Integrating FreeBSD into Active Directory – Part 2

In my previous post, I explained how to join a FreeBSD host to Active Directory. In this post, I’ll show you how I was able to limit the scope of people allowed to SSH into my FreeBSD host.

Active Directory group: BSD-SSHGROUP (the group whose members are authorized to log in)

First, edit /etc/pam.d/sshd so it reflects the following (the three pam_winbind.so lines are the additions to the stock FreeBSD 10.2 file):

# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
# PAM configuration for the "sshd" service

# auth
auth            sufficient      pam_opie.so                     no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so               no_warn allow_local
auth            sufficient      /usr/local/lib/pam_winbind.so   try_first_pass require_membership_of=EXAMPLE\\BSD-SSHGROUP
#auth           sufficient      pam_krb5.so                     no_warn try_first_pass
#auth           sufficient      pam_ssh.so                      no_warn try_first_pass
auth            required        pam_unix.so                     no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so                      want_agent
session         required        /usr/local/lib/pam_winbind.so   krb5_auth mkhomedir
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so                     no_warn try_first_pass
password        sufficient      /usr/local/lib/pam_winbind.so
password        required        pam_unix.so                     no_warn try_first_pass

As a note, instead of a group name you can use the SID, for example “require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512”.
If you want to allow additional groups, add an identical line for each one with a different group name or SID.
To satisfy your curiosity, you can look up SIDs with wbinfo -n “BSD-SSHGROUP”.

Restricting SU Access

Several methods for this are documented on the Internet; however, the only one I have been able to get working is to simply add the users to the local wheel group:

pw groupmod wheel -M administrator
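To check both controls described above (which groups or SIDs the sshd PAM stack will accept, and who is in wheel and so allowed to su), here is an added audit script that is not part of the original post; it reads from files passed as arguments, and make_samples writes constructed copies of the post's configuration so it can run offline.

```sh
#!/bin/sh
# Added example (not from the post): audit the SSH and su restrictions.
# Functions take file paths so they can be run against copies or the live files.

# List the require_membership_of value of every active pam_winbind auth line.
sshd_allowed_groups() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out lines are inactive
        $1 == "auth" && /pam_winbind\.so/ {
            for (i = 1; i <= NF; i++)
                if (sub(/^require_membership_of=/, "", $i)) print $i
        }' "$1"
}

# List the members of wheel (the users the post allows to su) from a group(5) file.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeed only if GROUP (name or SID) is accepted by the sshd PAM auth stack.
ssh_group_allowed() {
    sshd_allowed_groups "$1" | grep -qxF -- "$2"
}

# Constructed sample files mirroring the post's configuration; prints their directory.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sshd" <<'EOF'
# auth
auth    sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=EXAMPLE\\BSD-SSHGROUP
#auth   sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=EXAMPLE\\BSD-OLDGROUP
auth    sufficient  /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512
auth    required    pam_unix.so no_warn try_first_pass
# account
account required    pam_unix.so
EOF
    printf 'wheel:*:0:root,administrator\nusers:*:100:\n' > "$dir/group"
    echo "$dir"
}

# Usage against the live system: sshd_allowed_groups /etc/pam.d/sshd; wheel_members /etc/group
```

pam_winbind enforces require_membership_of only during password authentication, and sshd does not run the PAM auth stack for public-key logins, so key-based access needs a separate control such as AllowGroups in sshd_config.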

