LDAP authentication for SSH/console on 2.1



  • Hi

    Has anyone managed to get LDAP authentication working on the CLI (SSH/console)? We've got it working for the WebCfg GUI, but fail to make it work on the CLI. We've also got it working on our linux server estate, so we are familiar with the configuration.

    We've installed the nss-pam-ldapd library, but ldapsearch continues to complain about this:

    /libexec/ld-elf.so.1: /usr/lib/libssl.so.6: unsupported file layout

    We've tried disabling all SSL references in /usr/local/etc/ldap.conf, but the error persists…  :-\

    We've also tried re-installing the openssl libraries, again to no avail.

    Can't find anything on google or this forum on this topic...

    Any pointers would be appreciated!

    Thanks


  • Rebel Alliance Developer Netgate

    "unsupported file layout" usually means a 32-bit/64-bit mismatch, so if you copied some other library to the firewall, it was from the wrong architecture.

    I haven't heard of anyone getting LDAP to work for SSH logins yet, but I know it works on FreeBSD so it should be possible in theory.



  • We've started all over again and were able to get LDAP CLI authentication working :-)

    We now have it on both the webcfg as well as the CLI, which was getting increasingly needed, as we are getting close to 100 virtual pfsense firewalls and local user accounts were getting unmanageable.

    Some rough notes:

    ###login with ssh & std admin user
    
    1) /etc/nsswitch.conf
    
    group: files ldap
    # group_compat: nis
    hosts: files dns
    networks: files
    passwd: files ldap
    # passwd_compat: nis
    shells: files
    services: files
    # services_compat: nis
    protocols: files
    rpc: files
    
    2)
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/net/openldap-client-2.4.26.tbz
    pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/Latest/nss-pam-ldapd.tbz
    
    3) /usr/local/etc/nslcd.conf
    
    # The underprivileged user and group used for running the daemon.
    uid nslcd
    gid nslcd
    
    uri ldaps://ldap1.local.domain ldaps://ldap2.local.domain
    ldap_version 3
    base ou=somedepartment,dc=local,dc=domain
    
    bind_timelimit 30
    tls_reqcert allow
    ssl on
    
    4) /etc/pam.d/sshd:
    
    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.16.10.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # PAM configuration for the "sshd" service
    #
    
    # auth
    auth          sufficient    /usr/local/lib/pam_ldap.so  no_warn md5
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            required        pam_unix.so             no_warn try_first_pass
    
    # account
    account         required        pam_nologin.so
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        pam_unix.so
    
    # session
    #session        optional        pam_ssh.so
    session         required        pam_permit.so
    
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        required        pam_unix.so             no_warn try_first_pass
    
    5) /etc/pam.d/system    
    #
    # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # System-wide defaults
    #
    
    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass md5
    auth            required        pam_unix.so             no_warn try_first_pass nullok
    
    # account
    #account        required        pam_krb5.so
    account         required        pam_login_access.so
     account         required    /usr/local/lib/pam_ldap.so   ignore_unknown_user ignore_authinfo_unavail
    account         required        pam_unix.so
    
    # session
    #session        optional        pam_ssh.so
    session         required        pam_lastlog.so          no_fail
    
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        required        pam_unix.so             no_warn try_first_pass
    
    6) install sudo package in webgui
    7) install shellcmds in webgui
    
    8) add shellcmd via webgui -> services -> shellcmd:
    nslcd     shellcmd
    
    9) hack the sudo.inc file, because we can not add the sysadmins group manually, because the sudoers file is reset on boot AND we can not add it in webgui, because the sysadmins group isn't allowed:
    
    /usr/local/pkg/sudo.inc
    
    ...
            foreach ($sudocfg as $sudo_commands) {
                    // (user|group) ALL=(ALL|user spec) ALL|command list
                    list($etype, $ename) = explode(":", $sudo_commands['username']);
                    $user = ($etype == "group") ? "%{$ename}" : $ename;
                    list($rtype, $rname) = explode(":", $sudo_commands['runas']);
                    $runas = ($rtype == "group") ? ":{$rname}" : $rname;
                    $nopasswd = ($sudo_commands['nopasswd'] == "ON") ? "NOPASSWD:" : "";
                    $commands = (empty($sudo_commands['cmdlist'])) ? "ALL" : $sudo_commands['cmdlist'];
                    $commands = ($commands == "all") ? "ALL" : $commands;
                    $sudoers .= "{$user} ALL=({$runas}) {$nopasswd} {$commands}n";
            }
            $sudoers .= "%sysadmins ALL=(ALL) ALLn";
            /* Check validity of the sudoers data created above. */
            $tmpsudoers = tempnam("/tmp", "sudoers");
    ...
    
    10) let's make su work as non-root user:
    
    /etc/pam.d/su :
    
    #
    # $FreeBSD: src/etc/pam.d/su,v 1.16.32.1.8.2 2012/11/17 08:24:38 svnexp Exp $
    #
    # PAM configuration for the "su" service
    #
    
    # auth
    auth            sufficient      pam_rootok.so           no_warn
    auth            sufficient      pam_self.so             no_warn
    
    #auth           requisite       pam_group.so            no_warn group=wheel root_only fail_safe
    auth            include         system
    
    # account
    account         include         system
    
    # session
    session         required        pam_permit.so
    
    11) cp /usr/pbi/sudo-amd64/etc/pam.d/sudo /etc/pam.d
    
    12) /etc/ssh/sshd_config
    
    PermitRootLogin yes
    Compression yes
    ClientAliveInterval 30
    UseDNS no
    X11Forwarding no
    # Login via Key and Password
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    PubkeyAuthentication yes
    # override default of no subsystems
    Subsystem       sftp    /usr/libexec/sftp-server
    Protocol 2
    Port 22
    Allowgroups sysadmins
    
    ###login with ssh & ldap user
    sudo su
    

Log in to reply