(no commit message)

diff --git a/ConfiguringRHEL.mdwn b/ConfiguringRHEL.mdwn
index 59a4524..5dc1b9a 100644 (file)
--- a/ConfiguringRHEL.mdwn
+++ b/ConfiguringRHEL.mdwn
@@ -202,7 +202,7 @@ This file tells moonshot what encryption options are valid for use with GSS.
     eap-aes128         1.3.6.1.4.1.5322.22.1.17        mech_eap.so
     eap-aes256         1.3.6.1.4.1.5322.22.1.18        mech_eap.so
 
-#Testing Functionality
+##Testing Functionality
 
 As mentioned earlier, we will be using the Kerberos test tools to make sure that things are working.
 To start the gss-server, run:
@@ -216,7 +216,7 @@ The second uses Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
 This chooses the "best" mutually-agreeable encryption method for between client and server.  To invoke the client using SPNEGO, use:
     /opt/moonshot/bin/gss-client -spnego 127.0.0.1 host@localhost bar
 
-#Sample Output
+##Sample Output
 
     Attribute local-login-user Authenticated Complete
     
@@ -243,3 +243,55 @@ This chooses the "best" mutually-agreeable encryption method for between client
     Received message: "testing"
     Signature verified.
     NOOP token
+
+Running gss- client produces a massive amount of output.
+The important part is at the end – you should see output similar to what is on the previous slide.
+If you do not see the line:
+    Attribute local-login-user Authenticated Complete
+Then attribute mapping is not functioning properly, and you need to check your shibboleth configuration.
+
+##SSH
+To install moonshot-enabled SSH:
+
+    yum install openssh-moonshot-clients openssh-moonshot-server
+
+
+Inside /etc/ssh/sshd_config, and if these values are not set already:
+
+Uncomment UsePrivilegeSeparation and set it to ‘no’
+
+       UsePriviligeSeparation no
+
+Uncomment GSSAPIAuthentication and set it to ‘yes’
+
+       GSSAPIAuthentication yes
+
+Uncomment GSSAPIKeyExchange and set it to ‘yes’
+
+       GSSAPIKeyExchange yes
+
+Inside /etc/ssh/ssh_config and if these values are not set already:
+
+Uncomment GSSAPIAuthentication and set it to ‘yes’
+
+       GSSAPIAuthentication yes
+
+Uncomment GSSAPIKeyExchange and set it to ‘yes’
+
+       GSSAPIKeyExchange yes
+
+###Running SSH
+
+Finally, we need to start sshd on a seperate port:
+    /opt/moonshot/sbin/sshd –p 2222
+
+At this time we do not recommend running openssh-moonshot as the systemwide SSH client or server – it should be installed alongside the the standard SSH client and server.
+Also note, that sshd must be invoked with its full path, i.e. /opt/moonshot/sbin/sshd.
+
+
+Finally, try connecting with the following:
+    /opt/moonshot/bin/ssh –p 2222 –l "" 127.0.0.1
+
+With any luck, magic happens and you are logged in as the user specified in your Chargeable-User-Identity!
+After successfully logging in, don’t forget to type "exit" to end the SSH session and return to the root shell.
+Note in the SSH client command, the option -l "" – this signifies that no username is to be sent to the SSH server.