First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
Again, in a real deployment these are not required, but help with testing
This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
## Environment
### LD_LIBRARY_PATH
__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.
The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
then
export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
fi
This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
### SELinux set to permissive
Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
echo 0 > /selinux/enforce
### EPEL
Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).
The simplest way to install EPEL is:
yum install epel-release
## Moonshot Packages
The RPM's and SRPM's for moonshot are currently hosted at [http://yum.dev.ja.net] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.
First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
Again, in a real deployment these are not required, but help with testing
This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
## Environment
### LD_LIBRARY_PATH
__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.
The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
then
export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
fi
This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
### SELinux set to permissive
Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
echo 0 > /selinux/enforce
### EPEL
Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).
The simplest way to install EPEL is:
yum install epel-release
## Moonshot Packages
The RPM's and SRPM's for moonshot are currently hosted at [[http://yum.dev.ja.net]] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.
Example _/etc/yum.repos.d/moonshot.repo_
[Moonshot]
name=Moonshot
baseurl=http://yum.dev.ja.net/RPMS/x86_64/
gpgcheck=0
After setting up the repository definition, we'll set up a composite ORPS/IdP.
##Moonshot IdP
To install the diagnostic tools (only needed for testing) and the RADIUSd:
yum install freeradius krb5-moonshot-devel
Once FreeRADIUS is installed, a source of identity needs to be enabled - either the roaming network in the case of an ORPS, or AD/LDAP/etc for an IdP. For now, we'll just use a flat file. Open _/etc/raddb/users_ and locate the following fragment:
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
# steve Cleartext-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
Uncomment the line beginning __steve__.
__Chargeable-User-Identity__ is the value used to decide what user account to log in the user as on the SSH server.
This value would normally be set by your local RADIUS proxy (ORPS) – so in a real deployment, rather than statically logging the user in as __moonshot__ you may decide to use something like __steve-camford.ac.uk__.
If anonymity is required, you could use a Perl or Python script to generate something like __user-789-camford.ac.uk__.
The exact value does not matter – only that the mappings are consistent, so that the user gets access to the same local account each time.
To allow creation of accounts on demand you could use __LDAP__ – when the ORPS sees a successful authentication, it could trigger a script that creates the desired account in an __LDAP__ domain.
It is not guaranteed that __Chargeable-User-Identity__ will be used permanently – in the future a specific RADIUS attribute may be created instead.
To activate CUI insertion, Edit _/etc/raddb/sites-enabled/default_, and find the post-auth section, and add the following:
update reply {
Chargeable-User-Identity = "moonshot"
}
Note in the case of an ORPS you need to unfilter this attribute in _/etc/raddb/attrs_ to prevent this attribute from being stripped on roaming requests.
A legacy attribute required for SSH at this time is the user name returned by the IdP. To make this happen, Edit _/etc/raddb/sites-enabled/inner-tunnel_, find the following and uncomment it:
#update outer.reply {
# User-Name = "%{request:User-Name}"
#}