Foxpass caching on Linux with nsscache
Instructions on how to set up nsscache to locally cache all user data and SSH keys, so logins keep working when the LDAP server is unreachable. It does not bring over passwords, so make sure you set up password-less sudo for the users who need it.
1. Set up an LDAP binder user for nsscache.
Go to this page and click "Add LDAP Binder". Enter the username nsscache and make a note of the generated password; you will need it for nsscache.conf in step 6.
2. Update apt-get
sudo apt-get update
3. Install libnss-cache
Along with a few other packages we'll need (wget and unzip for the download in step 5):
sudo apt-get install -y libnss-cache wget unzip
4. Remove outdated nsscache
libnss-cache pulls in the packaged nsscache, but that version is too old to be useful, so remove it (remove, not purge, so its config file stays in place):
sudo apt-get remove -y nsscache
5. Download and install updated nsscache
Grab the latest source from GitHub, unzip it, install it, and copy the example AuthorizedKeysCommand script into place:
wget https://github.com/google/nsscache/archive/master.zip
unzip master.zip
cd nsscache-master
sudo python setup.py install
sudo cp examples/authorized-keys-command.py /usr/sbin
6. Configure nsscache
The config file holds the LDAP bind password, so it must be readable by root only. Restrict it before you type the password in (if /etc/nsscache.conf does not exist yet, create it empty first so the chmod has something to act on):
sudo chmod 0600 /etc/nsscache.conf
sudo vi /etc/nsscache.conf
Set the contents of nsscache.conf to the below. Replace dc=EXAMPLE,dc=COM with your own base DN and PASSWORD with the binder password from step 1. Keep ldaps:// and ldap_tls_require_cert = 'demand', otherwise the bind password travels in clear text or to an unverified server.
[DEFAULT]
source = ldap
cache = files
maps = passwd, group, shadow, sshkey
timestamp_dir = /var/lib/nsscache
ldap_uri = ldaps://ldap.foxpass.com
ldap_base = ou=people,dc=EXAMPLE,dc=COM
ldap_filter = (objectclass=posixAccount)
ldap_bind_dn = "cn=nsscache,dc=EXAMPLE,dc=COM"
ldap_bind_password = "PASSWORD"
ldap_tls_require_cert = 'demand'
ldap_tls_cacertfile = '/etc/ssl/certs/ca-certificates.crt'
files_dir = /etc
files_cache_filename_suffix = cache
[group]
ldap_base = ou=groups,dc=EXAMPLE,dc=COM
ldap_filter = (objectclass=posixGroup)
7. Configure nsswitch.conf
Edit these lines of /etc/nsswitch.conf, leaving the rest untouched, so that the cache is consulted before the local files:
passwd: cache compat
group: cache compat
shadow: cache compat
8. Configure sshd
Edit /etc/ssh/sshd_config and add these lines. Both are required: sshd_config(5) states that sshd refuses to start if AuthorizedKeysCommand is set without AuthorizedKeysCommandUser, so do not leave the second line commented out. The user you pick (nobody here, or a dedicated account) needs read access to the script and to /etc/sshkey.cache; sshd passes the username being authenticated as the script's only argument.
AuthorizedKeysCommand /usr/sbin/authorized-keys-command.py
AuthorizedKeysCommandUser nobody
Then restart sshd
sudo service ssh restart
9. Run it manually
Run it manually to make sure everything works; it will complain if something is wrong (a bad bind DN or password, a TLS failure, a base DN that matches nothing). Afterwards /etc/passwd.cache, /etc/group.cache, /etc/shadow.cache and /etc/sshkey.cache should exist, and getent passwd should resolve a Foxpass user.
sudo /usr/local/bin/nsscache update --full
10. Set up cron
sudo vi /etc/cron.d/nsscache
Set contents to:
SHELL=/bin/sh
MAILTO=root
# incremental update every 15 minutes, with a random delay of up to 15 minutes
# so a fleet of hosts does not hit the LDAP server at the same moment
*/15 * * * * root /usr/local/bin/nsscache update --sleep `perl -e 'print int(rand(900))'`
# full update once a day, spread over a two-hour window for the same reason
0 8 * * * root /usr/local/bin/nsscache update --full --sleep `perl -e 'print int(rand(7200))'`
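The checks below are an added example for this page; they are not part of nsscache, Foxpass, or the original instructions. The script verifies the points in the steps above that are easy to get wrong: the mode and TLS settings of the file holding the bind password, the nsswitch ordering, the AuthorizedKeysCommand/AuthorizedKeysCommandUser pair in sshd_config, and the presence of the cache files after a full update. The file name nsscache-check.sh, the function names and the OK/FAIL messages are my own; each function takes the path to inspect as an argument so it can be run against test copies as well as the live system.

```shell
#!/bin/sh
# nsscache-check.sh: post-install sanity checks for the setup above.
# Added example for this page; not part of nsscache or Foxpass.
# Every check takes the file (or directory) to inspect as an argument,
# so it can be pointed at the live system or at test copies.

# nsscache.conf holds the LDAP bind password: it must be readable only by
# root, talk ldaps:// and demand a valid server certificate.
check_nsscache_conf() {
    conf="$1"
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf is mode $mode, expected 0600"; return 1 ;;
    esac
    grep -Eq '^ldap_uri[[:space:]]*=[[:space:]]*ldaps://' "$conf" ||
        { echo "FAIL: ldap_uri in $conf is not ldaps://"; return 1; }
    grep -Eq "^ldap_tls_require_cert[[:space:]]*=[[:space:]]*'?demand'?" "$conf" ||
        { echo "FAIL: ldap_tls_require_cert in $conf is not demand"; return 1; }
    echo "OK: $conf"
}

# passwd, group and shadow must consult the cache before the local files.
check_nsswitch() {
    nss="$1"
    for db in passwd group shadow; do
        grep -Eq "^$db:[[:space:]]+cache([[:space:]]|\$)" "$nss" ||
            { echo "FAIL: '$db:' in $nss does not start with cache"; return 1; }
    done
    echo "OK: $nss"
}

# sshd honours AuthorizedKeysCommand only together with
# AuthorizedKeysCommandUser (it refuses to start otherwise), and the
# command must be executable. A commented-out line is ignored because its
# first field is '#AuthorizedKeysCommandUser', not the keyword.
check_sshd_config() {
    cfg="$1"
    cmd=$(awk '$1 == "AuthorizedKeysCommand" { print $2; exit }' "$cfg")
    user=$(awk '$1 == "AuthorizedKeysCommandUser" { print $2; exit }' "$cfg")
    [ -n "$cmd" ]  || { echo "FAIL: AuthorizedKeysCommand not set in $cfg"; return 1; }
    [ -n "$user" ] || { echo "FAIL: AuthorizedKeysCommandUser not set in $cfg"; return 1; }
    [ -x "$cmd" ]  || { echo "FAIL: $cmd is missing or not executable"; return 1; }
    echo "OK: $cfg ($cmd runs as $user)"
}

# After 'nsscache update --full' every map listed in the config above
# should have a non-empty <map>.cache file under files_dir.
check_cache_files() {
    dir="$1"
    for map in passwd group shadow sshkey; do
        [ -s "$dir/$map.cache" ] ||
            { echo "FAIL: $dir/$map.cache is missing or empty"; return 1; }
    done
    echo "OK: cache files present in $dir"
}

# Run every check against the live paths used in this guide.
run_all() {
    rc=0
    check_nsscache_conf /etc/nsscache.conf || rc=1
    check_nsswitch /etc/nsswitch.conf      || rc=1
    check_sshd_config /etc/ssh/sshd_config || rc=1
    check_cache_files /etc                 || rc=1
    return $rc
}
```

To check a freshly configured host, source the file and call run_all as root (the config file is 0600, so an unprivileged user cannot inspect it): `sudo sh -c '. ./nsscache-check.sh; run_all'`. A non-zero exit means at least one FAIL line was printed.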