__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.<br />
The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
- if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
+ if \[[ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ]]
then
export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
fi
-This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
-
-
-### SELinux set to permissive
-Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
-
- echo 0 > /selinux/enforce
-
-### EPEL
-Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).<br />
-The simplest way to install EPEL is:
-
- yum install epel-release
-
-## Moonshot Packages
-The RPM's and SRPM's for moonshot are currently hosted at [http://yum.dev.ja.net] - this may change (and in fact, is quite likely to change) in the future. The packages are currently unsigned.
+After, either restart your shell session, or:
-
-
-First we need to install and configure moonshot, its dependencies, and a local RADIUS server for testing
-In a real deployment, a local RADIUS server is not needed, however it simplifies testing if one is available
-__gss-server__ and __gss-client__ are standard Kerberos diagnostic tools, which give us a lot of information that is helpful for debugging
-Again, in a real deployment these are not required, but help with testing
-
-This guide walks through deploying the client, IdP and SP portions of moonshot - depending on your target, some steps may be inappropriate.
-
-## Environment
-### LD_LIBRARY_PATH
-__LD_LIBRARY_PATH__ has to have _/opt/moonshot/lib64/_ and _/usr/lib64/freeradius_ added to it.<br />
-The best way to do this is create a file at _/etc/profile.d/moonshot.sh_, with the following:
-
- if [ [ $LD_LIBRARY_PATH != */opt/moonshot/lib64/:/usr/lib64/freeradius/* ] ]
- then
- export LD_LIBRARY_PATH=/opt/moonshot/lib64/:/usr/lib64/freeradius/:$LD_LIBRARY_PATH
- fi
+ source /etc/profile.d/moonshot.sh
This is required as moonshot currently stores its modified libraries separately to the main system ones to avoid conflicts. This should not be necessary in the future.
-
### SELinux set to permissive
Moonshot has a couple of outstanding issues regarding proper labeling of _SELinux_ contexts, causing it to fail when _SELinux_ is enforcing. This should be resolved soon - change the setting in _/etc/sysconfig/selinux_, or in _/etc/rc.local_:
Moonshot needs __EPEL__ for a few extra libraries (as pulling them from a semi-supported repository is preferable to repackaging).<br />
The simplest way to install EPEL is:
+ rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-5.noarch.rpm
yum install epel-release
## Moonshot Packages
yum install freeradius krb5-moonshot-devel moonshot-gss-eap
-
Once FreeRADIUS is installed, a source of identity needs to be enabled - either the roaming network in the case of an ORPS, or AD/LDAP/etc for an IdP. For now, we'll just use a flat file. Open _/etc/raddb/users_ and locate the following fragment:
Finally, set the EAP type in use by moonshot (EAP-TTLS) by editing _/etc/raddb/eap.conf_
default_eap_type = md5
+
+becomes:
+
+ default_eap_type = ttls
+
+Other EAP types should be supported (PEAP and MD5 tested).
FreeRADIUS now has a very minimal IdP/ORPS configuration, and can be started with:
service radiusd restart
-
If you encounter any issues, you can run radius in debug mode to see what is going on internally.
service radiusd stop
###gss_eap_id
-Next, a file is created in the home directory at _~/.gss_eap_id_ – this is the file that moonshot looks in for credentials.
-The format is very simple – username followed by a password. For now, set it to:
+Next, a file is created in the home directory at _~/.gss\_eap\_id_ – this is the file that moonshot looks in for credentials.
+The format is very simple – username followed by a password on separate lines. For now, set it to:
+
steve
testing
/opt/moonshot/sbin/gss-server host@localhost &
There are two ways to start _gss-client_ – the first specifies an encryption method to use by its OID 1.3.6.1.4.1.5322.22.1.18 (as seen in /etc/gss/mech):
- /opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
+ /opt/moonshot/bin/gss-client -mech "{1 3 6 1 4 1 5322 22 1 18}" 127.0.0.1 host@localhost bar
The second uses __Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)__<br />
This chooses the "best" mutually-agreeable encryption method for between client and server. To invoke the client using __SPNEGO__, use:
+
/opt/moonshot/bin/gss-client -spnego 127.0.0.1 host@localhost bar
##Sample Output
projects / devwiki.git / blobdiff