aehostd -- Custom NSS/PAM demon
Intended Audience: System architects, developers and system administrators
Introduction
While you can integrate your Linux systems with any NSS/PAM service demon it is highly recommended to use aehostd, a custom NSS/PAM service implemented in Python 3.6+.
The following diagram illustrates the integration of aehostd into Linux login:
Specific features
Additionally to what you expect by such a service this custom client is has specific functionality for use with Æ-DIR:
-
Binds to Æ-DIR either with
- simple bind (short-DN form)
- SASL/EXTERNAL bind when using TLS client certs
- Host password initialization without admin credentials.
- Sends LDAP Who Am I? extended operation (see RFC 4352) to find the real DN of their own aeHost entry for determining aeSrvGroup membership.
-
Without specific client configuration it uses search filters for
searching user, group and sudoers entries based on the attributes found
in all relevant
aeSrvGroup
entries searched before:
- aeLoginGroups
- aeVisibleGroups
- aeVisibleSudoers
- When checking user's password it sends Session Tracking extended control along with the simple bind request with the IP address of the client system and the user name (see draft-wahl-ldap-session). This gives more valuable information in Æ-DIR slapd logs for auditing.
- Synchronization of SSH authorized keys to a configurable directory.
- Synchronization of sudoers content to a configurable file.
NSS maps
The following NSS maps are provided:
- passwd
- group
- hosts
Besides normal group map this demon returns some virtual groups to the calling application:
- Virtual groups for the individual gidNumber set in aeUser entries.
-
Virtual role groups based on
rights groups attributes
Attribute Group name GID aeVisibleGroups ae-vgrp-role-all 9000 aeLoginGroups ae-vgrp-role-log 9001 aeLogStoreGroups ae-vgrp-role-login 9002 aeSetupGroups ae-vgrp-role-setup 9003
Example use-cases for virtual role groups:
-
Allow all setup admins mapped
to virtual role POSIX group ae-vgrp-role-setup to use
command
su
with own password (see pam_wheel(8)). - Allow all users with log view right mapped to virtual role POSIX group ae-vgrp-role-log to read log files by simply setting normal group ownership and group permissions (no need to sync POSIX ACLs).
Initialization of host password
aehostd has a special feature which is very helpful for automated enrollment of hosts. It does not require administrative access to the machine before correct initialization and also does not require other agents besides aehostd to be installed on the host. Mainly it is based on a PAM authentication with host password.
Prerequisites:
Host gets installed with correctly configured short bind-DN based on the canonical hostname (FQDN) (usually in file /etc/aehostd.conf) but without a host password (usually in file /var/lib/aehostd/aehostd.pw).
Process steps:
-
A responsible
setup admin adds a new
aeHost entry for the canonical
hostname (FQDN) and sets a new random password for this entry
or just sets a new random password for an existing aeHost entry. - Setup admin connects via SSH to the host authenticating as special service account aehost-init with the new host password set before.
- pam_aedir receives the PAM authentication request from sshd.
- aehostd receives the PAM authentication request for the system user account aehost-init.
- The host password is validated by sending a simple bind request on behalf of the locally configured host bind DN.
- In case the host password is correct it is written to the aehostd password file (located by configuration option bindpwfile) in case the password stored therein is different.
Installation
NSS/PAM modules
The NSS and PAM front-end modules of Arthur de Jong's nss-pam-ldapd (aka nslcd) are used for querying the aehostd service via its Unix domain socket.
Pre-built binary packages
For some platforms there are ready-to-use binary packages available:
- Æ-DIR APT repositories for Debian and Ubuntu
- openSUSE build service: Package aehostd-modules for openSUSE and SLE
Compile from source
You can compile these modules with different compile-time parameters to prevent naming and package collisions with other standard OS packages. In the following example the modules are compiled with module name aedir and for using Unix domain socket /var/run/aehostd/aehostd.sock:
./configure \ --with-module-name=aedir \ --disable-nslcd --disable-pynslcd --disable-kerberos \ --libdir=/lib64 \ --with-pam-seclib-dir=/lib/security \ --disable-utils \ --with-nss-maps=passwd,group,hosts \ --with-nslcd-socket=/var/run/aehostd/aehostd.sock make make install
In /etc/nsswitch.conf you add the following lines:
passwd: files aedir group: files aedir
OS-specific source packages:
-
Containerized builds of Debian packages:
debian-aehostd-modules -
For building RedHat, CentOS, Fedora packages you can use file
redhat/SPECS/aehostd-modules.spec
ansible
Automated installation/configuration can be done with ansible role aehostd.
Command-line arguments
Some parameters can be set via command-line arguments:
- -h, --help
- Shows help message and exits.
- -f CFG_FILENAME, --config CFG_FILENAME
- Pathname of configuration file (default: /etc/aehostd.conf)
- -p PIDFILE, --pid PIDFILE
- Pathname of file for storing process-ID (PID) (default: /var/run/aehostd/aehostd.pid)
- -l LOG_LEVEL, --log-level LOG_LEVEL
- Level of log details (Integer), see Python's standard logging module. This argument overrides configuration option loglevel.
- -n, --no-fork
- Not used anymore since 1.2.0. Running in foreground is now the default because systemd is used almost everywhere.
- -c, --check
- Check whether demon is running. (default: False)
Configuration file
The following options can be set in the ini-style configuration file /etc/aehostd.conf (for syntax see Python docs -- Supported INI File Structure ).
Process
The following options specify general process parameters:
- uid
- Not used anymore since 1.2.0.
- gid
- Not used anymore since 1.2.0.
Logging & monitoring
The following options specify general process parameters:
- loglevel
-
Level of log details (Integer), see
Python's standard logging module -- Logging Levels
Default: 20 (INFO) - logsocket
-
Path name of syslog socket:
Setting this to a string enforces using syslog, empty string results
in default syslog socket /dev/log being used.
Default: None (sends log messages to stderr) - monitor
-
Interval (seconds) at which internal monitoring data is written to log.
Setting this to zero or negative value disables monitor logging completely.
Default: -1.0 (disabled)
Service socket
The following options specify handling of the Unix domain socket on which aehostd listens for NSS and PAM requests:
- socketpath
-
Path name of service socket where aehostd listens for incoming PAM and NSS requests.
This must match what PAM and NSS frontend modules expect.
Default: /var/run/aehostd/socket - sockettimeout
-
Timeout (seconds) of service socket
Default: 10.0 seconds - socketperms
-
Permissions (octal digits) set for service socket
Default: 0666 (world-readable and -writeable)
LDAP connection
Various LDAP connection parameters can be set and tuned.
At least one of uri_list or uri_pool must be specified, or both can be specified.
- uri_list
-
List of LDAP servers (LDAP URIs) to try first in exactly this order
no matter what is configured in uri_pool.
Default: empty list - uri_pool
-
List of LDAP servers (LDAP URIs) to try after all LDAP URIs defined with uri_list failed.
This list gets rotated based on hosts's canonical FQDN for client-side load-balancing.
Default: empty list - binddn
-
The bind-DN to use when binding as service to AE-DIR with simple bind.
Preferably the short bind-DN of the aeHost entry should be used.
Example:
binddn = host=server1.example.com,ou=ae-dir
- bindpwfile
-
The password file to use for simple bind as identity given in binddn.
Default: /var/lib/aehostd/aehostd.pw - timelimit
-
Timeout (seconds) used for all LDAP connections/operations
Default: 6.0 - cache_ttl
-
LDAPObject cache TTL used for short-time LDAP search cache.
Default: 6.0 - tls_cacertfile
-
Pathname of file containing trusted root CA certificate(s).
Default: None, which means use system-wide trust store. - tls_cert
- Pathname of file containing client certificate used for SASL/EXTERNAL bind
- tls_key
- Pathname of file containing client private key used for SASL/EXTERNAL bind
- conn_ttl
-
Time span (seconds) after which aehostd forcibly reconnects.
This is used to make sure that aehostd chooses a replica again
to make sure load keeps fairly balanced over all available replicas.
Default: 1800 (30 min.)
NSS maps
Parameters related to NSS maps:
- nss_ignore_users
-
Names of passwd entries to ignore
Default: All user names found in local file /etc/passwd - nss_ignore_uids
-
IDs of passwd entries to ignore
Default: All UIDs found in local file /etc/passwd - nss_ignore_groups
-
Names of group entries to ignore
Default: All user names found in local file /etc/group - nss_ignore_gids
-
IDs of group entries to ignore
Default: All UIDs found in local file /etc/group - refresh_sleep
-
Refresh time (seconds) for NSS passwd and group maps
Default: 60.0 (1 min) - nss_min_uid
-
Minimum numeric UID to handle in passwd requests
Default: 0 - nss_min_gid
-
Minimum numeric GID to handle in group requests
Default: 0 - nss_max_uid
-
Maximum numeric UID to handle in passwd requests
Default: 65500 - nss_max_gid
-
Maximum numeric GID to handle in group requests
Default: 65500 - netaddr_refresh
-
Refresh time (seconds) for hosts maps. Negative values disables hosts refresh.
Default: -1.0 (disabled) - netaddr_level
-
Levels (int) to go up for deriving the hosts map search base.
Default: 2 - memberattr
-
Which member attribute in aeGroup entries to use
Default: memberUid - vgroup_name_prefix
-
Name prefix used for virtual groups
Default: ae-vgrp- - vgroup_rgid_offset
-
Number offset (int) to be used for virtual groups
Default: 9000 - sshkeys_dir
-
Directory name where to store exported SSH authorized keys
Default: None (disabled) - aehost_vaccount
-
passwd string of virtual user account used to authenticate as own aeHost object
Default: aehost-init:x:9042:9042:AE-DIR virtual host init account:/tmp:/usr/sbin/nologin - gecos_tmpl
-
Template string for deriving GECOS field from e.g. user name
Default: AE-DIR user {username} - homedir_tmpl
-
Template string to use to derive homeDirectory from username and/or POSIX-IDs
instead of querying it via LDAP.
Field names which can be used in template string:
- username
- uid (for numeric POSIX-UID)
- gid (for numeric POSIX-GID)
Examples:
homedir_tmpl = /home/{user}
homedir_tmpl = /run/user/{uid}
- loginshell_default
-
Login shell used if LDAP attribute loginShell is not available.
Default: /usr/sbin/nologin - loginshell_override
- Login shell always used not matter what's in LDAP attribute loginShell.
sudo
Parameters related to synchronisation of security policy file SUDOERS(5) converted from aeSudoRule entries:
- sudoers_file
-
Pathname of sudoers export file to be picked up by privileged helper.
Setting this to an empty string disables the sudoers export.
Default: /var/lib/aehostd/ae-dir-sudoers-export - sudoers_includedir
-
Directory name where privileged helper stores sudoers export file
Default: /etc/sudoers.d - visudo_exec
-
Pathname of visudo
executable used to check sudoers syntax.
Default: /usr/sbin/visudo -
Pathname of cvtsudoers
executable used to convert LDAP entries (LDIF) to sudoers syntax.
Default: /usr/bin/cvtsudoers
PAM
Parameters used by the PAM handler:
- pam_authc_cache_ttl
-
Cache TTL (seconds) of PAM authc results
Default: -1 (disabled) - pam_authz_search
-
LDAP filter template used for checking authorization of a user
Default: None (disabled) - pam_passmod_deny_msg
-
Error message sent to user about password change disabled/denied
Default: None (no details)