Using FreeIPA with FreeBSD

Intro

Features Provided

The instructions below will enable System Security Services Daemon (SSSD), which provides the mechanism by which several core services will integrate with FreeIPA.

  • Name Service Switch (NSS): retrieve user and group information from FreeIPA.
  • Sudo: centrally manage sudoers policies in FreeIPA.
  • Pluggable Authentication Modules (PAM): enable PAM to authenticate to FreeIPA.
  • OpenSSH: Authenticate using Kerberos tickets issued by FreeIPA

Kerberos Background

Kerberos was originally developed in 1988 at the Massachusetts Institute of Technology. Because it was developed in the United States, it fell under the United States Munitions List of the International Traffic in Arms Regulations (ITAR), and later the U.S. Export Administration Regulations (EAR). These laws classified encryption software as military technology and regulated its export to other countries.

Another Kerberos implementation, Heimdal, was developed outside of the United States specifically to avoid these export regulations. It was created in 1997 at the Royal Institute of Technology in Stockholm, Sweden.

In 1995, Daniel Bernstein, with the help of the EFF, sued the U.S. State Department over the right to distribute an encryption algorithm he had written as a Ph.D. candidate at U.C. Berkeley. Bernstein won the case and U.S. government was forced to relax export regulations on open-source software in October, 2022.

The U.S. government still prohibits export of MIT Kerberos to Cuba, Iran, North Korea, and Syria. So, if you live in one of those places, this guide is not for you.

Unfortunately, this history has left us with two competing Kerberos implementations: MIT and Heimdal.

Kerberos in FreeBSD

The Kerberos support in FreeBSD can be difficult to make sense of. There are three implementations to choose from:

  • Base-system Kerberos: This is based on Heimdal 1.5.2, which was released in 2012
  • security/heimdal port: This is a port based on the latest version of Heimdal Kerberos
  • security/krb5 port: This is a port based on the latest version of MIT Kerberos

We can see that FreeBSD includes a very old version of Heimdal Kerberos, but FreeIPA includes a new version of MIT Kerberos. We will enable on MIT Kerberos on FreeBSD to make them work together.

NOTE: There seems to be ongoing work to replace the base-system Heimdal Kerberos with MIT Kerberos, which would make all of this much simpler.

FreeIPA Server Configuration

There is an absolutely critical step that I have not found mentioned anywhere else on the internet: We have to change the FreeIPA configuration to be compatible with the FreeBSD base-system Kerberos. If you have given up hope getting Kerberos-authenticated SSH to work on FreeBSD this is the reason.

FreeIPA Crypto Policy

Remember that the base system includes a Heimdal Kerberos 1.5.2, released in 2012. But FreeIPA uses MIT Kerberos 1.21.1, released in 2023. Between those dates (in 2016), RFC8009 was created, which introduces two new encryption algorithms:

etype encryption type
19 aes128-cts-hmac-sha256-128
20 aes256-cts-hmac-sha384-192

Because they are newer and more secure, FreeIPA issues them by default but FreeBSD does not support them. To resolve this, we must remove them from the crypto policy on the FreeIPA server(s).

Edit the permitted_enctypes directive in /usr/share/crypto-policies/DEFAULT to contain only the older encryption types:

[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

Restart FreeIPA to apply the change.

IMPORTANT: These edits will be overwritten every time the FreeIPA packages are updated, so don’t forget to reapply these changes, or Kerberos will suddenly stop working on your FreeBSD clients.

FreeBSD Client Installation

Getting FreeBSD to work with FreeIPA requires a few steps:

  1. Install custom ports
  2. Install Kerberos keytab
  3. Configure system services:
    • Name Service Switch (NSS)
    • Pluggable Authentication Modules (PAM)
    • OpenLDAP
    • System Security Services Daemon (SSSD)
    • OpenSSH

Custom Ports Options

There are a handful of ports that require custom options to work with FreeIPA. Most of these changes are to enable integration with MIT Kerberos, rather than one of the other Kerberos implementations.

  • net/openldap26-client
    • Set the GSSAPI option
  • security/cyrus-sasl2-gssapi
    • Set the GSSAPI_MIT option
    • Unset the GSSAPI_BASE option
    • Unset the GSSAPI_HEIMDAL option

The ports above are the only ones required for a FreeIPA client, but you may want to enable other ports for MIT Kerberos authentication. For example:

  • mail/dovecot
    • Set the GSSAPI_MIT option
    • Unset the GSSAPI_NONE option
    • Unset the GSSAPI_BASE option
    • Unset the GSSAPI_HEIMDAL option
  • mail/postfix
    • Set the SASLKMIT option

Using the Paragon repository

For anyone who does not want to build their own ports, Paragon Cloud Services hosts a repository that contains the packages above, built with the options above, and makes it publicly available.

https://repo.paragoncloudservices.com/freebsd/

NOTE: This repository does not include all FreeBSD ports - only those required for FreeIPA and their dependencies. You will need to keep the FreeBSD repository enabled for other ports.

To enable this repository, create a file called /usr/local/etc/pkg/repos/Paragon.conf with the following content:

Paragon: {
  url: "http://repo.paragoncloudservices.com/freebsd/${ABI}/quarterly/freeipa",
  mirror_type: "none",
  signature_type: "none",
  priority: 10,
  enabled: yes
}

Installation

Install the following packages from the Paragon repository, your own custom repository, or ports:

  • security/cyrus-sasl
  • security/cyrus-sasl-gssapi

To install from the Paragon repository:

$ sudo pkg install -r Paragon cyrus-sasl cyrus-sasl-gssapi

Also install these packages from the FreeBSD repository:

  • security/sssd2
  • security/sudo-sssd

To install from the FreeBSD repository:

$ sudo pkg install -r FreeBSD sssd2 sudo-sssd

Installing the FreeIPA certificate

  1. Download the FreeIPA certificate.
install -d -o root -g wheel -m 0755 /usr/local/etc/ssl/certs

fetch -o /usr/local/etc/ssl/certs/ipa.crt http://<your-ipa-server>/ipa/config/ca.crt
  1. Run certctl rehash to load the certficate into the system’s trust archors.

Install Kerberos Keytab

  1. On the FreeIPA server:
ipa host-add --force <fqdn>

ipa-getkeytab -p host/<fqdn>@EXAMPLE.ORG -k /tmp/<hostname>.keytab

  1. Copy /tmp/<hostname>.keytab from the FreeIPA server to the FreeBSD client at the following path: /etc/krb5.keytab.

  2. Set the owner and permissions of /etc/krb5.keytab

chown root:wheel /etc/krb5.keytab

chmod 0600 /etc/krb5.keytab

Configure OpenLDAP

  1. Configure /usr/local/etc/openldap/ldap.conf as follows:
BASE             dc=example,dc=org
TLS_CACERTDIR    /etc/ssl/certs
URI              ldaps://ldap.example.org

Configure SSSD

  1. Modify /usr/local/etc/sssd/sssd.conf according to this example:
[domain/example.org]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
sudo_provider = ipa
ipa_server = _srv_
ldap_tls_cacert = /usr/local/etc/ssl/certs/ipa.crt
ipa_automount_location = default
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = example.org

[nss]
filter_users = root,smash
homedir_substring = /home

[pam]

[sudo]

[ssh]
  1. Enable and start SSSD
service sssd enable
service sssd start

Configure Name Service Switch (NSS)

  1. Configure /etc/nsswitch.conf as follows:
group: files sss
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: files sss
services_compat: nis
protocols: files
rpc: files
sudoers: files sss
netgroup: files
automount:  files sss

Configure Pluggable Authentication Module (PAM)

To configure PAM, there is no need to modify the distributed configuration files. Instead, override them by placing your custom configuration in /usr/local/etc/pamd.

  1. Configure /usr/local/etc/pam.d/sshd as follows:
#
# PAM configuration for the "sshd" service
#

# auth
auth          sufficient     pam_krb5.so              no_warn try_first_pass
auth          sufficient     pam_sss.so               use_first_pass
auth          required       pam_unix.so              no_warn try_first_pass

# account
account       required       pam_nologin.so
account       required       pam_login_access.so
account       required       pam_unix.so
account       required       pam_sss.so               ignore_unknown_user ignore_authinfo_unavail

# session
session       required       pam_permit.so
session       required       pam_mkhomedir.so         mode=0700
session       optional       pam_sss.so

# password
password      sufficient     pam_sss.so               use_authtok
password      required       pam_unix.so              no_warn try_first_pass
  1. Configure /usr/local/etc/pam.d/service as follows:
#
# System-wide defaults
#

# auth
auth          sufficient     pam_krb5.so              no_warn try_first_pass
auth          sufficient     pam_sss.so               use_first_pass
auth          required       pam_unix.so              no_warn try_first_pass nullok

# account
account       required       pam_login_access.so
account       required       pam_sss.so               ignore_unknown_user ignore_authinfo_unavail
account       required       pam_unix.so

# session
session       required       pam_lastlog.so           no_fail
session       required       pam_mkhomedir.so         mode=0700

# password
password      sufficient     pam_krb5.so              no_warn try_first_pass
password      sufficient     pam_sss.so               use_authtok
password      required       pam_unix.so              no_warn try_first_pass

Configure SSH server

To enable authentication using Kerberos tickets, set this option in /etc/ssh/sshd_config:

GSSAPIAuthentication yes

If you want to support authentication using SSH keys distributed by FreeIPA, set these options:

PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody

To disable interactive password authentication completely, set these options as well:

PasswordAuthentication no
KerberosAuthentication no
ChallengeResponseAuthentication no
UsePAM no

I know it doesn’t make any sense that we just spent all that time seting up Kerberos and PAM, only to disable those settings. Trust me - those settings mean something else and GSSAPI (enabled above) is what we want for ticket-based authentaction.

Configure SSH client (optional)

To authenticate over SSH using Kerberos:

  1. Obtain an Ticket Granting ticket with kinit
  2. Run ssh with the -K option. You may also want to disable public key authentication.
ssh -K -o PubkeyAuthentication=no myserver.example.org

To enable this behavior without having to specifiy those options every time, the following statements can be added to the client configuration (either /etc/ssh/ssh_config or ~/.ssh/config):

CanonicalizeHostname yes
CanonicalDomains example.org

Host *.example.org
PubkeyAuthentication no
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes