System Security Services Daemon (SSSD)

How to setup sssd authentication on FreeBSD guide.

The System Security Services Daemon (SSSD) is that provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA.

Install sssd

Install sssd using Packages

or Ports

Configure sssd and enable at startup

Copy the default sssd sample configuration and secure it

Enable sssd at startup, using sysrc

or manually:

If you'd like to start the sssd service without rebooting

Enable sssd with LDAP / other backend support

The sudo port doesn't enable SSSD support by default (SSSD=off: Enable SSSD backend support), so building sudo via the port is necessary, either manually:

or using portmaster

Integrate sssd authentication into PAM, sshd and sudo

Update /etc/pam.d/system to allow users to auth using sssd:

Update /etc/pam.d/sshd to include the same addition to enable sssd authentication for sshd

Add PAM sudo rules for sssd

Create /etc/pam.d/sudo if it doesn't already exist, then add the following entry:

Enable sssd UID and GID mapping, adding sudoers: files sss to /etc/nsswitch.conf

Testing sssd integration

After completing all of these steps, assuming sssd has started correctly (run service sssd status), it should be possible to check if an LDAP user exists, for example:

Enabling SSH keys via SSSD

If you store SSH public keys in your LDAP server, there is a utility included with SSSD to grab them: sss_ssh_authorizedkeys.

Note: For the next step, if you're using sshd from ports or packages (instead of sshd from FreeBSD base), the default file path location is /usr/local/etc/ssh/sshd_config

Add the following lines to /etc/ssh/sshd_config

Using default shell from SSSD LDAP backend

If you store a user's shell in your LDAP schema, which most do, then bash being installed at /usr/local/bin/bash can be slightly problematic. One way of dealing with this, albeit a bit hacky 1, is to create a symlink for bash at /bin/bash and additionally add a line to /etc/shells.

Note: If you do this, be sure not to ever use this "modified" shell for the root user.

Another option for handling this is to override the shell and force a known good shell for all users. Modify your sssd.conf to contain the following:

Creating LDAP users' home directories by default

Non-default LDAP user home directories

The default location for home directories in FreeBSD is /usr/home. In existing LDAP setups, its possible user home directories are /home/<user>. To fix this, you can set the following directive in your sssd.conf to override the default:

Automatic home directory creation.

LDAP users also likely won't have a home directory. To setup automatic home directory creation, install pam_mkhomedir using packages

Or Ports

Then modify /etc/pam.d/system, adding

And modify in /etc/pam.d/ssh


CategoryHowTo CategorySecurity

  1. It would be nice to make this not shell specific and how to make it work with default shell installation locations (1)

  2. (2)

  3. (3)

KubilayKocak/SystemSecurityServicesDaemon (last edited 2022-11-03T23:55:01+0000 by KubilayKocak)