========
This is an implementation of the GSS EAP mechanism, as described in
-draft-ietf-abfab-gss-eap-00.txt.
+draft-ietf-abfab-gss-eap-01.txt.
Building
========
Installing
==========
+GSS mechglue
+------------
+
When installing, be sure to edit $prefix/etc/gss/mech to register
the EAP mechanisms. A sample configuration file is in this directory.
+You may need to specify an absolute path.
+
+RADIUS client library
+---------------------
Make sure your RADIUS library is configured to talk to the server of
-your choice: see the example radsec.conf in this directory.
+your choice: see the example radsec.conf in this directory. If you
+want to use TCP or TLS, you'll need to run radsecproxy in front of
+your RADIUS server.
+
+RADIUS server
+-------------
+
+These instructions apply to FreeRADIUS only, which is downloadable
+from http://freeradius.org/. After configure, make, install, do the
+following:
+
+On the RADIUS server side, you need to install dictionary.ukerna to
+$prefix/etc/raddb and include it from the main dictionary file, by
+adding:
+
+ $INCLUDE dictionary.ukerna
-On the RADIUS server side, you need to install dictionary.ukerna and
-include it from the main dictionary file.
+to $prefix/etc/raddb/dictionary. Make sure these files are world-
+readable; they weren't in my installation.
+
+Edit $prefix/etc/raddb/users to add your test user and password:
+
+ bob@PROJECT-MOONSHOT.ORG Cleartext-Password := secret
+
+Add an entry for your acceptor to $prefix/etc/raddb/clients.conf:
+
+ client somehost {
+ ipaddr = 127.0.0.1
+ secret = testing123
+ require_message_authenticator = yes
+ }
+
+Edit $prefix/etc/raddb/eap.conf and set:
+
+ eap {
+...
+ default_eap_type = ttls
+...
+ tls {
+ certdir = ...
+ cadir = ...
+ private_key_file = ...
+ certificate_file = ...
+ }
+ ttls {
+ default_eap_type = mschapv2
+ copy_request_to_tunnel = no
+ use_tunneled_reply = no
+ virtual_server = "inner-tunnel"
+ }
+...
+ }
+
+to enable EAP-TTLS.
If you want the acceptor be able to identify the user, the RADIUS
server needs to echo back the EAP username from the inner tunnel;
for privacy, mech_eap only sends the realm in the EAP Identity
response. To configure this with FreeRADIUS, add:
- update outer.reply {
- User-Name = "%{request:User-Name}"
- }
-
-to /etc/raddb/sites-enabled/inner-tunnel, and make sure that
+ update outer.reply {
+ User-Name = "%{request:User-Name}"
+ }
- virtual_server = "inner-tunnel"
+If you want to add a SAML assertion, do this with "update reply"
+in $prefix/etc/raddb/sites-available/default:
-is set in eap.conf for the EAP types being used.
+ update reply {
+ SAML-AAA-Assertion = '<saml:Assertion ...'
+ SAML-AAA-Assertion += '...'
+ }
-To test the SAML assertion code path, you can place a fixed SAML
-assertion in the update reply block of the default configuration.
-
- update reply {
- SAML-AAA-Assertion = '<saml:Assertion ...'
- SAML-AAA-Assertion += '...'
- }
+You'll need to split it into multiple lines because of the RADIUS
+attribute size limit.
Testing
=======
not the RADIUS server).
% gss-client -port 5555 -spnego -mech "{1 3 6 1 4 1 5322 22 1 18}" \
- -user <user> -pass <pass> <host> host@<host> "Testing GSS EAP"
+ -user <user>@<realm> -pass <pass> <host> host@<host> \
+ "Testing GSS EAP"
% gss-server -port 5555 -export host@<host>
Note: for SASL you will be prompted for a username and password.
% client -C -p 5556 -s host -m EAP-AES128 <host>
% server -c -p 5556 -s host -h <host>
+To test fast reauthentication support, add the following to
+/etc/krb5.conf:
+
+[appdefaults]
+ eap_gss = {
+ reauth_use_ccache = TRUE
+ }
+
+This will store a Kerberos ticket for a GSS-EAP authenticated user
+in a credentials cache, which can then be used for re-authentication
+to the same acceptor. You must have a valid keytab configured.
+
+In this testing phase of Moonshot, it's also possible to store a
+default identity and credential in a file. The format consists of
+the string representation of the initiator identity and the password,
+separated by newlines. The default location of this file is
+.gss_eap_id in the user's home directory, however the GSSEAP_IDENTITY
+environment variable can be used to set an alternate location.
+
+You can also set a default realm in [appdefaults]; the Kerberos
+default realm is never used by mech_eap (or at least, that is the
+intention), so if unspecified you must always qualify names. It should
+generally not be necessary to specify this.
+
projects / mech_eap.orig / blobdiff