## Moonshot Packages
The RPM's and SRPM's for moonshot are currently hosted at [http://yum.dev.ja.net] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.
+
+
+
+First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
+In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
+__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
+Again, in a real deployment these are not required, but help with testing
+
+This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
+
+## Environment
+### LD_LIBRARY_PATH
+__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.<br />
+The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
+
+ if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
+ then
+ export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
+ fi
+
+This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
+
+
+### SELinux set to permissive
+Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
+
+ echo 0 > /selinux/enforce
+
+### EPEL
+Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).<br />
+The simplest way to install EPEL is:
+
+ yum install epel-release
+
+## Moonshot Packages
+The RPM's and SRPM's for moonshot are currently hosted at [[http://yum.dev.ja.net]] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.<br />
+Example _/etc/yum.repos.d/moonshot.repo_
+
+ [Moonshot]
+ name=Moonshot
+ baseurl=http://yum.dev.ja.net/RPMS/x86_64/
+ gpgcheck=0
+
+After setting up the repository definition, we'll set up a composite ORPS/IdP.
+
+##Moonshot IdP
+To install the diagnostic tools (only needed for testing) and the RADIUSd:
+
+ yum install freeradius krb5-moonshot-devel
+
+Once FreeRADIUS is installed, a source of identity needs to be enabled - either the roaming network in the case of an ORPS, or AD/LDAP/etc for an IdP. For now, we'll just use a flat file. Open _/etc/raddb/users_ and locate the following fragment:
+
+
+ # This is a complete entry for "steve". Note that there is no Fall-Through
+ # entry so that no DEFAULT entry will be used, and the user will NOT
+ # get any attributes in addition to the ones listed here.
+ #
+ # steve Cleartext-Password := "testing"
+ # Service-Type = Framed-User,
+ # Framed-Protocol = PPP,
+
+Uncomment the line beginning __steve__.
+
+__Chargeable-User-Identity__ is the value used to decide what user account to log in the user as on the SSH server.<br />
+This value would normally be set by your local RADIUS proxy (ORPS) – so in a real deployment, rather than statically logging the user in as __moonshot__ you may decide to use something like __steve-camford.ac.uk__.<br />
+If anonymity is required, you could use a Perl or Python script to generate something like __user-789-camford.ac.uk__.<br />
+The exact value does not matter – only that the mappings are consistent, so that the user gets access to the same local account each time.
+To allow creation of accounts on demand you could use __LDAP__ – when the ORPS sees a successful authentication, it could trigger a script that creates the desired account in an __LDAP__ domain.
+It is not guaranteed that __Chargeable-User-Identity__ will be used permanently – in the future a specific RADIUS attribute may be created instead.
+
+To activate CUI insertion, Edit _/etc/raddb/sites-enabled/default_, and find the post-auth section, and add the following:
+
+ update reply {
+ Chargeable-User-Identity = "moonshot"
+ }
+
+Note in the case of an ORPS you need to unfilter this attribute in _/etc/raddb/attrs_ to prevent this attribute from being stripped on roaming requests.
+
+A legacy attribute required for SSH at this time is the user name returned by the IdP. To make this happen, Edit _/etc/raddb/sites-enabled/inner-tunnel_, find the following and uncomment it:
+
+ #update outer.reply {
+ # User-Name = "%{request:User-Name}"
+ #}
+
+
projects / devwiki.git / blobdiff