X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=ConfiguringRHEL.mdwn;h=70d8ffd18b54e8e5c478c324dc8e4f229f62fbca;hb=6fd9dca5fe0a720624f6c8d1d4eec34147aef502;hp=5dc1b9a2e89d4614be7a1843858859c904e2775c;hpb=3dbbe8e15cdab8f5f311b19d60a659f89c391b68;p=devwiki.git
diff --git a/ConfiguringRHEL.mdwn b/ConfiguringRHEL.mdwn
index 5dc1b9a..70d8ffd 100644
--- a/ConfiguringRHEL.mdwn
+++ b/ConfiguringRHEL.mdwn
@@ -1,6 +1,6 @@
-First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
-In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
-__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
+First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
+In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
+__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
Again, in a real deployment these are not required, but help with testing
This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
@@ -10,50 +10,17 @@ This guide walks through deploying the client, IdP and SP portions of moonshot -
__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.
The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
- if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
+ if \[[ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ]]
then
export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
fi
-This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
-
-
-### SELinux set to permissive
-Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
-
- echo 0 > /selinux/enforce
-
-### EPEL
-Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).
-The simplest way to install EPEL is:
-
- yum install epel-release
-
-## Moonshot Packages
-The RPM's and SRPM's for moonshot are currently hosted at [http://yum.dev.ja.net] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.
-
-
-
-First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
-In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
-__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
-Again, in a real deployment these are not required, but help with testing
+After, either restart your shell session, or:
-This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
-
-## Environment
-### LD_LIBRARY_PATH
-__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.
-The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
-
- if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
- then
- export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
- fi
+ source /etc/profile.d/moonshot.sh
This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
-
### SELinux set to permissive
Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
@@ -63,6 +30,7 @@ Moonshot has a couple of outstanding issues regarding proper labeling of _SELinu
Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).
The simplest way to install EPEL is:
+ rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum install epel-release
## Moonshot Packages
@@ -81,7 +49,6 @@ To install the diagnostic tools (only needed for testing) and the RADIUSd:
yum install freeradius krb5-moonshot-devel moonshot-gss-eap
-
Once FreeRADIUS is installed, a source of identity needs to be enabled - either the roaming network in the case of an ORPS, or AD/LDAP/etc for an IdP. For now, we'll just use a flat file. Open _/etc/raddb/users_ and locate the following fragment:
@@ -119,12 +86,17 @@ A legacy attribute required for SSH at this time is the user name returned by th
Finally, set the EAP type in use by moonshot (EAP-TTLS) by editing _/etc/raddb/eap.conf_
default_eap_type = md5
+
+becomes:
+
+ default_eap_type = ttls
+
+Other EAP types should be supported (PEAP and MD5 tested).
FreeRADIUS now has a very minimal IdP/ORPS configuration, and can be started with:
service radiusd restart
-
If you encounter any issues, you can run radius in debug mode to see what is going on internally.
service radiusd stop
@@ -154,8 +126,9 @@ Ultimately, the final values depend on the deployment â probably the address,
###gss_eap_id
-Next, a file is created in the home directory at _~/.gss_eap_id_ â this is the file that moonshot looks in for credentials.
-The format is very simple â username followed by a password. For now, set it to:
+Next, a file is created in the home directory at _~/.gss\_eap\_id_ â this is the file that moonshot looks in for credentials.
+The format is very simple â username followed by a password on separate lines. For now, set it to:
+
steve
testing
@@ -168,23 +141,24 @@ In the demo we just use a very simple example â mapping the _Chargeable-User-I
Delete _/etc/shibboleth/attribute-map.xml_ and replace it with:
-
In this case, 89 corresponds to _Chargeable-User-Identity_, which is mapped to _local-login-user_, which sets the local account that the user will be given access to.
-To load the moonshot extensions, under the root node in /etc/shibboleth/shibboleth2.xml, add:
+To load the moonshot extensions, under the root node in _/etc/shibboleth/shibboleth2.xml_, add:
+
-
Further down the same file, find this line:
+
Directly underneath it, add:
+
Note that this file is sensitive to the order of statements.
@@ -204,16 +178,18 @@ This file tells moonshot what encryption options are valid for use with GSS.
##Testing Functionality
-As mentioned earlier, we will be using the Kerberos test tools to make sure that things are working.
-To start the gss-server, run:
+As mentioned earlier, we will be using the Kerberos test tools to make sure that things are working.
+To start the _gss-server_, run:
+
/opt/moonshot/sbin/gss-server host@localhost &
-There are two ways to start gss-client â the first specifies an encryption method to use by its OID 1.3.6.1.4.1.5322.22.1.18 (as seen in /etc/gss/mech):
+There are two ways to start _gss-client_ â the first specifies an encryption method to use by its OID 1.3.6.1.4.1.5322.22.1.18 (as seen in /etc/gss/mech):
+
/opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
+The second uses __Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)__
+This chooses the "best" mutually-agreeable encryption method for between client and server. To invoke the client using __SPNEGO__, use:
-The second uses Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
-This chooses the "best" mutually-agreeable encryption method for between client and server. To invoke the client using SPNEGO, use:
/opt/moonshot/bin/gss-client -spnego 127.0.0.1 host@localhost bar
##Sample Output
@@ -244,10 +220,12 @@ This chooses the "best" mutually-agreeable encryption method for between client
Signature verified.
NOOP token
-Running gss- client produces a massive amount of output.
-The important part is at the end â you should see output similar to what is on the previous slide.
+Running _gss-client_ produces a massive amount of output.
+The important part is at the end â you should see output similar to what is on the previous slide.
If you do not see the line:
+
Attribute local-login-user Authenticated Complete
+
Then attribute mapping is not functioning properly, and you need to check your shibboleth configuration.
##SSH
@@ -255,43 +233,98 @@ To install moonshot-enabled SSH:
yum install openssh-moonshot-clients openssh-moonshot-server
-
-Inside /etc/ssh/sshd_config, and if these values are not set already:
-
-Uncomment UsePrivilegeSeparation and set it to ânoâ
+Inside _/etc/ssh/sshd\_config_, and if these values are not set already:
+Uncomment __UsePrivilegeSeparation__ and set it to __ânoâ__
UsePriviligeSeparation no
-Uncomment GSSAPIAuthentication and set it to âyesâ
+Uncomment __GSSAPIAuthentication__ and set it to __âyesâ__
GSSAPIAuthentication yes
-Uncomment GSSAPIKeyExchange and set it to âyesâ
+Uncomment __GSSAPIKeyExchange__ and set it to __âyesâ__
GSSAPIKeyExchange yes
-Inside /etc/ssh/ssh_config and if these values are not set already:
-
-Uncomment GSSAPIAuthentication and set it to âyesâ
+Inside _/etc/ssh/ssh\_config_ and if these values are not set already:
+Uncomment __GSSAPIAuthentication__ and set it to __âyesâ__
GSSAPIAuthentication yes
-Uncomment GSSAPIKeyExchange and set it to âyesâ
+Uncomment __GSSAPIKeyExchange__ and set it to __âyesâ__
GSSAPIKeyExchange yes
###Running SSH
Finally, we need to start sshd on a seperate port:
- /opt/moonshot/sbin/sshd âp 2222
-At this time we do not recommend running openssh-moonshot as the systemwide SSH client or server â it should be installed alongside the the standard SSH client and server.
-Also note, that sshd must be invoked with its full path, i.e. /opt/moonshot/sbin/sshd.
+ /opt/moonshot/sbin/sshd âp 2222
+At this time we do not recommend running __openssh-moonshot__ as the systemwide SSH client or server â it should be installed alongside the the standard SSH client and server.
+Also note, that sshd must be invoked with its full path, i.e. _/opt/moonshot/sbin/sshd._
Finally, try connecting with the following:
+
/opt/moonshot/bin/ssh âp 2222 âl "" 127.0.0.1
-With any luck, magic happens and you are logged in as the user specified in your Chargeable-User-Identity!
-After successfully logging in, donât forget to type "exit" to end the SSH session and return to the root shell.
-Note in the SSH client command, the option -l "" â this signifies that no username is to be sent to the SSH server.
+With any luck, magic happens and you are logged in as the user specified in your _Chargeable-User-Identity_!
+After successfully logging in, donât forget to type __exit__ to end the SSH session and return to the root shell.
+Note in the SSH client command, the option __-l ""__ â this signifies that no username is to be sent to the SSH server.
+
+##Common Issues:
+
+###If you see:
+
+ connecting to server: Connection refused
+
+_gss-server_ is not running â start it again, and check its output for any reasons why it doesn't stay running
+
+###If you see:
+
+ GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
+ GSS-API error initializing context: SPNEGO cannot find mechanisms to negotiate
+ reading token flags: 0 bytes read
+
+Then _/etc/gss/mech_ is invalid or missing
+
+###If you see:
+
+ Sending init_sec_context token (size=101)...continue needed...
+ CTRL-EVENT-EAP-STARTED EAP authentication started
+ GSS-API error accepting context: Unspecified GSS failure. Minor code may provide more information
+ GSS-API error accepting context:
+ Sending init_sec_context token (size=43)...continue needed...
+ GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information
+ GSS-API error initializing context: SPNEGO failed to negotiate a mechanism
+
+Your RADIUS server may not be running, or malfunctioning, run it in debug mode (as mentioned earlier) to find out why.
+
+###If you see:
+
+ Segmentation fault
+
+Then _~/.gss\_eap\_id_ is invalid or missing
+
+###If you see:
+
+ CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
+
+Then you have not correctly set the _default\_eap\_type_ on the RADIUS server.
+
+###If you see:
+
+ GSS-API error gss_pname_to_uid: Unspecified GSS failure. Minor code may provide more information
+ GSS-API error gss_pname_to_uid: Unknown error
+
+Then there is not a local user that matches your Chargeable-User-Identity
+
+###If you seeâ¦
+
+ /opt/moonshot/bin/gss-client: relocation error: /opt/moonshot/bin/gss-client: symbol gss_acquire_cred_with_password, version gssapi_krb5_2_MIT not defined in file libgssapi_krb5.so.2 with link time reference
+
+Then LD_LIBRARY_PATH is not properly set
+
+
+##Remote IdP
+This is left for an exercise for the user - at this stage it should just be a case of changing _/etc/radsec.conf_ to point at the right RADIUSd