Foxpass caching on Linux with nsscache

Instructions on how to set up nsscache to locally cache all user data and ssh keys. Does not bring over passwords, so make sure you set up password-less sudo.

1. Set up a LDAP binder user for nsscache.

Go to this page and click "Add LDAP Binder". Enter username nsscache, and make a note of the generated password.

2. Update apt-get

sudo apt-get update

3. Install libnss-cache

And a few other things we'll need

sudo apt-get install -y libnss-cache wget unzip

4. Remove outdated nsscache

libnss-cache will bring nsscache with it, but it's too old to be useful. Let's remove it.

sudo apt-get remove -y nsscache

5. Download and install updated nsscache

Let's grab the latest from github, unzip it, and install it

cd nsscache-master
sudo python install
sudo cp examples/ /usr/sbin

6. Configure nsscache

sudo chmod 0600 /etc/nsscache.conf
sudo vi /etc/nsscache.conf

Set contents of nsscache.conf to the below. Make sure you replace dc=EXAMPLE,dc=COM with your own base DN.

source = ldap
cache = files
maps = passwd, group, shadow, sshkey
timestamp_dir = /var/lib/nsscache
ldap_uri = ldaps://
ldap_base = ou=people,dc=EXAMPLE,dc=COM
ldap_filter = (objectclass=posixAccount)
ldap_bind_dn = "cn=nsscache,dc=EXAMPLE,dc=COM"
ldap_bind_password = "PASSWORD"
ldap_tls_require_cert = 'demand'
ldap_tls_cacertfile = '/etc/ssl/certs/ca-certificates.crt'

files_dir = /etc
files_cache_filename_suffix = cache


ldap_base = ou=groups,dc=EXAMPLE,dc=COM
ldap_filter = (objectclass=posixGroup)

7. Configure nsswitch.conf

Edit these lines of /etc/nsswitch.conf (leave the rest untouched)

passwd:         cache compat
group:          cache compat
shadow:         cache compat

8. Configure sshd

Edit /etc/ssh/sshd_config and add these lines

AuthorizedKeysCommand /usr/sbin/
#AuthorizedKeysCommandUser nobody

Then restart sshd

sudo service ssh restart

9. Run it manually

Run it manually to make sure everything works. It'll complain if something is wrong.

sudo /usr/local/bin/nsscache update --full

10. Set up cron

sudo vi /etc/cron.d/nsscache

Set contents to:


# update the cache 15 minutely
*/15 * * * * root /usr/local/bin/nsscache update --sleep `perl -e 'print int(rand(900))'`

# perform a full update once a day.
0 8 * * * root /usr/local/bin/nsscache update --full --sleep `perl -e 'print int(rand(7200))'`