authorCullum Smith <cullum@sacredheartsc.com>2024-09-24 22:35:45 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-09-24 22:35:45 -0400
commit6e00c9e8137aae1fb8dd568a62d9fb5fc4a277cb (patch)
tree9279f7a330affbb5da6a1f147739b8dfd92d4a19 /files/etc
parentd9c18b3fcb9b036b6cdf69397828b59ab4c53091 (diff)
finish up idm_server hostclass
Diffstat (limited to 'files/etc')
-rw-r--r--files/etc/krb5.conf.idm_server27
-rw-r--r--files/etc/nscd.conf.freebsd27
-rw-r--r--files/etc/nsswitch.conf.freebsd10
-rw-r--r--files/etc/pam.d/sshd.freebsd17
-rw-r--r--files/etc/resolv.conf.common1
-rw-r--r--files/etc/resolv.conf.idm_server2
-rw-r--r--files/etc/ssh/ssh_config.freebsd9
l---------files/etc/ssh/ssh_config.freebsd_hypervisor1
-rw-r--r--files/etc/ssh/ssh_config.no_idm1
l---------files/etc/ssh/ssh_config.roadwarrior_laptop1
-rw-r--r--files/etc/ssh/sshd_config.freebsd16
l---------files/etc/ssh/sshd_config.freebsd_hypervisor1
-rw-r--r--files/etc/ssh/sshd_config.no_idm10
13 files changed, 83 insertions, 40 deletions
diff --git a/files/etc/krb5.conf.idm_server b/files/etc/krb5.conf.idm_server
new file mode 100644
index 0000000..422d0e4
--- /dev/null
+++ b/files/etc/krb5.conf.idm_server
@@ -0,0 +1,27 @@
+[libdefaults]
+ default_realm = ${realm}
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ allow_weak_crypto = false
+ permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+ verify_ap_req_nofail = true
+
+[appdefaults]
+ pam = {
+ minimum_uid = 1000
+ ccache = FILE:/tmp/krb5cc_%u_XXXXXX
+ forwardable = true
+ ticket_lifetime = ${krb5_ticket_lifetime}
+ renew_lifetime = ${krb5_renew_lifetime}
+ }
+
+[realms]
+ ${realm} = {
+ kdc = ${fqdn}
+ admin_server = ${fqdn}
+ default_domain = ${domain}
+ }
+
+[domain_realm]
+ .${domain} = ${realm}
+ ${domain} = ${realm}
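Review bot: `forwardable = true` in the `pam` block makes every TGT obtained at login forwardable, which only matters where users go on to delegate credentials to other hosts; a comment naming that use case, or setting it only on the hostclasses that delegate, keeps the decision visible. The file also has no header saying which Kerberos library and which PAM module read it — the `[appdefaults] pam` block with the `%u`/`XXXXXX` ccache template is a pam_krb5-specific section, and whether `permitted_enctypes` is honoured depends on whether the Heimdal in FreeBSD base or an MIT build is in use — so a line such as `# read by libkrb5 and /usr/local/lib/security/pam_krb5.so; ${...} are filled by the templating step` would help the next reader. If the library turns out to be MIT, `rdns = false` in `[libdefaults]` is worth considering so service principal names are not derived from reverse DNS; Heimdal has no such option, which is another reason to state the library in the header.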
diff --git a/files/etc/nscd.conf.freebsd b/files/etc/nscd.conf.freebsd
new file mode 100644
index 0000000..9105cb5
--- /dev/null
+++ b/files/etc/nscd.conf.freebsd
@@ -0,0 +1,27 @@
+enable-cache passwd yes
+positive-time-to-live passwd ${nscd_ttl}
+negative-time-to-live passwd ${nscd_negative_ttl}
+
+enable-cache group yes
+positive-time-to-live group ${nscd_ttl}
+negative-time-to-live group ${nscd_negative_ttl}
+
+enable-cache hosts yes
+positive-time-to-live hosts ${nscd_ttl}
+negative-time-to-live hosts ${nscd_negative_ttl}
+
+enable-cache services yes
+positive-time-to-live services ${nscd_ttl}
+negative-time-to-live services ${nscd_negative_ttl}
+
+enable-cache protocols yes
+positive-time-to-live protocols ${nscd_ttl}
+negative-time-to-live protocols ${nscd_negative_ttl}
+
+enable-cache rpc yes
+positive-time-to-live rpc ${nscd_ttl}
+negative-time-to-live rpc ${nscd_negative_ttl}
+
+enable-cache networks yes
+positive-time-to-live networks ${nscd_ttl}
+negative-time-to-live networks ${nscd_negative_ttl}
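Review bot: The caches enabled for services, protocols, rpc and networks in the last four stanzas are never consulted, because nsswitch.conf.freebsd in this same commit lists only `files` for those databases (only the group, hosts and passwd lines name the `cache` source), so either drop those stanzas or add `cache` to the matching nsswitch lines so the two files agree. The TTL values are seconds per nscd.conf(5), but nothing in the file says so, and the negative TTL presumably hides newly created LDAP accounts and DNS records from local lookups until it expires; a header such as `# TTLs are in seconds; negative entries delay visibility of new LDAP users and DNS records` would make `${nscd_ttl}` and `${nscd_negative_ttl}` safer to tune. Given that resolv.conf.idm_server in this commit points the host at its own resolver on 127.0.0.1, the hosts cache may be double caching on that hostclass — worth a comment if it is intentional.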
diff --git a/files/etc/nsswitch.conf.freebsd b/files/etc/nsswitch.conf.freebsd
new file mode 100644
index 0000000..19c9f22
--- /dev/null
+++ b/files/etc/nsswitch.conf.freebsd
@@ -0,0 +1,10 @@
+group: files cache ldap
+hosts: files cache dns
+netgroup: files
+networks: files
+passwd: files cache ldap
+shells: files
+services: files
+protocols: files
+rpc: files
+sudoers: files ldap
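Review bot: `sudoers: files ldap` on the last line makes privilege-escalation policy depend on the directory, but no sudo LDAP client configuration (server URI, TLS verification, bind identity) appears anywhere in this commit, so the diff does not show whether that lookup is authenticated and encrypted; a comment naming where that configuration lives would let a reviewer check it. Ordering matters on every line here: `cache` is nscd(8) and only takes effect when it precedes `ldap`/`dns`, so a one-line header like `# cache = nscd(8); it must stay before ldap/dns` would stop a later edit from silently disabling the cache.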
diff --git a/files/etc/pam.d/sshd.freebsd b/files/etc/pam.d/sshd.freebsd
new file mode 100644
index 0000000..57b281b
--- /dev/null
+++ b/files/etc/pam.d/sshd.freebsd
@@ -0,0 +1,17 @@
+# auth
+auth sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+auth required pam_unix.so no_warn try_first_pass
+
+# account
+account required pam_nologin.so
+account required /usr/local/lib/security/pam_krb5.so
+account required pam_login_access.so
+account required pam_unix.so
+
+# session
+session required /usr/local/lib/security/pam_krb5.so
+session required pam_permit.so
+
+# password
+password sufficient /usr/local/lib/security/pam_krb5.so try_first_pass
+password required pam_unix.so no_warn try_first_pass
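Review bot: `account required /usr/local/lib/security/pam_krb5.so` will decide the outcome for logins that never ran the auth stack — sshd public-key and GSSAPI logins skip `auth` entirely — so the module must return PAM_IGNORE or success when the handle holds no Kerberos credentials, otherwise key-based logins fail at the account stage; I believe the pam_krb5 under /usr/local behaves that way, but it should be confirmed and stated in a comment on that line. The `password` stack falls through to `required pam_unix.so` when the Kerberos change fails, which may try to change a local password for a directory user with no local entry; if that fallback is intended, a comment saying so would make it explicit. A header noting that the file targets the pam_krb5 installed under `/usr/local/lib/security` rather than the base pam_krb5 would also help, since the two modules accept different options.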
diff --git a/files/etc/resolv.conf.common b/files/etc/resolv.conf.common
index 24c2044..475ea9d 100644
--- a/files/etc/resolv.conf.common
+++ b/files/etc/resolv.conf.common
@@ -1,3 +1,2 @@
$(printf 'nameserver %s\n' $resolvers)
domain ${domain}
-options timeout:1
diff --git a/files/etc/resolv.conf.idm_server b/files/etc/resolv.conf.idm_server
new file mode 100644
index 0000000..9a87112
--- /dev/null
+++ b/files/etc/resolv.conf.idm_server
@@ -0,0 +1,2 @@
+nameserver 127.0.0.1
+domain ${domain}
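Review bot: The file names a single resolver, 127.0.0.1, with no fallback, so whenever the local DNS service is down or restarting this host cannot resolve anything — including `${fqdn}`, which krb5.conf.idm_server in this commit uses for `kdc` and `admin_server` (an /etc/hosts entry for the host's own name would still cover that, since nsswitch.conf.freebsd puts `files` first for hosts). If the sole dependency on the local resolver is deliberate, a comment such as `# this host is the resolver; no upstream fallback by design` would stop someone from adding the `${resolvers}` list out of habit; if it is not, appending those nameservers after 127.0.0.1 provides the fallback.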
diff --git a/files/etc/ssh/ssh_config.freebsd b/files/etc/ssh/ssh_config.freebsd
deleted file mode 100644
index 9be624a..0000000
--- a/files/etc/ssh/ssh_config.freebsd
+++ /dev/null
@@ -1,9 +0,0 @@
-CanonicalizeHostname always
-CanonicalizeMaxDots 0
-CanonicalDomains ${domain}
-CanonicalizePermittedCNAMEs *.${domain}:*.${domain}
-KnownHostsCommand /usr/local/libexec/idm-ssh-known-hosts %H
-
-Host *.${domain}
- GSSAPIAuthentication yes
- GSSAPIDelegateCredentials yes
diff --git a/files/etc/ssh/ssh_config.freebsd_hypervisor b/files/etc/ssh/ssh_config.freebsd_hypervisor
deleted file mode 120000
index 338cdba..0000000
--- a/files/etc/ssh/ssh_config.freebsd_hypervisor
+++ /dev/null
@@ -1 +0,0 @@
-ssh_config.no_idm \ No newline at end of file
diff --git a/files/etc/ssh/ssh_config.no_idm b/files/etc/ssh/ssh_config.no_idm
deleted file mode 100644
index 97f3ba8..0000000
--- a/files/etc/ssh/ssh_config.no_idm
+++ /dev/null
@@ -1 +0,0 @@
-# Intentionally empty.
diff --git a/files/etc/ssh/ssh_config.roadwarrior_laptop b/files/etc/ssh/ssh_config.roadwarrior_laptop
deleted file mode 120000
index 338cdba..0000000
--- a/files/etc/ssh/ssh_config.roadwarrior_laptop
+++ /dev/null
@@ -1 +0,0 @@
-ssh_config.no_idm \ No newline at end of file
diff --git a/files/etc/ssh/sshd_config.freebsd b/files/etc/ssh/sshd_config.freebsd
deleted file mode 100644
index c933741..0000000
--- a/files/etc/ssh/sshd_config.freebsd
+++ /dev/null
@@ -1,16 +0,0 @@
-Include /etc/ssh/sshd_config.d/*.conf
-
-PermitRootLogin prohibit-password
-AuthorizedKeysFile .ssh/authorized_keys
-AuthorizedKeysCommand /usr/local/libexec/idm-ssh-authorized-keys %u
-AuthorizedKeysCommandUser ${ssh_authzkeys_user}
-
-KbdInteractiveAuthentication no
-PasswordAuthentication yes
-
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials yes
-UsePAM yes
-UseDNS no
-
-Subsystem sftp /usr/libexec/sftp-server
diff --git a/files/etc/ssh/sshd_config.freebsd_hypervisor b/files/etc/ssh/sshd_config.freebsd_hypervisor
deleted file mode 120000
index 355377d..0000000
--- a/files/etc/ssh/sshd_config.freebsd_hypervisor
+++ /dev/null
@@ -1 +0,0 @@
-sshd_config.no_idm \ No newline at end of file
diff --git a/files/etc/ssh/sshd_config.no_idm b/files/etc/ssh/sshd_config.no_idm
deleted file mode 100644
index f38720c..0000000
--- a/files/etc/ssh/sshd_config.no_idm
+++ /dev/null
@@ -1,10 +0,0 @@
-PermitRootLogin prohibit-password
-AuthorizedKeysFile .ssh/authorized_keys
-
-KbdInteractiveAuthentication no
-PasswordAuthentication yes
-
-UsePAM yes
-UseDNS no
-
-Subsystem sftp /usr/libexec/sftp-server