blob: 0a9e882c8f245a6698abc6591c25636ab8a3bb76 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
#!/bin/sh
if [ "${idm_bootstrap:-}" = true ] || [ "${enable_idm:-}" = false ]; then
return 0
fi
# Create state dataset to persist keytabs across OS rebuilds.
create_dataset -o "mountpoint=${keytab_dir}" "${state_dataset}/keytabs"
# Install packages.
pkg install -y \
cyrus-sasl-gssapi \
nss-pam-ldapd-sasl \
openldap26-client \
pam_krb5 \
perl5 \
p5-perl-ldap \
p5-Authen-SASL
# Configure PAM/NSS integration.
install_file -m 0644 \
/etc/nsswitch.conf \
/etc/pam.d/sshd \
/etc/pam.d/sudo
install_template -m 0644 \
/etc/krb5.conf \
/etc/nscd.conf \
/usr/local/etc/openldap/ldap.conf \
/usr/local/etc/nslcd.conf
# Create ldap.conf symlink.
ln -snfv /usr/local/etc/openldap/ldap.conf /usr/local/etc/ldap.conf
# Create host object (if it doesn't exist).
ldap_add "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
objectClass: device
objectClass: domainRelatedObject
objectClass: ldapPublicKey
cn: ${BOXCONF_HOSTNAME}
associatedDomain: ${fqdn}
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF
# Create A record.
ldap_add "dc=${BOXCONF_HOSTNAME},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${BOXCONF_HOSTNAME}
aRecord: ${BOXCONF_DEFAULT_IPV4}
associatedDomain: ${fqdn}
EOF
# Create PTR record.
rdns=$(ip2rdns "$BOXCONF_DEFAULT_IPV4")
ldap_add "dc=${rdns%%.*},dc=${rdns#*.},${dns_basedn}" <<EOF
objectClass: dNSDomain2
objectClass: domainRelatedObject
dc: ${rdns%%.*}
pTRRecord: ${fqdn}
associatedDomain: ${rdns}
EOF
# Create CNAME records.
for cname in ${cnames:-}; do
ldap_add "dc=${cname},dc=${domain},${dns_basedn}" <<EOF
objectClass: dNSDomain
objectClass: domainRelatedObject
dc: ${cname}
cNAMERecord: ${fqdn}
associatedDomain: ${cname}.${domain}
EOF
done
# Update attributes that may have changed.
ldap_modify "cn=${BOXCONF_HOSTNAME},${hosts_basedn}" <<EOF
replace: sshPublicKey
$(cat /usr/local/etc/ssh/ssh_host_*_key.pub | cut -d' ' -f-2 | sed 's/^/sshPublicKey: /')
-
replace: description
description: $(uname -mrs) ${BOXCONF_HOSTCLASS}
EOF
# Create host principal and keytab.
add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
ktadd -k "${keytab_dir}/host.keytab" "host/${fqdn}"
ln -snfv "${keytab_dir}/host.keytab" /etc/krb5.keytab
# Create local group for host keytab access.
add_group -g "$host_keytab_gid" "$host_keytab_groupname"
chgrp "$host_keytab_groupname" "${keytab_dir}/host.keytab"
chmod 640 "${keytab_dir}/host.keytab"
pw usermod -n "$nslcd_user" -G "$host_keytab_groupname"
# Create symlinks so host keytab can be used to aquire a TGT on-the-fly.
nslcd_uid=$(id -u "$nslcd_user")
install_directory -m 0755 \
/var/krb5 \
/var/krb5/user
install_directory -o "$nslcd_user" -m 0700 "/var/krb5/user/${nslcd_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${nslcd_uid}/client.keytab"
install_directory -o "$ssh_authzkeys_uid" -m 0700 "/var/krb5/user/${ssh_authzkeys_uid}"
ln -snfv "${keytab_dir}/host.keytab" "/var/krb5/user/${ssh_authzkeys_uid}/client.keytab"
install_directory -o root -m 0700 /var/krb5/user/0
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/keytab
ln -snfv "${keytab_dir}/host.keytab" /var/krb5/user/0/client.keytab
# Copy IDM helper scripts for SSH.
install_file -m 0555 \
/usr/local/libexec/idm-ssh-known-hosts \
/usr/local/libexec/idm-ssh-authorized-keys
# Create user for running SSH AuthorizedKeysCommand.
add_user \
-u "$ssh_authzkeys_uid" \
-g "$host_keytab_groupname" \
-d /nonexistent \
"$ssh_authzkeys_username"
# Enable and start nslcd/nscd.
sysrc -v \
nslcd_enable=YES \
nscd_enable=YES
service nslcd restart
service nscd restart
|