From: https://www.google.com/accounts/o8/id?id=AItOawmF293QIINb35puIE44kcDsoUHIhUGyq84 Date: Tue, 1 Nov 2011 11:21:44 +0000 (-0400) Subject: (no commit message) X-Git-Url: http://www.project-moonshot.org/gitweb/?p=devwiki.git;a=commitdiff_plain;h=3dbbe8e15cdab8f5f311b19d60a659f89c391b68 --- diff --git a/ConfiguringRHEL.mdwn b/ConfiguringRHEL.mdwn index 59a4524..5dc1b9a 100644 --- a/ConfiguringRHEL.mdwn +++ b/ConfiguringRHEL.mdwn @@ -202,7 +202,7 @@ This file tells moonshot what encryption options are valid for use with GSS. eap-aes128 1.3.6.1.4.1.5322.22.1.17 mech_eap.so eap-aes256 1.3.6.1.4.1.5322.22.1.18 mech_eap.so -#Testing Functionality +##Testing Functionality As mentioned earlier, we will be using the Kerberos test tools to make sure that things are working. To start the gss-server, run: @@ -216,7 +216,7 @@ The second uses Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) This chooses the "best" mutually-agreeable encryption method for between client and server. To invoke the client using SPNEGO, use: /opt/moonshot/bin/gss-client -spnego 127.0.0.1 host@localhost bar -#Sample Output +##Sample Output Attribute local-login-user Authenticated Complete 
@@ -243,3 +243,55 @@ This chooses the "best" mutually-agreeable encryption method for between client Received message: "testing" Signature verified. NOOP token + +Running gss- client produces a massive amount of output. +The important part is at the end – you should see output similar to what is on the previous slide. +If you do not see the line: + Attribute local-login-user Authenticated Complete +Then attribute mapping is not functioning properly, and you need to check your shibboleth configuration. + +##SSH +To install moonshot-enabled SSH: + + yum install openssh-moonshot-clients openssh-moonshot-server + + +Inside /etc/ssh/sshd_config, and if these values are not set already: + +Uncomment UsePrivilegeSeparation and set it to ‘no’ + + UsePriviligeSeparation no + +Uncomment GSSAPIAuthentication and set it to ‘yes’ + + GSSAPIAuthentication yes + +Uncomment GSSAPIKeyExchange and set it to ‘yes’ + + GSSAPIKeyExchange yes + +Inside /etc/ssh/ssh_config and if these values are not set already: + +Uncomment GSSAPIAuthentication and set it to ‘yes’ + + GSSAPIAuthentication yes + +Uncomment GSSAPIKeyExchange and set it to ‘yes’ + + GSSAPIKeyExchange yes + +###Running SSH + +Finally, we need to start sshd on a seperate port: + /opt/moonshot/sbin/sshd –p 2222 + +At this time we do not recommend running openssh-moonshot as the systemwide SSH client or server – it should be installed alongside the the standard SSH client and server. +Also note, that sshd must be invoked with its full path, i.e. /opt/moonshot/sbin/sshd. + + +Finally, try connecting with the following: + /opt/moonshot/bin/ssh –p 2222 –l "" 127.0.0.1 + +With any luck, magic happens and you are logged in as the user specified in your Chargeable-User-Identity! +After successfully logging in, don’t forget to type "exit" to end the SSH session and return to the root shell. +Note in the SSH client command, the option -l "" – this signifies that no username is to be sent to the SSH server.
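Review bot: In the `-#Testing Functionality` / `+##Testing Functionality` hunk (and likewise the `##Sample Output` hunk), the new headings keep the no-space form `##Heading`. ikiwiki's Markdown.pl accepts that, but CommonMark-style renderers require a space after the hashes and will render `##Testing Functionality` as literal text, so `## Testing Functionality` is the safer spelling if this wiki is ever migrated; either way the demotion to level two is consistent with the `##SSH` section the same commit adds.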
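Review bot: In the SSH hunk the configuration line `UsePriviligeSeparation no` misspells the directive while the sentence above it spells it correctly; sshd aborts on an unknown keyword ("Bad configuration option"), so a reader who pastes the indented line gets a server that will not start. It should read `UsePrivilegeSeparation no`. Since turning privilege separation off removes sshd's unprivileged pre-auth process, the page should also say why the moonshot build needs it off (the current text gives no reason) and should make clear that the setting applies only to the sshd run on port 2222, not to the system sshd. The two command lines `/opt/moonshot/sbin/sshd –p 2222` and `/opt/moonshot/bin/ssh –p 2222 –l "" 127.0.0.1` use an en dash rather than `-` for the options, so they fail when copied; the same applies to the `-l ""` remark at the end. Please also confirm that the /opt/moonshot sshd really reads /etc/ssh/sshd_config and /etc/ssh/ssh_config rather than a config under its own prefix, because the page says it is meant to sit alongside the distribution OpenSSH. Minor: "gss- client" (stray space), "seperate", "the the", and "on the previous slide" (this is a wiki page, not a slide deck; point at the Sample Output section instead).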