Alwina's open source efforts

|

Specialized in FreeBSD and CentOS

Secure fileserver with LDAP

May 15th, 2010 at 13:39

Introduction
This article describes how to setup a secure file server on a server running FreeBSD. This version is based on FreeBSD 7.3. It is likely to work on newer version without too much difficulty.

This walkthrough will setup a very secure file server that will root your users to their home directories. This will prevent users browsing all over your server. The file server handles the well supported and secure sftp service. Other services are not provided. We will show how to use an LDAP directory service for authentication.

Before you begin

1. Standard installation of FreeBSD
This articles asumes you have a working install of FreeBSD 7.3 for i386 logged in as root with the ports collection installed. You can use sysinstall, portsnap or similar to install the ports collections. A standard installation of FreeBSD is described in this article.

2. This article is based on an LDAP authentication. If you do not have an LDAP server up and running you could use this article to setup a standard openLDAP server.

3. Update /usr/ports

# portsnap fetch
# portsnap extract

Procedure

1. Install ssh2 from the ports

For improved security we take advantage of new functionality offered in this software.

# cd /usr/ports/security/ssh2
# make install clean -DBATCH

2. Adapt current sshd server (optional)

The file server we install will use the standard port 22. If this port is already active with an sshd-instance for remote login. We need to adapt the settings.

# vi /etc/ssh/sshd_config

Change the line:

#Port 22

so the line reads

Port 5022

So the “old” sshd server will listen to port 5022 for remote logins and will not interfere with the secure file server.

3. Restart sshd

# /etc/rc.d/sshd restart

4. Configure sshd2

# cd /usr/local/etc/ssh2
# cp sshd2_config.example sshd2_config
# vi sshd2_config

Remove the # from the line

#AllowedAuthentications hostbased, publickey,keyboard-interactive

so the line reads

AllowedAuthentications hostbased, publickey,keyboard-interactive

Add the lines:

AuthKbdInt.Optional        pam
ChRootGroups                .*

5. Edit /etc/rc.conf

Enable the sshd2 server.

# vi /etc/rc.conf

Add the line:

sshd2_enable=”YES”

6. Start the sshd2-server

# /usr/local/etc/rc.d/sshd2 start

Now your sftp server should be up and running.
You should be able to connect to this machine with

# sftp <user>@<ipnumber of your fileserver>

You are not yet able to connect, but it should prompt for a user name and a password.

7. Install openldap24-client, pam_ldap and nss_ldap

Now we proceed with getting the LDAP authentication in place. The software will be installed from the ports.

# cd /usr/ports/net/openldap24-client
# make install clean -DBATCH
# cd /usr/ports/security/pam_ldap
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_ldap.so /usr/lib
# cd /usr/ports/net/nss_ldap
# make install clean -DBATCH

8. Create one ldap.conf file

The software requires several vesions of ldap-configuration files. To make life easier we simulate with symbolic links just one big configuration files. This is a lot easier to maintain and debug.

# cd /usr/local/etc
# ln -s /usr/local/etc/openldap/ldap.conf .
# ln -s /usr/local/etc/openldap/ldap.conf nss_ldap.conf

9. Edit the configuration file

# vi /usr/local/etc/ldap.conf

Change the file to create a file as shown:

Make sure you install the CA-certificate of the LDAP-server in the directory /usr/share/openlap (or another directory of choice).

The setting is based on the LDAP-schema as described in my article OpenLDAP server on FreeBSD. If you use another configuration you should adjust the configuration accordingly.

10. Install pam_mkhomedir

We want the automatic home directory creation at first access for our users. We need to install the corresponding software from the ports.

# cd /user/ports/security/pam_mkhomedir
# make install clean -DBATCH
# ln -s /usr/local/lib/pam_mkhomedir.so /usr/lib

The latter step is needed because we do not want the specify the complete path in the pam configuration files.

11. Configure PAM using LDAP for sshd2

# cp -pr /etc/pam.d/sshd etc/pam.d/sshd2
# vi /etc/pam.d/sshd2

Adapt the file so it looks like this (or similar):

12. Configure NSS using LDAP

# vi /etc/nsswitch.conf

Change the line with group: compat and change the line with passwd: compat.
After change the file should look like this (or similar):

13. Test the fileserver

Try the following command on a client:

sftp <user>@<ipnumber of your fileserver>

It should prompt for the applicable password. Now you should be able to login and transfer files. Users are restricted  to their home directories and can only use the sftp protocol and securily transfer files. Users are not allowed to remotely login.

Congratulations!! Your secure fileserver with LDAP authentication is up and running.

Tags: , , , , , , , , , ,

2 Responses to “Secure fileserver with LDAP”

  1. electric water kettle girl Says:

    Interesting article. Were did you get all of the information from? Anyway thank you for this great post!

  2. hard drive Says:

    Great blog. I have myself started blogging and I like to keep up with the technology news and trends and so the basic theme of my blog is technology reviews and trends. Please do visit http://www.techsplosh.com