Autentisering via LDAP och Kerberos i FreeBSD 10: Difference between revisions
Jump to navigation
Jump to search
mNo edit summary |
|||
| (33 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
Denna guide | __NOTOC__ | ||
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i FreeBSD 10. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com. | |||
__TOC__ | |||
== Installera SSSD == | |||
Installera följande: | |||
{{RootCmd|portmaster security/cyrus-sasl2-gssapi}} | |||
Välj Heimdal från systemetet, dvs BASE. | |||
{{RootCmd|portmaster net/openldap24-sasl-client}} | |||
Välj GSSAPI. Slutligen installera SSSD: | |||
{{RootCmd|portmaster security/sssd}} | |||
== Kerberos == | == Kerberos == | ||
Editera /etc/krb5.conf: | |||
{{bc|1= | {{bc|1= | ||
[libdefaults] | [libdefaults] | ||
| Line 14: | Line 21: | ||
[realms] | [realms] | ||
EXAMPLE.COM = { | EXAMPLE.COM = { | ||
kdc = | kdc = ns.example.com | ||
admin_server = ns.example.com | |||
default_domain = example.com | |||
} | } | ||
| Line 24: | Line 31: | ||
}} | }} | ||
Skapa en Kerberos | Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals: | ||
{{RootCmd|/usr/local/bin/kadmin -p kadmin/admin}} | |||
Kör kadmin kommandot: | |||
{{bc|kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM}} | |||
Spara sen nycklarna i filen /etc/krb5.keytab: | |||
{{bc|kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM}} | |||
Logga ut från kadmin. | |||
Editera /etc/pam.d/ | === PAM === | ||
Editera /etc/pam.d/system: | |||
{{bc|1= | {{bc|1= | ||
# auth | # auth | ||
auth | auth sufficient pam_opie.so no_warn no_fake_prompts | ||
auth | auth requisite pam_opieaccess.so no_warn allow_local | ||
'''auth | '''auth sufficient /usr/local/lib/pam_sss.so forward_pass''' | ||
... | #auth sufficient pam_krb5.so no_warn try_first_pass | ||
#auth sufficient pam_ssh.so no_warn try_first_pass | |||
auth required pam_unix.so no_warn try_first_pass nullok | |||
# account | # account | ||
'''account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail''' | |||
'''account | #account required pam_krb5.so | ||
... | account required pam_login_access.so | ||
account required pam_unix.so | |||
# session | |||
#session optional pam_ssh.so want_agent | |||
session required pam_lastlog.so no_fail | |||
# password | # password | ||
'''password sufficient /usr/local/lib/ | '''password sufficient /usr/local/lib/pam_sss.so use_authtok''' | ||
password required pam_unix.so no_warn try_first_pass | #password sufficient pam_krb5.so no_warn try_first_pass | ||
password required pam_unix.so no_warn try_first_pass | |||
}} | }} | ||
Editera /etc/pam.d/sshd: | |||
{{bc|1= | |||
{{ | # auth | ||
auth sufficient pam_opie.so no_warn no_fake_prompts | |||
auth requisite pam_opieaccess.so no_warn allow_local | |||
'''auth sufficient /usr/local/lib/pam_sss.so forward_pass''' | |||
#auth sufficient pam_krb5.so no_warn try_first_pass | |||
auth sufficient pam_ssh.so no_warn try_first_pass | |||
auth required pam_unix.so no_warn try_first_pass | |||
# account | |||
account required pam_nologin.so | |||
'''account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail''' | |||
#account required pam_krb5.so | |||
account required pam_login_access.so | |||
account required pam_unix.so | |||
# session | |||
#session optional pam_ssh.so want_agent | |||
session required pam_permit.so | |||
# password | |||
'''password sufficient /usr/local/lib/pam_sss.so use_authtok''' | |||
#password sufficient pam_krb5.so no_warn try_first_pass | |||
password required pam_unix.so no_warn try_first_pass | |||
}} | }} | ||
== NSS == | |||
Editera /etc/nsswitch.conf: | Editera /etc/nsswitch.conf: | ||
{{bc| | {{bc| | ||
group: files | group: files sss | ||
passwd: files | passwd: files sss | ||
}} | }} | ||
Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat. | Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat. | ||
=== SSSD === | |||
Editera /usr/local/etc/sssd/sssd.conf: | |||
{{bc|1= | |||
[sssd] | |||
config_file_version = 2 | |||
services = nss, pam | |||
domains = LOCAL, EXAMPLE.COM | |||
[nss] | |||
filter_groups = root | |||
filter_users = root | |||
reconnection_retries = 3 | |||
entry_cache_timeout = 300 | |||
entry_cache_nowait_percentage = 75 | |||
#override_shell = /usr/local/bin/bash | |||
#override_homedir = /usr/home/%u | |||
[pam] | |||
reconnection_retries = 3 | |||
[domain/LOCAL] | |||
id_provider = local | |||
auth_provider = local | |||
access_provider = permit | |||
[domain/EXAMPLE.COM] | |||
debug_level = 0 | |||
min_id = 5000 | |||
cache_credentials = true | |||
id_provider = ldap | |||
auth_provider = krb5 | |||
chpass_provider = krb5 | |||
access_provider = simple | |||
sudo_provider = none | |||
ldap_uri = ldap://ns.example.com | |||
ldap_search_base = dc=example,dc=com | |||
ldap_id_use_start_tls = true | |||
ldap_tls_cacert = /etc/ssl/cert.pem | |||
krb5_realm = EXAMPLE.COM | |||
krb5_server = ns.example.com | |||
krb5_kpasswd = ns.example.com | |||
}} | |||
Skydda filen: | |||
{{RootCmd|chmod 600 /usr/local/etc/sssd/sssd.conf}} | |||
Editera /etc/rc.conf: | Editera /etc/rc.conf: | ||
{{bc|1= | {{bc|1= | ||
sssd_enable="YES" | |||
}} | }} | ||
Starta | Starta sssd: | ||
{{RootCmd|service | {{RootCmd|service sssd start | ||
}} | }} | ||
Verifiera med kommandona: | Verifiera med kommandona: | ||
{{RootCmd|getent passwd | {{RootCmd|getent passwd <username> | ||
|getent group | |getent group <groupname> | ||
}} | }} | ||
== SSH == | == SSH == | ||
För att kunna logga in med Kerberos ticket, editera filen /etc/ssh/sshd_config och ändra följande rad till: | |||
{{bc| | {{bc|GSSAPIAuthentication yes}} | ||
Starta om sshd med kommandot: | Starta om sshd med kommandot: | ||
{{RootCmd|service sshd restart}} | {{RootCmd|service sshd restart}} | ||
[[Category: | [[Category:GammalGuide]] | ||
Latest revision as of 19:46, 12 August 2023
Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i FreeBSD 10. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.
Installera SSSD
Installera följande:
Välj Heimdal från systemetet, dvs BASE.
Välj GSSAPI. Slutligen installera SSSD:
Kerberos
Editera /etc/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = ns.example.com
admin_server = ns.example.com
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:
Kör kadmin kommandot:
kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM
Spara sen nycklarna i filen /etc/krb5.keytab:
kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM
Logga ut från kadmin.
PAM
Editera /etc/pam.d/system:
# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_sss.so forward_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok # account account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so want_agent session required pam_lastlog.so no_fail # password password sufficient /usr/local/lib/pam_sss.so use_authtok #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
Editera /etc/pam.d/sshd:
# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_sss.so forward_pass #auth sufficient pam_krb5.so no_warn try_first_pass auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass # account account required pam_nologin.so account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail #account required pam_krb5.so account required pam_login_access.so account required pam_unix.so # session #session optional pam_ssh.so want_agent session required pam_permit.so # password password sufficient /usr/local/lib/pam_sss.so use_authtok #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass
NSS
Editera /etc/nsswitch.conf:
group: files sss passwd: files sss
Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat.
SSSD
Editera /usr/local/etc/sssd/sssd.conf:
[sssd] config_file_version = 2 services = nss, pam domains = LOCAL, EXAMPLE.COM [nss] filter_groups = root filter_users = root reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 #override_shell = /usr/local/bin/bash #override_homedir = /usr/home/%u [pam] reconnection_retries = 3 [domain/LOCAL] id_provider = local auth_provider = local access_provider = permit [domain/EXAMPLE.COM] debug_level = 0 min_id = 5000 cache_credentials = true id_provider = ldap auth_provider = krb5 chpass_provider = krb5 access_provider = simple sudo_provider = none ldap_uri = ldap://ns.example.com ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = true ldap_tls_cacert = /etc/ssl/cert.pem krb5_realm = EXAMPLE.COM krb5_server = ns.example.com krb5_kpasswd = ns.example.com
Skydda filen:
Editera /etc/rc.conf:
sssd_enable="YES"
Starta sssd:
Verifiera med kommandona:
SSH
För att kunna logga in med Kerberos ticket, editera filen /etc/ssh/sshd_config och ändra följande rad till:
GSSAPIAuthentication yes
Starta om sshd med kommandot: