System Security Services Daemon (SSSD)
A guide to setting up sssd authentication on FreeBSD.
The System Security Services Daemon (SSSD) is a service that provides a set of daemons to manage access to remote directories and authentication mechanisms such as LDAP, Kerberos or FreeIPA.
Contents
- System Security Services Daemon (SSSD)
- Install sssd
- Configure sssd and enable at startup
- Enable sssd with LDAP / other backend support
- Integrate sssd authentication into PAM, sshd and sudo
- Testing sssd integration
- Enabling SSH keys via SSSD
- Using default shell from SSSD LDAP backend
- Creating LDAP users' home directories by default
- Credits
Install sssd
Install sssd using Packages
# pkg install sssd
or Ports
# cd /usr/ports/security/sssd
# make install clean
Configure sssd and enable at startup
Copy the default sssd sample configuration and secure it (it may later hold LDAP bind credentials, so it must be readable by root only):
# cp /usr/local/etc/sssd/sssd.conf.sample /usr/local/etc/sssd/sssd.conf
# chown root:wheel /usr/local/etc/sssd/sssd.conf
# chmod 600 /usr/local/etc/sssd/sssd.conf
Enable sssd at startup, using sysrc
# sysrc sssd_enable=yes
or manually:
# echo sssd_enable="YES" >> /etc/rc.conf
If you'd like to start the sssd service without rebooting:
# service sssd start
Enable sssd with LDAP / other backend support
The sudo package is built without SSSD support (the port option SSSD=off: Enable SSSD backend support), so sudo must be built from the port with that option enabled, either manually:
# cd /usr/ports/security/sudo
# make config
Ensure the SSSD option is enabled ([x] SSSD - Enable SSSD backend support), press OK, then
# make install clean
or using portmaster:
# portmaster --force-config security/sudo
Ensure the SSSD option is enabled ([x] SSSD - Enable SSSD backend support), and press OK.
Integrate sssd authentication into PAM, sshd and sudo
Update /etc/pam.d/system to allow users to authenticate using sssd:
...
# auth
auth		sufficient	/usr/local/lib/pam_sss.so
...
Update /etc/pam.d/sshd to include the same addition, to enable sssd authentication for sshd:
# PAM configuration for the "sshd" service
#
# auth
auth		sufficient	/usr/local/lib/pam_sss.so
...
Add PAM sudo rules for sssd
Create /etc/pam.d/sudo if it doesn't already exist, then add the following entry:
auth		sufficient	/usr/local/lib/pam_sss.so
Enable SSSD for user and group (UID/GID) lookups and for sudoers lookups by adding the sss source to the relevant lines of /etc/nsswitch.conf, e.g. sudoers: files sss:
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD$
#
group: files sss
group_compat: nis
...
rpc: files
sudoers: files sss
Testing sssd integration
After completing all of these steps, assuming sssd has started correctly (run service sssd status), it should be possible to check whether an LDAP user exists, for example:
# getent passwd jonathan
jonathan:*:1000:1000:Jonathan:/home/jonathan:/bin/bash
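The getent check above only proves the nss path works. The following script, added here as an example and not a tool shipped by FreeBSD or the sssd port, checks the other steps of the previous sections on their files: that sssd.conf is mode 0600, that the passwd, group and sudoers lines of nsswitch.conf list the sss source, and that each pam.d file carries a sufficient pam_sss.so auth entry placed before the required pam_unix.so line. The file paths are arguments, so it can be run against copies; the sample files it creates in its demo section are constructed, not taken from a real system.

```sh
#!/bin/sh
# sssd_check.sh: post-install sanity checks for the PAM, nsswitch and sssd.conf
# steps above. Added example, not a script shipped by FreeBSD or the sssd port.
# File paths are arguments so the checks can be run against copies; the
# FreeBSD locations are /usr/local/etc/sssd/sssd.conf, /etc/nsswitch.conf and
# /etc/pam.d/system, /etc/pam.d/sshd, /etc/pam.d/sudo.

# sssd_conf_is_private FILE: sssd.conf can hold an LDAP bind password, so it
# must be mode 0600 exactly (the chmod step above). Exit status only.
sssd_conf_is_private() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 0600 -print)" ]
}

# nsswitch_uses_sss FILE DB: true if the DB line (passwd, group or sudoers)
# of nsswitch.conf lists the sss source, e.g. "sudoers: files sss".
nsswitch_uses_sss() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | grep -qw sss
}

# pam_auth_uses_sss FILE: true if the auth stack of a pam.d file has a
# "sufficient" pam_sss.so entry placed before the required pam_unix.so line.
# Order matters: once a required module has failed, a later sufficient
# module cannot rescue the stack, so LDAP-only users would still be refused.
pam_auth_uses_sss() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }                      # comments, blanks
        $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_sss\.so$/ && !sssline { sssline = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/ && !unixline { unixline = NR }
        END { exit !(sssline && (!unixline || sssline < unixline)) }
    ' "$1"
}

# Demo on constructed files (not a real system); the temp dir is removed after.
demo_dir=$(mktemp -d) || exit 1
printf 'auth\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$demo_dir/system.before"
printf '# auth\nauth\tsufficient\t/usr/local/lib/pam_sss.so\nauth\trequired\tpam_unix.so\tno_warn try_first_pass\n' > "$demo_dir/system.after"
printf 'passwd: files sss\ngroup: files sss\nsudoers: files\n' > "$demo_dir/nsswitch.conf"
for f in system.before system.after; do
    if pam_auth_uses_sss "$demo_dir/$f"; then
        echo "$f: pam_sss.so present and ordered before pam_unix.so"
    else
        echo "$f: pam_sss.so missing, not sufficient, or after pam_unix.so"
    fi
done
for db in passwd group sudoers; do
    nsswitch_uses_sss "$demo_dir/nsswitch.conf" "$db" && echo "nsswitch $db: sss" || echo "nsswitch $db: NO sss"
done
rm -rf "$demo_dir"
```

On a real host, call the functions with the actual paths (for example pam_auth_uses_sss /etc/pam.d/sshd) after sourcing the script; each returns a zero exit status on success, so the calls chain cleanly into a larger post-install check.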
Enabling SSH keys via SSSD
If you store SSH public keys in your LDAP server, there is a utility included with SSSD to grab them: sss_ssh_authorizedkeys.
Note: For the next step, if you're using sshd from ports or packages (instead of sshd from FreeBSD base), the default file path location is /usr/local/etc/ssh/sshd_config
Add the following lines to /etc/ssh/sshd_config:
AuthorizedKeysCommand /usr/local/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
Using default shell from SSSD LDAP backend
If you store a user's shell in your LDAP schema, which most do, then the fact that FreeBSD installs bash at /usr/local/bin/bash (rather than the /bin/bash path LDAP entries commonly carry) can be slightly problematic. One way of dealing with this, albeit a bit hacky [1], is to create a symlink for bash at /bin/bash and additionally add that path to /etc/shells.
Note: If you do this, be sure not to ever use this "modified" shell for the root user.
# pkg install bash   # in case you haven't already installed it
# ln -s /usr/local/bin/bash /bin/bash
# echo "/bin/bash" >> /etc/shells
Another option for handling this is to override the shell and force a known good shell for all users. Modify your sssd.conf to contain the following:
[domain/yourdomain]
...
override_shell = /usr/local/bin/bash
Creating LDAP users' home directories by default
Non-default LDAP user home directories
The default location for home directories in FreeBSD is /usr/home. In existing LDAP setups, it's possible that user home directories are stored as /home/<user>. To fix this, you can set the following directive in your sssd.conf to override the default:
[domain/yourdomain]
...
override_homedir = /usr/home/%u
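The fragments in the last two sections set override_shell and override_homedir in isolation. Below is a complete sssd.conf, added here as an example rather than taken from this page or the sssd project, that ties the page's pieces together: the LDAP backend, the nss, pam, ssh and sudo responders that the nsswitch, sudo and AuthorizedKeysCommand steps rely on, the attribute that sss_ssh_authorizedkeys reads, and both override directives. The domain name, LDAP URI, search base and CA bundle path are placeholders to replace with your own.

```ini
# /usr/local/etc/sssd/sssd.conf (mode 0600, owned by root:wheel)
[sssd]
config_file_version = 2
# ssh must be listed for sss_ssh_authorizedkeys to return keys,
# sudo for the "sudoers: files sss" nsswitch lookups to work
services = nss, pam, ssh, sudo
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
# placeholder server and base; use ldaps:// (or ldap_id_use_start_tls = true),
# never an unencrypted ldap:// URI for authentication traffic
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
# CA bundle path is an assumption (the ca_root_nss package installs one here);
# demand means the server certificate must verify against it
ldap_tls_cacert = /usr/local/share/certs/ca-root-nss.crt
ldap_tls_reqcert = demand
# keep cached credentials so logins survive an LDAP outage; do not enumerate
# the whole directory on startup
cache_credentials = true
enumerate = false
# LDAP attribute holding SSH public keys (sshPublicKey is the sssd default)
ldap_user_ssh_public_key = sshPublicKey
# the two overrides described in the sections above
override_shell = /usr/local/bin/bash
override_homedir = /usr/home/%u
```

After editing the file, restart sssd (service sssd restart) and, because sshd caches nothing from sssd, re-run getent passwd and sss_ssh_authorizedkeys for a known LDAP user to confirm both the nss and ssh responders answer.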
Automatic home directory creation
LDAP users also likely won't have a home directory. To set up automatic home directory creation, install pam_mkhomedir using packages:
# pkg install pam_mkhomedir
Or Ports
# cd /usr/ports/security/pam_mkhomedir
# make install clean
Then modify /etc/pam.d/system, adding to the session section:
# session
#session	optional	pam_ssh.so		want_agent
session		required	/usr/local/lib/pam_mkhomedir.so
And make the same change in /etc/pam.d/sshd:
# session
#session	optional	pam_ssh.so		want_agent
session		required	/usr/local/lib/pam_mkhomedir.so
Credits
[1] It would be nice to make this not shell specific, and to show how to make it work with default shell installation locations.