Authentication via LDAP and Kerberos in FreeBSD 10: Difference between revisions
m →LDAP
m →PAM
Line 43: | Line 43: | ||
=== PAM === | === PAM === | ||
Editera /etc/pam.d/system | Editera /etc/pam.d/system: | ||
{{bc|1= | {{bc|1= | ||
auth | # auth | ||
account required pam_krb5.so | auth sufficient pam_opie.so no_warn no_fake_prompts | ||
password sufficient | auth requisite pam_opieaccess.so no_warn allow_local | ||
#auth sufficient pam_krb5.so no_warn try_first_pass | |||
auth sufficient /usr/local/lib/pam_sss.so forward_pass | |||
#auth sufficient pam_ssh.so no_warn try_first_pass | |||
auth required pam_unix.so no_warn try_first_pass nullok | |||
# account | |||
#account required pam_krb5.so | |||
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail | |||
account required pam_login_access.so | |||
account required pam_unix.so | |||
# session | |||
#session optional pam_ssh.so want_agent | |||
session required pam_lastlog.so no_fail | |||
# password | |||
#password sufficient pam_krb5.so no_warn try_first_pass | |||
password sufficient /usr/local/lib/pam_sss.so use_authtok | |||
password required pam_unix.so no_warn try_first_pass | |||
}} | }} | ||
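Review bot: the new line `auth required pam_unix.so no_warn try_first_pass nullok` in /etc/pam.d/system accepts local accounts that have an empty password, while the sshd stack added in the same edit omits `nullok`; drop `nullok` here unless empty-password local accounts are intended, and say in the text why the two stacks differ. The `account` line for pam_sss also carries `ignore_authinfo_unavail`, so local console logins keep working when sssd is unreachable; that is a reasonable availability choice but worth a sentence in the guide.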
Editera /etc/pam.d/sshd | Editera /etc/pam.d/sshd: | ||
{{bc|1= | {{bc|1= | ||
auth | # auth | ||
account required pam_krb5.so | auth sufficient pam_opie.so no_warn no_fake_prompts | ||
password | auth requisite pam_opieaccess.so no_warn allow_local | ||
#auth sufficient pam_krb5.so no_warn try_first_pass | |||
auth sufficient /usr/local/lib/pam_sss.so forward_pass | |||
auth sufficient pam_ssh.so no_warn try_first_pass | |||
auth required pam_unix.so no_warn try_first_pass | |||
# account | |||
account required pam_nologin.so | |||
#account required pam_krb5.so | |||
account required /usr/local/lib/pam_sss.so ignore_unknown_user | |||
account required pam_login_access.so | |||
account required pam_unix.so | |||
# session | |||
#session optional pam_ssh.so want_agent | |||
session required pam_permit.so | |||
# password | |||
#password sufficient pam_krb5.so no_warn try_first_pass | |||
password sufficient /usr/local/lib/pam_sss.so use_authtok | |||
password required pam_unix.so no_warn try_first_pass | |||
}} | }} | ||
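Review bot: the sshd line `account required /usr/local/lib/pam_sss.so ignore_unknown_user` lacks the `ignore_authinfo_unavail` option used in the system stack, so with sssd down the account phase returns a failure for every SSH login, local users included; state whether this fail-closed behaviour is intended or make the two stacks consistent. Also, `auth sufficient pam_ssh.so no_warn try_first_pass` is enabled (not commented out as in the system stack), which lets the passphrase of a key in the user's ~/.ssh satisfy password authentication; the guide should mention that this is deliberate.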
Revision as of 21:00, 19 December 2015
This guide shows how to set up authentication via LDAP/Kerberos in FreeBSD 10. We will use SSSD; in the guide the Kerberos realm is called EXAMPLE.COM and the server hosting Kerberos and LDAP is called ns.example.com. The client we set up is called client.example.com.
Install SSSD
Install the following:
Choose Heimdal from the system, i.e. BASE.
Choose GSSAPI.
Finally, install SSSD:
Kerberos
Edit /etc/krb5.conf:
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = ns.example.com
                admin_server = ns.example.com
                default_domain = example.com
        }
[domain_realm]
        .example.com = EXAMPLE.COM
        example.com = EXAMPLE.COM
Create a keytab file for the client. Log in to your KDC with an admin account that has the right to create Kerberos principals:
Run the kadmin command:
kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM
Then save the keys in the file /etc/krb5.keytab:
kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM
Log out of kadmin.
PAM
Edit /etc/pam.d/system:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so forward_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
Edit /etc/pam.d/sshd:
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so forward_pass
auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
# account
account required pam_nologin.so
#account required pam_krb5.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_permit.so
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass
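To see how the two account stacks above behave when sssd cannot be reached, here is an added example (not part of the original guide) that walks a stack with a simplified model of the PAM control flags required/requisite/sufficient; it assumes, as the pam_sss documentation states, that `ignore_unknown_user` and `ignore_authinfo_unavail` turn the corresponding errors into PAM_IGNORE.

```python
SYSTEM_ACCOUNT = """
account required /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account required pam_login_access.so
account required pam_unix.so
"""
SSHD_ACCOUNT = """
account required pam_nologin.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user
account required pam_login_access.so
account required pam_unix.so
"""

def parse_stack(text, facility):
    """Return (flag, module, options) for each line of one facility."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == facility:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries

def evaluate(entries, results):
    """Simplified control-flag walk. results maps module -> 'success', 'fail',
    'unknown_user' or 'authinfo_unavail' (unlisted modules succeed)."""
    err = None
    for flag, module, opts in entries:
        r = results.get(module, "success")
        if (r == "unknown_user" and "ignore_unknown_user" in opts) or \
           (r == "authinfo_unavail" and "ignore_authinfo_unavail" in opts):
            continue                 # pam_sss returns PAM_IGNORE: not counted
        if r == "success":
            if flag == "sufficient" and err is None:
                return "success"     # short-circuit; later modules are skipped
            continue
        if flag == "requisite":
            return r                 # fail at once
        if flag == "required" and err is None:
            err = r                  # remember first failure, keep walking
    return err or "success"

def sssd_down(stack):
    """Account phase for a local user while sssd is unreachable (constructed case)."""
    return evaluate(parse_stack(stack, "account"), {"pam_sss.so": "authinfo_unavail"})

if __name__ == "__main__":
    print("system:", sssd_down(SYSTEM_ACCOUNT))  # success
    print("sshd:  ", sssd_down(SSHD_ACCOUNT))    # authinfo_unavail
```

Console logins through /etc/pam.d/system keep working for local users, while SSH logins fail closed because the sshd stack lacks `ignore_authinfo_unavail`.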
NSS
Install net/nss-pam-ldapd without pam_ldap support; we are not going to authenticate against LDAP:
Edit /usr/local/etc/nslcd.conf:
uid nslcd
gid nslcd
uri ldap://ns.example.com/
base dc=example,dc=com
ssl start_tls
tls_cacertfile /etc/ssl/cert.pem
Edit /etc/nsswitch.conf:
group: files sss
passwd: files sss
Delete the link /etc/ssl/cert.pem and replace it with your own CA certificate.
Edit /etc/rc.conf:
nscd_enable="YES"
nslcd_enable="YES"
Start nscd and nslcd:
Verify with the commands:
SSH
To be able to log in with a Kerberos ticket, edit the file /etc/ssh/sshd_config and change the following line to:
GSSAPIAuthentication yes
Restart sshd with the command: