FreeBSD 10 PAM_Winbind SSH Login

This guide will describe how to enable SSH login to your FreeBSD server using your AD credentials. You can also restrict SSH access to members of a particular AD group.

  1. Update system:
    # pkg update -y
    # pkg upgrade -y
  2. Edit /usr/local/etc/smb4.conf and add the following lines to the [global] stanza:
    winbind use default domain = yes
    template homedir = /home/%D/%U
    template shell = /bin/csh
  3. Ensure /etc/rc.conf contains:
    samba_enable="YES"
    winbindd_enable="YES"
  4. Restart SAMBA services:
    # service samba_server restart
  5. Edit /etc/pam.d/sshd and add the following lines as noted:
    #
    # $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
    #
    # PAM configuration for the "sshd" service
    #
    
    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=DOMAIN\\LinuxSSH    <-- THIS ONE
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    auth            required        pam_unix.so             no_warn try_first_pass
    
    # account
    account         required        pam_nologin.so
    # account       required        pam_krb5.so
    account         required        pam_login_access.so
    account         required        pam_unix.so
    
    # session
    #session        optional        pam_ssh.so              want_agent
    session         required        /usr/local/lib/pam_winbind.so krb5_auth mkhomedir    <-- THIS ONE
    session         required        pam_permit.so
    
    # password
    #password       sufficient      pam_krb5.so             no_warn try_first_pass
    password        sufficient      /usr/local/lib/pam_winbind.so    <-- THIS ONE
    password        required        pam_unix.so             no_warn try_first_pass
  6. If you left the require_membership_of= option on the auth line, you will need to create the group on your DC and add any users who should have SSH access. If those users also need to become root, you will also need to add their usernames to the wheel group on the FreeBSD server, or modify /etc/pam.d/su and change the group which is authorised to su. Use pw's -m option, which appends to the group's member list; -M replaces the whole list and would drop the existing wheel members:
    # pw groupmod wheel -m administrator
  7. You should then be able to SSH into your server and log in with an AD account.
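As an added example (not part of the original guide), a small POSIX sh/awk audit that checks an sshd PAM file for the auth-stack properties the guide depends on: an active pam_winbind line marked sufficient, a require_membership_of= group restriction, and placement before the required pam_unix line. The sample file contents are constructed here to mirror the stack above.

```shell
#!/bin/sh
# Added audit helper, not from the original guide. Checks the "auth" stack of
# an sshd PAM file for the pam_winbind properties the guide relies on.

# check_winbind_auth FILE
# Exits 0 when FILE has an active (uncommented) "auth" pam_winbind line that
# is "sufficient", carries require_membership_of=<group>, and appears before
# the required pam_unix line. Otherwise exits 1 with the reason on stderr.
check_winbind_auth() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 != "auth"          { next }          # only the auth stack matters here
        $3 ~ /pam_winbind\.so$/ {
            wb = NR
            if ($2 != "sufficient")
                reason = "pam_winbind is \"" $2 "\", expected sufficient"
            else if ($0 !~ /require_membership_of=[^ \t]+/)
                reason = "no require_membership_of=, so any AD user may log in"
        }
        $3 ~ /pam_unix\.so$/ && !ux { ux = NR }
        END {
            if (!wb)      reason = "no active pam_winbind auth line"
            else if (!ux) reason = "no pam_unix auth line"
            else if (wb > ux && !reason)
                reason = "pam_winbind comes after required pam_unix; AD-only users fail there first"
            if (reason) { print "FAIL: " reason > "/dev/stderr"; exit 1 }
            exit 0
        }
    ' "$1"
}

# Constructed sample mirroring the finished /etc/pam.d/sshd auth stack above
# (the "<-- THIS ONE" markers are annotations, not file contents).
good=$(mktemp) && cat > "$good" <<'EOF'
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=DOMAIN\\LinuxSSH
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_nologin.so
EOF

# Same stack with the group restriction removed: must be reported.
open=$(mktemp) && sed 's/ require_membership_of=[^ ]*//' "$good" > "$open"

check_winbind_auth "$good" && echo "OK: SSH restricted to the AD group"
check_winbind_auth "$open" || echo "rejected the unrestricted stack, as expected"
rm -f "$good" "$open"
```

Run it against the real file with `check_winbind_auth /etc/pam.d/sshd` after sourcing the script; a commented-out winbind line counts as absent.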
