LDAP authentication for SSH/console on 2.1
-
Hi
Has anyone managed to get LDAP authentication working on the CLI (SSH/console)? We've got it working for the WebCfg GUI, but fail to make it work on the CLI. We've also got it working on our linux server estate, so we are familiar with the configuration.
We've installed the nss-pam-ldapd library, but ldapsearch continues to complain about this:
/libexec/ld-elf.so.1: /usr/lib/libssl.so.6: unsupported file layout
We've tried disabling all SSL references in /usr/local/etc/ldap.conf, but the error persists… :-\
We've also tried re-installing the openssl libraries, again to no avail.
Can't find anything on google or this forum on this topic...
Any pointers would be appreciated!
Thanks
-
"unsupported file layout" usually means a 32-bit/64-bit mismatch, so if you copied some other library to the firewall, it was from the wrong architecture.
I haven't heard of anyone getting LDAP to work for SSH logins yet, but I know it works on FreeBSD so it should be possible in theory.
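A quick way to confirm the 32-bit/64-bit explanation in the reply above is to read the ELF header of the library the loader rejects and compare its class with the host's. The script below is an added example, not part of the thread; it assumes only POSIX sh, od and uname, and the library path (/usr/lib/libssl.so.6) is taken from the error message in the first post.

```shell
#!/bin/sh
# Added example (not from the forum thread): check whether a shared library's
# ELF class (32- or 64-bit) matches the running host, the mismatch that makes
# ld-elf.so.1 report "unsupported file layout". Needs only sh, od and uname.

# elf_class FILE: print 64, 32 or unknown.
# The ELF header starts with the magic 7f 45 4c 46; byte 4 (EI_CLASS) is
# 01 for a 32-bit object and 02 for a 64-bit object.
elf_class() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo unknown; return 1; }
    case "$(od -An -tx1 -j4 -N1 "$1" | tr -d ' \n')" in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown; return 1 ;;
    esac
}

# host_class: the class the kernel and runtime loader expect, from uname -m.
host_class() {
    case "$(uname -m)" in
        amd64|x86_64|arm64|aarch64)      echo 64 ;;
        i386|i486|i586|i686|armv6|armv7) echo 32 ;;
        *)                               echo unknown ;;
    esac
}

# check_lib FILE: return 0 when the object matches the host, 1 on a mismatch
# or when FILE is not an ELF object at all.
check_lib() {
    lib=$(elf_class "$1") || { echo "$1: not a recognised ELF object"; return 1; }
    host=$(host_class)
    if [ "$lib" = "$host" ]; then
        echo "$1: ${lib}-bit object, matches ${host}-bit host"
        return 0
    fi
    echo "$1: ${lib}-bit object on a ${host}-bit host (expect 'unsupported file layout')"
    return 1
}

# Usage on the firewall from the first post:
#   sh check_lib.sh /usr/lib/libssl.so.6 /usr/local/lib/libldap-2.4.so.*
if [ $# -gt 0 ]; then
    for f in "$@"; do check_lib "$f"; done
fi
```

Run it against every library named in the loader error; a 32-bit result on an amd64 pfSense install means the package or copied file came from the i386 tree.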
-
We've started all over again and were able to get LDAP CLI authentication working :-)
We now have it on both the webcfg as well as the CLI, which was getting increasingly needed, as we are getting close to 100 virtual pfsense firewalls and local user accounts were getting unmanageable.
Some rough notes:
###login with ssh & std admin user

1) /etc/nsswitch.conf

    group: files ldap
    # group_compat: nis
    hosts: files dns
    networks: files
    passwd: files ldap
    # passwd_compat: nis
    shells: files
    services: files
    # services_compat: nis
    protocols: files
    rpc: files

2) pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/net/openldap-client-2.4.26.tbz
   pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/nss-pam-ldapd.tbz

3) /usr/local/etc/nslcd.conf

    # The underprivileged user and group used for running the daemon.
    uid nslcd
    gid nslcd
    uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain
    ldap_version 3
    base ou=somedepartment,dc=local,dc=domain
    bind_timelimit 30
    tls_reqcert allow
    ssl on

4) /etc/pam.d/sshd:

    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn md5
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    auth        required    pam_unix.so                 no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so
    session     required    pam_permit.so

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    required    pam_unix.so                 no_warn try_first_pass

5) /etc/pam.d/system

    #
    # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # System-wide defaults
    #

    # auth
    auth        sufficient  pam_opie.so                 no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so           no_warn allow_local
    #auth       sufficient  pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                  no_warn try_first_pass
    auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass md5
    auth        required    pam_unix.so                 no_warn try_first_pass nullok

    # account
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so
    session     required    pam_lastlog.so              no_fail

    # password
    #password   sufficient  pam_krb5.so                 no_warn try_first_pass
    password    required    pam_unix.so                 no_warn try_first_pass

6) install sudo package in webgui

7) install shellcmds in webgui

8) add shellcmd via webgui -> services -> shellcmd: nslcd shellcmd

9) hack the sudo.inc file, because we can not add the sysadmins group manually, because the sudoers file is reset on boot AND we can not add it in webgui, because the sysadmins group isn't allowed:

/usr/local/pkg/sudo.inc

    ...
    foreach ($sudocfg as $sudo_commands) {
        // (user|group) ALL=(ALL|user spec) ALL|command list
        list($etype, $ename) = explode(":", $sudo_commands['username']);
        $user = ($etype == "group") ? "%{$ename}" : $ename;
        list($rtype, $rname) = explode(":", $sudo_commands['runas']);
        $runas = ($rtype == "group") ? ":{$rname}" : $rname;
        $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : "";
        $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist'];
        $commands = ($commands == "all") ? "ALL" : $commands;
        $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}\n";
    }
    // added line: grant the LDAP sysadmins group on every regeneration of sudoers
    $sudoers .= "%sysadmins ALL=(ALL) ALL\n";
    /* Check validity of the sudoers data created above. */
    $tmpsudoers = tempnam("/tmp", "sudoers");
    ...

10) let's make su work as non-root user: /etc/pam.d/su :

    #
    # $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # PAM configuration for the "su" service
    #

    # auth
    auth        sufficient  pam_rootok.so   no_warn
    auth        sufficient  pam_self.so     no_warn
    #auth       requisite   pam_group.so    no_warn group=wheel root_only fail_safe
    auth        include     system

    # account
    account     include     system

    # session
    session     required    pam_permit.so

11) cp /usr/pbi/sudo-amd64/etc/pam.d/sudo /etc/pam.d

12) /etc/ssh/sshd_config

    PermitRootLogin yes
    Compression yes
    ClientAliveInterval 30
    UseDNS no
    X11Forwarding no

    # Login via Key and Password
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    PubkeyAuthentication yes

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    Protocol 2
    Port 22
    Allowgroups sysadmins

###login with ssh & ldap user

    sudo su
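The notes above configure three things that decide who can log in over SSH with an LDAP account and how the bind credentials travel: nsswitch.conf (whether LDAP users resolve at all), nslcd.conf (transport and server certificate checking) and sshd_config (root login and the AllowGroups restriction). The script below is an added example, not code from the thread or from pfSense; it audits those files for the settings that matter most to a defender, using constructed samples that mirror the values in the post. The parser is generic for "key value" and "key: value" files; the finding texts, severity levels and the assumed defaults (tls_reqcert demand, ssl off, PermitRootLogin yes as the old OpenSSH default) are my own.

```python
"""Added example (not from the forum post): audit nslcd.conf, sshd_config and
nsswitch.conf for the LDAP-over-SSH settings a defender cares about."""

# Constructed sample inputs that mirror the values in the post.
NSLCD_CONF = """\
# The underprivileged user and group used for running the daemon.
uid nslcd
gid nslcd
uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain
ldap_version 3
base ou=somedepartment,dc=local,dc=domain
bind_timelimit 30
tls_reqcert allow
ssl on
"""

SSHD_CONFIG = """\
PermitRootLogin yes
Compression yes
ClientAliveInterval 30
UseDNS no
X11Forwarding no
# Login via Key and Password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
Protocol 2
Port 22
Allowgroups sysadmins
"""

NSSWITCH_CONF = """\
group: files ldap
# group_compat: nis
hosts: files dns
passwd: files ldap
"""


def parse_kv(text, sep=None, casefold=False):
    """Parse 'key value...' lines (or 'key<sep>value' when sep is given),
    dropping '#' comments and blank lines. Returns {key: [value, ...]} so
    repeated keys (nslcd allows several 'uri' lines) are all kept."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if sep:
            key, _, value = line.partition(sep)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower() if casefold else key.strip()
        out.setdefault(key, []).append(value.strip())
    return out


def audit(nslcd_text, sshd_text, nsswitch_text):
    """Return a list of (severity, message) findings; empty means nothing flagged."""
    n = parse_kv(nslcd_text)
    s = parse_kv(sshd_text, casefold=True)   # sshd_config keywords are case-insensitive
    w = parse_kv(nsswitch_text, sep=":")
    findings = []

    # 1. Name resolution: without 'ldap' in passwd and group, LDAP users never
    #    resolve and PAM can only ever authenticate local accounts.
    for db in ("passwd", "group"):
        if "ldap" not in w.get(db, [""])[0].split():
            findings.append(("error", f"nsswitch.conf: '{db}' does not consult ldap"))

    # 2. Transport: a plain ldap:// URI without StartTLS sends the bind password
    #    (the user's own password with pam_ldap) in clear across the network.
    uris = " ".join(n.get("uri", [])).split()
    plain = [u for u in uris if not u.startswith("ldaps://")]
    if plain and n.get("ssl", ["off"])[0] != "start_tls":    # assumed default: ssl off
        findings.append(("error", f"nslcd.conf: plaintext LDAP uri(s) {plain}"))

    # 3. Server authentication: 'allow' and 'never' accept any or no certificate,
    #    so an impostor LDAP server would receive every login attempt's password.
    reqcert = n.get("tls_reqcert", ["demand"])[0]             # assumed default: demand
    if reqcert in ("allow", "never"):
        findings.append(("warn", f"nslcd.conf: tls_reqcert {reqcert} skips server certificate verification"))

    # 4. sshd: direct root login bypasses the per-user LDAP accountability the
    #    sudo setup provides, and AllowGroups is what limits login to sysadmins.
    if s.get("permitrootlogin", ["yes"])[0].lower() == "yes":  # assumed default: yes (old OpenSSH)
        findings.append(("warn", "sshd_config: PermitRootLogin yes; prefer sudo from the AllowGroups group"))
    if "allowgroups" not in s:
        findings.append(("warn", "sshd_config: no AllowGroups, so every LDAP account may log in"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(NSLCD_CONF, SSHD_CONFIG, NSSWITCH_CONF):
        print(f"[{severity}] {message}")
```

On the post's own values the audit reports two warnings, tls_reqcert allow and PermitRootLogin yes, and no errors; the same functions read real files via open(path).read() in place of the constructed strings.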