Moonshot-enabling the Linux Console requires the use of pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss necessarily has to work in a way that is not generally recommended with Moonshot - the client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. The consequence of this is that the user's credentials (NAI and password) are exposed directly to a device which is not the user's. Thus, this should only be deployed where the implications and the risk are fully understood:
- Deployers should understand that the credentials of users using the device could be exposed on that device.
- Users should understand that their credential could be exposed and should thus do it only on devices managed by organisations they trust.
Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.
Moonshot-enabling the Linux console is achieved through the use of a PAM module.
In the tables below, the following icons have the following meanings:
- - This version of the software has been tested and verified as supporting Moonshot.
- - This version of the software has been tested and verified as not supporting Moonshot.
- - This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!
2.2. Compatibility List
Any versions not listed below have not yet been tested. If you do so, please let us know!
|Scientific Linux 6|
3. Installation & Configuration
How you set up a Moonshot-enabled version of the Linux Console will differ depending on your OS. See the relevant pages for your particular distribution:
4. Next Steps
4.1. Account Mapping
4.1.1. Mapping to an account specified in a SAML attribute
Moonshot uses Shibboleth libraries to parse RADIUS and SAML attributes - SAML assertions can be embedded inside RADIUS responses by the IdP, allowing an IdP to exercise a very fine-grained authorisation policy. One potential use of this is to allow the Moonshot IdP to specify which account the user should log in to your SSH server as. To do this, it passes across a username in a SAML attribute and your server maps that to a local user account (via local-login-user).
/etc/shibboleth/shibboleth2.xmland insert the following lines if they don't exist (note that this should go directly after the opening
<SPConfig ... clockSkew="180">stanza:
Edit /etc/shibboleth/attribute-map.xml and find the SAML attribute that the Moonshot IdP will be sending you that contains the username.
We want to map from the incoming SAML2 representation of "eduPersonEntitlement"
Change the id of the attribute to "local-login-user".
We change the attribute defining the SAML2 representation of "eduPersonEntitlement" such that its id becomes "local-login-user"In the standard Moonshot distribution, SSH will look for local-login-user to determine who to authenticate the user as. This attribute mapping will be managed by the XML assertion in the FreeRADIUS reply for a successful authentication.
4.1.2. Further mapping options
4.2. Logging into the Linux Console using Moonshot
The user experience of logging into the Linux Console is different to the usual experience when using moonshot (see the warning at the start of this page).
To do so, do the following:
- At the Linux console login prompt, enter the full NAI of your username (e.g. firstname.lastname@example.org). Hit return.
- A Password: prompt will show. Enter the password associated with the account. Hit return.
- If successful, you should be logged into the Linux Console as the local user that your account is mapped to (see next section).
Ensure that the account that the user is being mapped to (via whatever method) actually exists beforehand!