authtok
#password       sufficient      pam_krb5.so		no_warn try_first_pass
password        required        pam_unix.so		no_warn try_first_pass

Editera /etc/pam.d/sshd: 

# auth
auth            sufficient	pam_opie.so		no_warn no_fake_prompts
auth            requisite	pam_opieaccess.so	no_warn allow_local
auth            sufficient      /usr/local/lib/pam_sss.so forward_pass
#auth           sufficient	pam_krb5.so		no_warn try_first_pass
auth            sufficient	pam_ssh.so		no_warn try_first_pass
auth            required	pam_unix.so		no_warn try_first_pass

# account
account         required	pam_nologin.so
account         required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
#account        required	pam_krb5.so
account         required	pam_login_access.so
account         required	pam_unix.so

# session
#session        optional	pam_ssh.so		want_agent
session         required	pam_permit.so

# password
password        sufficient      /usr/local/lib/pam_sss.so use_authtok
#password       sufficient	pam_krb5.so		no_warn try_first_pass
password        required	pam_unix.so		no_warn try_first_pass

NSS

Editera /etc/nsswitch.conf: 

group: files sss
passwd: files sss

Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat.

SSSD

Editera /usr/local/etc/sssd/sssd.conf: 

[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL, EXAMPLE.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
#override_shell = /usr/local/bin/bash
#override_homedir = /usr/home/%u

[pam]
reconnection_retries = 3

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/EXAMPLE.COM]
debug_level = 0
min_id = 5000
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
sudo_provider = none

ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/cert.pem

krb5_realm = EXAMPLE.COM
krb5_server = ns.example.com
krb5_kpasswd = ns.example.com

Skydda filen:

root # chmod 600 /usr/local/etc/sssd/sssd.conf

Editera /etc/rc.conf: 

sssd_enable="YES"

Starta sssd:

root # service sssd start

Verifiera med kommandona:

root # getent passwd <username>
root # getent group <groupname>

SSH

För att kunna logga in med Kerberos ticket, editera filen /etc/ssh/sshd_config och ändra följande rad till: 

GSSAPIAuthentication yes

Starta om sshd med kommandot:

root # service sshd restart
Retrieved from "http://www.kerwien.se/index.php?title=Autentisering_via_LDAP_och_Kerberos_i_FreeBSD_10&oldid=3387"