The environment I am targeting is a bit different from most. It needs a set of client laptops that have no Kerberos configuration on them at all; Kerberos only comes into play when a user connects via ssh to one of the FreeBSD machines. In short, I need central authentication with password changes enforced every 90 days. Configuring a machine to authenticate against Kerberos for ssh using pam_krb5 is easy. The hard part is making password changes work properly once a password has expired. This document outlines how the configuration works.
This assumes an MIT KDC with -pwexpire set on the principal. The client will need the following:
After installing them, disable the base system sshd and enable sshd from ports in /etc/rc.conf:

    sshd_enable="NO"
    openssh_enable="YES"
Configure /usr/local/etc/ssh/sshd_config with the following two options:

    UsePAM yes
    ChallengeResponseAuthentication yes
Securely copy the keytab for the new machine from the KDC and place it in /etc/krb5.keytab.
Configure the realm in /etc/krb5.conf; in this case my test environment is LAB.COM:

    [libdefaults]
        default_realm = LAB.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        default_ccache_name = FILE:/home/%{username}/.krb5cc

    [realms]
        LAB.COM = {
            kdc = kdc01.lab.com
            admin_server = kdc01.lab.com
        }
Configure the /etc/pam.d/sshd file for Kerberos auth:

    #
    # $FreeBSD: release/10.0.0/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth        sufficient  pam_opie.so                             no_warn no_fake_prompts
    auth        requisite   pam_opieaccess.so                       no_warn allow_local
    #auth       sufficient  pam_krb5.so                             no_warn try_first_pass
    #auth       sufficient  pam_ssh.so                              no_warn try_first_pass
    auth        sufficient  /usr/local/lib/security/pam_krb5.so     minimum_uid=1000 debug
    auth        required    pam_unix.so                             no_warn try_first_pass

    # account
    account     required    pam_nologin.so
    #account    required    pam_krb5.so
    account     required    pam_login_access.so
    account     required    /usr/local/lib/security/pam_krb5.so     minimum_uid=1000 debug
    account     required    pam_unix.so

    # session
    #session    optional    pam_ssh.so                              want_agent
    session     required    pam_permit.so
    session     optional    /usr/local/lib/security/pam_krb5.so     minimum_uid=1000 debug

    # password
    #password   sufficient  pam_krb5.so                             no_warn try_first_pass
    password    sufficient  /usr/local/lib/security/pam_krb5.so     minimum_uid=1000 debug
    #password   required    pam_unix.so                             no_warn try_first_pass
Once this is all complete, everything should work, including password changes over ssh:

    > ssh foo01
    Password:
    Password expired.  You must change it now.
    Enter new password:
    Enter it again:
    Warning: Your password will expire in 24 hours on Wed Jun  4 16:11:03 2014
    Last login: Mon Jun  2 16:03:09 2014 from 192.168.127.1
    FreeBSD 10.0-RELEASE-p3 (GENERIC) #0: Tue May 13 18:31:10 UTC 2014

    Welcome to FreeBSD!
    brd@foo01:~ %
Success!
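The three things that most often break this setup are a missed sshd_config option, the ports pam_krb5 module missing from one of the PAM stacks, and a keytab that is readable by more than root. The following POSIX sh checks are an added example (not from the original post) that verify each of those against a file path you pass in; the function names and the requirement that the ports module path appear in the auth, account and password stacks are my assumptions based on the configuration above.

```shell
#!/bin/sh
# Configuration sanity checks for Kerberos ssh logins on FreeBSD.
# Each function takes a file path so it can be run against a staging copy.

# Print the value of the first active (uncommented) occurrence of a keyword.
# sshd only honours the first occurrence, so a stray "UsePAM no" higher up wins.
first_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Both options are needed or the expired-password conversation from
# pam_krb5 never reaches the user; they are case-insensitive in sshd_config.
check_sshd_config() {
    f="$1"
    [ "$(first_value "$f" UsePAM | tr '[:upper:]' '[:lower:]')" = "yes" ] || return 1
    [ "$(first_value "$f" ChallengeResponseAuthentication | tr '[:upper:]' '[:lower:]')" = "yes" ] || return 1
    return 0
}

# The ports module (assumed path, as in the pam.d/sshd above) must be active in
# the auth, account and password stacks.  Without the password line, sshd has
# no way to change the Kerberos password when account returns "expired".
check_pam_sshd() {
    f="$1"
    for facility in auth account password; do
        grep -Eq "^[[:space:]]*${facility}[[:space:]].*/usr/local/lib/security/pam_krb5\.so" "$f" || return 1
    done
    return 0
}

# The keytab holds the host's long-term key; it must be mode 0600.
# Handles both GNU stat (-c) and BSD stat (-f).
check_keytab_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# Usage on a live host (as root):
#   check_sshd_config /usr/local/etc/ssh/sshd_config && \
#   check_pam_sshd /etc/pam.d/sshd && \
#   check_keytab_perms /etc/krb5.keytab && echo "config looks sane"
```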