Autentisering via LDAP och Kerberos i FreeBSD 10

Denna guide visar hur man sätter upp autentisering via LDAP/Kerberos i FreeBSD 10. Vi kommer använda SSSD och i guiden heter Kerberos realm EXAMPLE.COM och servern med Kerberos och LDAP heter ns.example.com. Klienten vi sätter upp heter client.example.com.

Installera SSSD

Installera följande:

Välj Heimdal från systemetet, dvs BASE.

Välj GSSAPI. Slutligen installera SSSD:

Kerberos

Editera /etc/krb5.conf:

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = ns.example.com
        admin_server = ns.example.com
        default_domain = example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

Skapa en keytab fil för klienten. Logga in mot din KDC med admin-konto som har rättighet att skapa Kerberos principals:

Kör kadmin kommandot:

kadmin: addprinc -randkey host/client.example.com@EXAMPLE.COM

Spara sen nycklarna i filen /etc/krb5.keytab:

kadmin: ktadd -k /etc/krb5.keytab host/client.example.com@EXAMPLE.COM

Logga ut från kadmin.

PAM

Editera /etc/pam.d/system:

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
auth    	sufficient      /usr/local/lib/pam_sss.so forward_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account         required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_lastlog.so		no_fail

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_sss.so use_authtok
password	required	pam_unix.so		no_warn try_first_pass

Editera /etc/pam.d/sshd:

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
auth           	sufficient      /usr/local/lib/pam_sss.so forward_pass
auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account         required        /usr/local/lib/pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password       	sufficient      /usr/local/lib/pam_sss.so use_authtok
password	required	pam_unix.so		no_warn try_first_pass

NSS

Editera /etc/nsswitch.conf:

group: files sss
passwd: files sss

Radera länken /etc/ssl/cert.pem och ersätt med ditt egna CA certifikat.

SSSD

Editera /usr/local/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = LOCAL, EXAMPLE.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3

[domain/LOCAL]
id_provider = local
auth_provider = local
access_provider = permit

[domain/EXAMPLE.COM]
debug_level = 0
enumerate = true
min_id = 5000
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = simple
sudo_provider = none

ldap_uri = ldap://ns.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/ssl/cert.pem

krb5_realm = EXAMPLE.COM
krb5_server = ns.example.com
krb5_kpasswd = ns.example.com

Skydda filen:

Editera /etc/rc.conf:

sssd_enable="YES"

Starta sssd:

Verifiera med kommandona:

SSH

För att kunna logga in med Kerberos ticket, editera filen /etc/ssh/sshd_config och ändra följande rad till:

GSSAPIAuthentication yes

Starta om sshd med kommandot: