Permalink
Fetching contributors…
Cannot retrieve contributors at this time
80 lines (64 sloc) 2.99 KB
This file describes how to configure pam_hbac for access control on a
FreeBSD machine.
Disclaimer
==========
Please note that recent FreeBSD versions ship with SSSD. You should only use
pam_hbac if for some reason you can't use SSSD on your FreeBSD machine or if
you use an SSSD version that doesn't ship with the "ipa" id_provider.
Prerequisities
==============
Please make sure your FreeBSD client is able to resolve and authenticate
the IPA or AD users. For example, for users coming from an AD trust:
$ id administrator@win.trust.test
$ su - administrator@win.trust.test
A good starting point for this configuration is to run:
$ ipa-advise config-freebsd-nss-pam-ldapd
on an IPA server.
Building from source
====================
Please make sure all required dependencies are installed. On FreeBSD
10.2-RELEASE, this would be:
# pkg install autoconf automake libtool gettext pkgconf \
openldap-client glib
If you want the manual pages to be generated during build, also install
the following optional build dependency:
# pkg install asciidoc
Then you'll be able to generate the configure script:
$ autoreconf -if
The next step is to configure the build. On FreeBSD, the third-party PAM
modules are normally located in /usr/local/lib. When building from source,
you'll want to add:
--with-pammoddir=/usr/local/lib/
to the configure invocation. Finally, specify the correct manual pages
directory for FreeBSD:
--mandir=/usr/local/man
All in all, run the configure script:
$ ./configure \
--with-pammoddir=/usr/local/lib/ \
--mandir=/usr/local/man
Once it finishes, compile pam_hbac
$ make
And finally install it:
# make install
With these settings, pam_hbac will read its configuration from
/usr/local/etc/pam_hbac.conf.
Configuration
=============
You need to configure the module itself, then include the module in the
PAM stack. Please see the pam_hbac.conf(5) man page for the available
configuration options.
When the config file is created, put the following into /etc/pam.d/system
or just the particular PAM service you would like secure:
account required /usr/local/lib/pam_hbac.so ignore_unknown_user ignore_authinfo_unavail
Adding the option `ignore_unknown_user` is important on FreeBSD for the same
reason Linux systems normally use `pam_localuser.so` - pam_hbac looks up
accounts using NSS calls and failure to look up a user would deny access,
because no rules would apply. Additionally, pam_hbac returns PAM_UNKNOWN_USER
for root, which might be impractical if you decide to put the module into
the system-wide configuration.
Similarly, adding the `ignore_authinfo_unavail` option is handy in case
the LDAP server is not reachable. In that case, pam_hbac would return
PAM_IGNORE and proceed with the rest of the stack instead of a hard error.
Before making any changes to the PAM stack, please make sure to have a root
console open until you finish testing of pam_hbac setup, to make sure you
don't lock yourself out of the system!