This guide describes how to enable SSH login to a FreeBSD server with Active Directory credentials through Samba's winbind, and how to restrict that SSH access to members of a particular AD group. It assumes Samba is already installed and the server is already joined to the domain; winbind cannot authenticate domain users otherwise.
- Update system:
# pkg update -y
# pkg upgrade -y
- Edit /usr/local/etc/smb4.conf and add the following lines to the [global] stanza:
winbind use default domain = yes
template homedir = /home/%D/%U
template shell = /bin/csh
- Ensure /etc/rc.conf contains the following (samba_server_enable is the knob for the samba_server rc script restarted in the next step; winbindd_enable makes that script start winbindd as well):
samba_server_enable="YES"
winbindd_enable="YES"
- Restart SAMBA services:
# service samba_server restart
- Edit /etc/pam.d/sshd and add the following lines as noted:
#
# $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
auth		sufficient	/usr/local/lib/pam_winbind.so	try_first_pass require_membership_of=DOMAIN\\LinuxSSH	# <-- THIS ONE
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so		want_agent
session		required	/usr/local/lib/pam_winbind.so	krb5_auth mkhomedir	# <-- THIS ONE
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	sufficient	/usr/local/lib/pam_winbind.so	# <-- THIS ONE
password	required	pam_unix.so		no_warn try_first_pass
- If you kept the require_membership_of= option on the auth line, create that group (DOMAIN\LinuxSSH in the example) on your DC and add the users who should have SSH access. The backslash is doubled in the PAM file because the PAM config parser treats a single backslash as an escape character; pam_winbind also accepts the group's SID (S-1-5-...) in place of the name, which avoids the escaping and survives a group rename. The pam_winbind auth line must stay above the pam_unix line: a later sufficient success does not rescue the stack once a required module has already failed. Any of these users who also need to su to root must additionally be members of the FreeBSD wheel group, or you can change the group= option on the pam_group.so line in /etc/pam.d/su to a different group. Keep that set to administrators only; wheel membership is what gates su to root, and it should not simply mirror the SSH-access group.
# pw groupmod wheel -m administrator
Use lowercase -m, which adds a member; uppercase -M replaces the whole member list, which would drop root and every other existing member from wheel.
- You should then be able to SSH into your server and login as an AD account.
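Before restarting sshd it is worth checking that the PAM stack above actually says what you intended, since a mistake here can lock out every login. The following POSIX sh script is an added example and not part of the original guide: it strips PAM comments, confirms the three pam_winbind lines are present, checks that the winbind auth line precedes pam_unix.so, and reports the group named in require_membership_of= (or warns when there is none, because then any AD user could log in). The function names, the constructed sample file and the check script itself are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check an /etc/pam.d/sshd
# configured for winbind before restarting sshd. Function and file names are
# this example's own.

WINBIND=/usr/local/lib/pam_winbind.so

# Print the active (non-comment, non-blank) lines of a PAM file with runs of
# whitespace collapsed to single spaces, so the checks below are layout-proof.
pam_active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$'
}

# Print the group named by require_membership_of= on the pam_winbind auth line.
# Exits 1 when no such restriction is present (any AD user could log in).
winbind_auth_group() {
    pam_active_lines "$1" | awk -v mod="$WINBIND" '
        $1 == "auth" && $3 == mod {
            for (i = 4; i <= NF; i++)
                if (index($i, "require_membership_of=") == 1) {
                    print substr($i, 23); found = 1
                }
        }
        END { exit found ? 0 : 1 }'
}

# Check the stack. Returns 0 when every expectation holds, 1 otherwise, and
# prints one line per problem. A missing group restriction is only a warning,
# because the guide treats require_membership_of= as optional.
check_pam_sshd() {
    f=$1; rc=0
    lines=$(pam_active_lines "$f")
    wb=$(printf '%s\n' "$lines" | grep -n "^auth sufficient $WINBIND" | head -n 1 | cut -d: -f1)
    ux=$(printf '%s\n' "$lines" | grep -n '^auth required pam_unix\.so' | head -n 1 | cut -d: -f1)
    [ -n "$wb" ] || { echo "missing: auth sufficient $WINBIND"; rc=1; }
    [ -n "$ux" ] || { echo "missing: auth required pam_unix.so"; rc=1; }
    # In OpenPAM a 'sufficient' success after a 'required' failure does not
    # rescue the stack, so the winbind line must come first.
    if [ -n "$wb" ] && [ -n "$ux" ] && [ "$wb" -gt "$ux" ]; then
        echo "order: the pam_winbind auth line must come before pam_unix.so"; rc=1
    fi
    printf '%s\n' "$lines" | grep -q "^session required $WINBIND .*mkhomedir" \
        || { echo "missing: session required $WINBIND ... mkhomedir"; rc=1; }
    printf '%s\n' "$lines" | grep -q "^password sufficient $WINBIND" \
        || { echo "missing: password sufficient $WINBIND"; rc=1; }
    winbind_auth_group "$f" >/dev/null \
        || echo "warning: no require_membership_of= on the pam_winbind auth line"
    return $rc
}

# Write a constructed copy of the guide's /etc/pam.d/sshd to FILE, so the
# checker can be exercised without touching the live file.
sample_pam_sshd() {
    cat > "$1" <<'EOF'
# PAM configuration for the "sshd" service (constructed sample)
# auth
auth        sufficient  pam_opie.so             no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so       no_warn allow_local
auth        sufficient  /usr/local/lib/pam_winbind.so   try_first_pass require_membership_of=DOMAIN\\LinuxSSH
#auth       sufficient  pam_krb5.so             no_warn try_first_pass
auth        required    pam_unix.so             no_warn try_first_pass
# account
account     required    pam_nologin.so
account     required    pam_login_access.so
account     required    pam_unix.so
# session
session     required    /usr/local/lib/pam_winbind.so   krb5_auth mkhomedir
session     required    pam_permit.so
# password
password    sufficient  /usr/local/lib/pam_winbind.so
password    required    pam_unix.so             no_warn try_first_pass
EOF
}

# Usage: sh check_pam_sshd.sh /etc/pam.d/sshd
if [ $# -gt 0 ]; then
    check_pam_sshd "$1" && echo "ok: $1 (SSH group: $(winbind_auth_group "$1" || echo none))"
fi
```

Run it against the live file from a second session before closing the one you used to edit PAM; the group it prints should be the AD group you created on the DC, with the doubled backslash from the file still visible, which is expected since the PAM parser consumes the escape only when it reads the file.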