KubilayKocak/SystemSecurityServicesDaemon

System Security Services Daemon (SSSD)

How to setup sssd authentication on FreeBSD guide.

The System Security Services Daemon (SSSD) is that provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA.

Contents

System Security Services Daemon (SSSD)
Install sssd
Configure sssd and enable at startup
Enable sssd with LDAP / other backend support
Integrate sssd authentication into PAM, sshd and sudo
Testing sssd integration
Enabling SSH keys via SSSD
Using default shell from SSSD LDAP backend
Creating LDAP users' home directories by default
Credits

Install sssd

Install sssd using Packages

```
  # pkg install sssd
```

or Ports

  # cd /usr/ports/security/sssd
  # make install clean

Configure sssd and enable at startup

Copy the default sssd sample configuration and secure it

  # cp /usr/local/etc/sssd/sssd.conf.sample /usr/local/etc/sssd/sssd.conf
  # chown root:wheel
  # chmod 600 /usr/local/etc/sssd/sssd.conf

Enable sssd at startup, using sysrc

```
  # sysrc sssd_enable=yes
```

or manually:

  # echo sssd_enable="YES" >> /etc/rc.conf

If you'd like to start the sssd service without rebooting

```
  # service sssd start
```

Enable sssd with LDAP / other backend support

The sudo port doesn't enable SSSD support by default (SSSD=off: Enable SSSD backend support), so building sudo via the port is necessary, either manually:

  # cd /usr/ports/security/sudo
  # make config

Ensure the SSSD option is enabled [x] SSSD - Enable SSSD backend support, press OK, then
```
  # make install clean
```

or using portmaster

  # portmaster --force-config security/portmaster

Ensure the SSSD option is enabled [x] SSSD - Enable SSSD backend support, and press OK

Integrate sssd authentication into PAM, sshd and sudo

Update /etc/pam.d/system to allow users to auth using sssd:

  ...
  # auth
  auth    sufficient      /usr/local/lib/pam_sss.so
  ...

Update /etc/pam.d/sshd to include the same addition to enable sssd authentication for sshd

# PAM configuration for the "sshd" service
#

# auth
auth    sufficient      /usr/local/lib/pam_sss.so
...

Add PAM sudo rules for sssd

Create /etc/pam.d/sudo if it doesn't already exist, then add the following entry:

   "auth sufficient /usr/local/lib/pam_sss.so"

Enable sssd UID and GID mapping, adding sudoers: files sss to /etc/nsswitch.conf

# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files sss
group_compat: nis
...
rpc: files
sudoers: files sss

Testing sssd integration

After completing all of these steps, assuming sssd has started correctly (run service sssd status), it should be possible to check if an LDAP user exists, for example:

  # getent passwd jonathan
  jonathan:*:1000:1000:Jonathan:/home/jonathan:/bin/bash

Enabling SSH keys via SSSD

If you store SSH public keys in your LDAP server, there is a utility included with SSSD to grab them: sss_ssh_authorizedkeys.

Note: For the next step, if you're using sshd from ports or packages (instead of sshd from FreeBSD base), the default file path location is /usr/local/etc/ssh/sshd_config

Add the following lines to /etc/ssh/sshd_config

AuthorizedKeysCommand /usr/local/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

Using default shell from SSSD LDAP backend

If you store a user's shell in your LDAP schema, which most do, then bash being installed at /usr/local/bin/bash can be slightly problematic. One way of dealing with this, albeit a bit hacky ¹, is to create a symlink for bash at /bin/bash and additionally add a line to /etc/shells.

Note: If you do this, be sure not to ever use this "modified" shell for the root user.

# pkg install bash # in case you haven't already installed it
# ln -s /usr/local/bin/bash /bin/bash
# echo "/bin/bash" >> /etc/shells

Another option for handling this is to override the shell and force a known good shell for all users. Modify your sssd.conf to contain the following:

[domain/yourdomain]
...
override_shell = /usr/local/bin/bash

Creating LDAP users' home directories by default

Non-default LDAP user home directories

The default location for home directories in FreeBSD is /usr/home. In existing LDAP setups, its possible user home directories are /home/<user>. To fix this, you can set the following directive in your sssd.conf to override the default:

[domain/yourdomain]
...
override_homedir = /usr/home/%u

Automatic home directory creation.

LDAP users also likely won't have a home directory. To setup automatic home directory creation, install pam_mkhomedir using packages

```
  # pkg install pam_mkhomedir
```

Or Ports

  # cd /usr/ports/security/pam_mkhomedir
  # make install clean

Then modify /etc/pam.d/system, adding

# session
#session    optional  pam_ssh.so                      want_agent
session     required  /usr/local/lib/pam_mkhomedir.so

And modify in /etc/pam.d/ssh

# session
#session    optional  pam_ssh.so                      want_agent
session     required  /usr/local/lib/pam_mkhomedir.so

Credits

Article originally written by jrdemasi² ³

CategoryHowTo CategorySecurity

It would be nice to make this not shell specific and how to make it work with default shell installation locations (1)
https://twitter.com/jrdemasi/status/1581485632878440448 (2)
https://wiki.jthan.io/en/systems_administration/freebsd (3)

KubilayKocak/SystemSecurityServicesDaemon (last edited 2022-11-03T23:55:01+0000 by KubilayKocak)