Integrating FreeBSD into Active Directory – Part 2

In my previous post, I explained how to join a FreeBSD host to Active Directory. In this post, I’ll show you how I restricted which Active Directory users are allowed to SSH into my FreeBSD host.

Assumptions:
Domain: EXAMPLE.LOCAL
Active Directory Group: BSD-SSHGROUP (group for authorized users to login)

First, edit /etc/pam.d/sshd so it reads as follows; the three pam_winbind.so lines are the additions to the stock file:

#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=EXAMPLE\\BSD-SSHGROUP
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        /usr/local/lib/pam_winbind.so krb5_auth mkhomedir
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_winbind.so
password        required        pam_unix.so             no_warn try_first_pass

As a note, instead of a group name you can use the group’s SID, e.g. require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512.
To allow additional groups, add an identical line with a different group name or SID.
You can look up a group’s SID with wbinfo -n “BSD-SSHGROUP”.
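The security-relevant detail in the stack above is that the pam_winbind auth line is "sufficient": if require_membership_of were left off, any account in the domain could authenticate to sshd. The following script is an added example, not part of the original post, that audits an sshd PAM file for exactly that: it reports the groups each active pam_winbind auth line is restricted to, and flags lines that accept any domain user. The function names and the two constructed sample files are this example’s own; run it against /etc/pam.d/sshd by passing that path instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit /etc/pam.d/sshd-style files
# for the pam_winbind group restriction. A "sufficient" pam_winbind auth line
# without require_membership_of lets any domain account authenticate, so the
# check flags that case. Function names and sample files are this example's own.

# Print one line per active (uncommented) "auth" entry that loads pam_winbind:
# the value of require_membership_of, or UNRESTRICTED when the option is absent.
winbind_auth_lines() {
    awk '
        /^[[:space:]]*#/ { next }                      # PAM ignores comment lines
        $1 == "auth" && $3 ~ /pam_winbind\.so$/ {
            groups = ""
            for (i = 4; i <= NF; i++)
                if ($i ~ /^require_membership_of=/)
                    groups = substr($i, 23)            # text after "require_membership_of="
            print (groups == "" ? "UNRESTRICTED" : groups)
        }
    ' "$1"
}

# Exit status: 0 = every pam_winbind auth line is group-restricted,
#              1 = at least one line accepts any domain user,
#              2 = pam_winbind is not used for auth at all (nothing to restrict).
check_winbind_restriction() {
    lines=$(winbind_auth_lines "$1")
    [ -n "$lines" ] || return 2
    if printf '%s\n' "$lines" | grep -qx 'UNRESTRICTED'; then
        return 1
    fi
    return 0
}

# Constructed sample files: one matching the stack shown in the post, one missing the option.
SAMPLE_DIR=$(mktemp -d)
GOOD_PAM="$SAMPLE_DIR/sshd.good"
WEAK_PAM="$SAMPLE_DIR/sshd.weak"
cat > "$GOOD_PAM" <<'EOF'
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=EXAMPLE\\BSD-SSHGROUP
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
EOF
cat > "$WEAK_PAM" <<'EOF'
auth            sufficient      /usr/local/lib/pam_winbind.so try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
EOF

for f in "$GOOD_PAM" "$WEAK_PAM"; do
    rc=0
    check_winbind_restriction "$f" || rc=$?
    case $rc in
        0) echo "$f: OK, restricted to $(winbind_auth_lines "$f" | tr '\n' ' ')" ;;
        1) echo "$f: WARNING, pam_winbind accepts any domain account" ;;
        *) echo "$f: pam_winbind not used for auth" ;;
    esac
done
```

Comment lines are skipped exactly as PAM skips them, so a commented-out pam_winbind line is not counted either way; the check only looks at what the stack will actually evaluate.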

Restricting SU Access

There are several methods for this documented on the Internet; however, the only one I have been able to get working is simply adding the users to the local wheel group:

pw groupmod wheel -m administrator    # -m appends to wheel; -M would replace the existing member list
