Authentication via LDAP and Kerberos in FreeBSD 10
Revision as of 08:49, 20 October 2015
This guide is a work in progress.
This guide shows how to set up a FreeBSD 10 machine so that users are authenticated via Kerberos while the user information (UID, GID, home directory, shell) is fetched from LDAP. The two parts are deliberately separated: LDAP is only a directory here, passwords never go to it.
Kerberos
Install the following:
When asked, choose to link against Heimdal Kerberos (the Kerberos shipped in the FreeBSD base system). Then edit /etc/krb5.conf:
 [libdefaults]
     default_realm = EXAMPLE.COM
 [realms]
     EXAMPLE.COM = {
         kdc = kdc.example.com
         admin_server = kdc.example.com
         default_domain = example.com
     }
 [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM
Create a Kerberos principal for host/<host>.example.com and copy its key into /etc/krb5.keytab. The keytab holds the host's long-term key, so keep it readable by root only.
Edit /etc/pam.d/sshd and add the three lines that load /usr/local/lib/security/pam_krb5.so, one in each of the auth, account and password stacks. try_first_pass lets the module reuse the password the user already typed for the modules before it, and minimum_uid=5000 makes it ignore any account with a lower UID, so root and the system accounts are never authenticated against the KDC and are still handled by pam_unix alone:
 # auth
 auth       sufficient  pam_opie.so                          no_warn no_fake_prompts
 auth       requisite   pam_opieaccess.so                    no_warn allow_local
 auth       sufficient  /usr/local/lib/security/pam_krb5.so  try_first_pass minimum_uid=5000
 ...
 # account
 account    required    pam_nologin.so
 account    required    /usr/local/lib/security/pam_krb5.so  minimum_uid=5000
 account    required    pam_login_access.so
 account    required    pam_unix.so
 ...
 # password
 password   sufficient  /usr/local/lib/security/pam_krb5.so  try_first_pass minimum_uid=5000
 password   required    pam_unix.so                          no_warn try_first_pass
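The order of the lines and the minimum_uid option are easy to get wrong when the file is edited by hand, and nothing complains until a login fails or, worse, succeeds for the wrong account. The script below is an added example for this page, not part of the guide: a POSIX sh function that checks a pam.d file for exactly those two properties, run here against two constructed sample files (the FreeBSD 10 default sshd stack with the guide's three lines inserted, and a deliberately broken variant with pam_krb5 after pam_unix and no minimum_uid). The threshold 5000 is the guide's value; the sample files and the temporary paths are this example's own.

```shell
#!/bin/sh
# Added example (not part of the guide): sanity-check a /etc/pam.d/sshd that
# stacks pam_krb5 in front of pam_unix, as the guide's file does.
#
# check_pam_krb5 FILE MIN_UID
#   Exits 0 when
#     1. every pam_krb5.so line carries minimum_uid=N with N >= MIN_UID, so
#        root and other low-UID local accounts are never handed to the KDC;
#     2. in the auth stack the "sufficient" pam_krb5 line comes before the
#        "required" pam_unix line; the other way round pam_unix rejects a
#        Kerberos-only user before pam_krb5 is ever consulted.
#   Each finding is printed with its line number; exit status 1 on any finding.
check_pam_krb5() {
    awk -v min="$2" '
        # strip comments, skip lines with nothing left
        { sub(/[#].*$/, ""); if (NF == 0) next }

        # check 1: minimum_uid present and high enough on every pam_krb5 line
        $3 ~ /pam_krb5\.so$/ {
            found = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^minimum_uid=/) {
                    found = 1
                    split($i, kv, "=")
                    if (kv[2] + 0 < min) { print FNR ": minimum_uid below " min ": " $0; bad++ }
                }
            }
            if (!found) { print FNR ": pam_krb5 without minimum_uid: " $0; bad++ }
        }

        # check 2: remember where pam_krb5 and pam_unix sit in the auth stack
        $1 == "auth" && $3 ~ /pam_krb5\.so$/ { krb_at = FNR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ { unix_at = FNR }

        END {
            if (!krb_at) { print "no pam_krb5 line in the auth stack"; bad++ }
            else if (unix_at && unix_at < krb_at) {
                print "auth: pam_unix (line " unix_at ") runs before pam_krb5 (line " krb_at ")"; bad++
            }
            exit (bad > 0)
        }' "$1"
}

# write_sample FILE good|bad : constructed sample files for this example.
# "good" is the FreeBSD 10 default sshd stack with the guide's three pam_krb5
# lines; "bad" has pam_krb5 after pam_unix and no minimum_uid on the auth line.
write_sample() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
# auth
auth      sufficient  pam_opie.so                          no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so                    no_warn allow_local
auth      sufficient  /usr/local/lib/security/pam_krb5.so  try_first_pass minimum_uid=5000
auth      required    pam_unix.so                          no_warn try_first_pass
# account
account   required    pam_nologin.so
account   required    /usr/local/lib/security/pam_krb5.so  minimum_uid=5000
account   required    pam_login_access.so
account   required    pam_unix.so
# session
session   required    pam_permit.so
# password
password  sufficient  /usr/local/lib/security/pam_krb5.so  try_first_pass minimum_uid=5000
password  required    pam_unix.so                          no_warn try_first_pass
EOF
    else
        cat > "$1" <<'EOF'
# auth
auth      sufficient  pam_opie.so                          no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so                    no_warn allow_local
auth      required    pam_unix.so                          no_warn try_first_pass
auth      sufficient  /usr/local/lib/security/pam_krb5.so  try_first_pass
# account
account   required    pam_nologin.so
account   required    /usr/local/lib/security/pam_krb5.so  minimum_uid=5000
account   required    pam_unix.so
EOF
    fi
}

tmp=$(mktemp -d)
write_sample "$tmp/sshd.good" good
write_sample "$tmp/sshd.bad" bad
check_pam_krb5 "$tmp/sshd.good" 5000 && echo "sshd.good: OK"
check_pam_krb5 "$tmp/sshd.bad" 5000 || echo "sshd.bad: rejected"
rm -rf "$tmp"
```

To run it against the real file, call check_pam_krb5 /etc/pam.d/sshd 5000 after the edit; the threshold should be the lowest UID your directory hands out, and must stay above every UID in /etc/master.passwd.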
LDAP
Install net/nss-pam-ldapd without pam_ldap support; authentication is not going to be done against LDAP, so the PAM module has no job here:
Edit /usr/local/etc/nslcd.conf:
 uid nslcd
 gid nslcd
 uri ldap://ldap.example.com/
 base dc=example,dc=com
 ssl start_tls
 tls_cacertfile /etc/ssl/cert.pem
Edit /etc/nsswitch.conf so that local files are consulted before the directory:
 group: files ldap
 passwd: files ldap
Delete the symlink /etc/ssl/cert.pem and replace it with your own CA certificate. nslcd then accepts only a directory server certificate issued by that CA, not one from any CA in the public bundle the link pointed to.
Edit /etc/rc.conf:
 nscd_enable="YES"
 nslcd_enable="YES"
Start nscd and nslcd:
Verify with the commands:
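As an added check for the LDAP half (example code for this page, not from the guide or from nss-pam-ldapd): two POSIX sh functions that verify an nslcd.conf forces TLS to a readable CA file and does not switch certificate verification off, and that nsswitch.conf consults files before ldap. The sample configs are constructed from the guide's values; the tls_reqcert line, the empty placeholder CA file and the temporary paths are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): check that the account data nslcd
# feeds into NSS (uid, gid, home, shell) cannot be read or rewritten on the
# wire, and that local accounts are resolved before the directory is asked.

# check_nslcd_tls FILE
#   Exit 0 when FILE (an nslcd.conf) uses TLS for every uri (ldaps:// or
#   "ssl start_tls"), names a tls_cacertfile that is readable, and does not set
#   tls_reqcert to never/allow, which would accept any server certificate.
check_nslcd_tls() {
    cafile=$(awk '
        { sub(/[#].*$/, ""); if (NF == 0) next }
        $1 == "uri" { for (i = 2; i <= NF; i++) { if ($i ~ /^ldaps:/) { ldaps = 1 } else { plain = 1 } } }
        $1 == "ssl"            { ssl = $2 }
        $1 == "tls_cacertfile" { cafile = $2 }
        $1 == "tls_reqcert"    { reqcert = $2 }
        END {
            if (!ldaps && !plain) { print "no uri line" > "/dev/stderr"; bad++ }
            if (plain && ssl != "start_tls") { print "ldap:// uri without \"ssl start_tls\": directory traffic is cleartext" > "/dev/stderr"; bad++ }
            if (cafile == "") { print "tls_cacertfile not set" > "/dev/stderr"; bad++ }
            if (reqcert == "never" || reqcert == "allow") { print "tls_reqcert " reqcert " accepts any server certificate" > "/dev/stderr"; bad++ }
            if (bad) exit 1
            print cafile
        }' "$1") || return 1
    [ -r "$cafile" ] || { echo "tls_cacertfile $cafile is not readable" >&2; return 1; }
}

# check_nsswitch_order FILE
#   Exit 0 when the passwd and group lines of FILE (an nsswitch.conf) list
#   "files" first and "ldap" somewhere after it, so /etc/master.passwd answers
#   for root and the system accounts and an LDAP entry cannot shadow a local name.
check_nsswitch_order() {
    awk '
        { sub(/[#].*$/, ""); if (NF == 0) next }
        $1 == "passwd:" || $1 == "group:" {
            seen[$1] = 1
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
            if ($2 != "files") { print $1 " must list files first: " $0 > "/dev/stderr"; bad++ }
            if (!has) { print $1 " does not consult ldap: " $0 > "/dev/stderr"; bad++ }
        }
        END {
            if (!seen["passwd:"] || !seen["group:"]) { print "passwd: or group: line missing" > "/dev/stderr"; bad++ }
            exit (bad > 0)
        }' "$1"
}

# write_samples DIR : constructed sample files for this example. The CA file is
# an empty placeholder so the readability check has something to find.
write_samples() {
    dir=$1
    : > "$dir/ca.pem"
    cat > "$dir/nslcd.good" <<EOF
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_reqcert demand
tls_cacertfile $dir/ca.pem
EOF
    cat > "$dir/nslcd.bad" <<EOF
uid nslcd
gid nslcd
uri ldap://ldap.example.com/
base dc=example,dc=com
tls_reqcert never
tls_cacertfile $dir/ca.pem
EOF
    printf 'group: files ldap\npasswd: files ldap\n' > "$dir/nss.good"
    printf 'group: ldap files\npasswd: ldap files\n' > "$dir/nss.bad"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_nslcd_tls "$tmp/nslcd.good" && echo "nslcd.good: OK"
check_nslcd_tls "$tmp/nslcd.bad" || echo "nslcd.bad: rejected"
check_nsswitch_order "$tmp/nss.good" && echo "nss.good: OK"
check_nsswitch_order "$tmp/nss.bad" || echo "nss.bad: rejected"
rm -rf "$tmp"
```

tls_reqcert (never, allow, try, demand or hard) is an nslcd.conf option the guide does not set, so the behaviour is inherited from the LDAP client library; setting demand explicitly removes the doubt. The files-before-ldap order matters because with "files ldap" a lookup for root or any other local name is answered from /etc/master.passwd and the directory is never consulted for it. nslcd additionally has an nss_min_uid option that drops directory entries with a UID below a threshold, which pairs naturally with the minimum_uid=5000 used on the Kerberos side.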
SSH
Edit /etc/ssh/sshd_config and add the following:
 KerberosAuthentication yes
With this on, sshd validates the password given for PasswordAuthentication directly against the KDC and checks the ticket it obtains against the host key in /etc/krb5.keytab, which is why the host principal above is needed; it is separate from GSSAPIAuthentication, which is what ticket-based (single sign-on) logins require.
Restart sshd with the command: