No current version of OpenSSH natively supports Moonshot, but patches are available for OpenSSH versions 5.3p1, 5.9p1 and 6.6p1 that fix the issues which stop it from working. Ultimately we hope that these patches will become a standard part of OpenSSH, so that OpenSSH will work without any extra effort being necessary.
In the tables below, the following icons have the following meanings:
- - This version of the software has been tested and verified as supporting Moonshot.
- - This version of the software has been tested and verified as not supporting Moonshot.
- - This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!
2.2. Compatibility List
Note that accessing supported versions of this software requires a Moonshot-compatible client; see the next section for details on which clients are supported.
Any versions not listed below have not yet been tested. If you test one, please let us know!
|OS version|Compatible?|Packages Available?|Notes|
|---|---|---|---|
|CentOS 6|||Using our pre-compiled package. Building instructions available.|
|CentOS 7|||Using our pre-compiled package. Building instructions available.|
|Debian 8|||Using our pre-compiled package. Building instructions available.|
|RHEL 6|||Using our pre-compiled package. Building instructions available.|
|RHEL 7|||Using our pre-compiled package. Building instructions available.|
|Scientific Linux 6|||Using our pre-compiled package. Building instructions available.|
|Scientific Linux 7|||Using our pre-compiled package. Building instructions available.|
|Ubuntu 12.04 LTS|||Using our pre-compiled package for Debian 7.|
|Ubuntu 14.04 LTS|||Building instructions available.|
3. Installation Instructions
How you set up a Moonshot-enabled version of the OpenSSH server will differ depending on your OS. See the relevant pages for your particular distribution:
4. Building Instructions
Although we endeavour to supply packages in our own repositories, we also provide build instructions for popular distributions.
5. Client Compatibility
The following clients are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that client):
6. Next Steps
Once you have installed the software, what happens next?
6.1. Configuration Instructions
Once installed, the Moonshot-enabled OpenSSH server will still need a few quick tweaks in order to turn on the Moonshot support.
- Ensure that the certificates referenced in /etc/radsec.conf can be read by the SSH user:
If they cannot be read by the SSH user, add the SSH user to the group that can read the certificates.
- Configure the OpenSSH server to use GSSAPI by editing /etc/ssh/sshd_config. Check that the following lines are present and uncommented:
If your SSH server has a different hostname to the one given publicly (for example, you have CNAME entries you give to your users instead of the internal name), you must switch the
no. Disabling (commenting out) the check configuration defaults it to
OpenSSH server versions before 6.6p1 cannot use Moonshot authentication when UsePrivilegeSeparation is switched to sandbox. You must switch UsePrivilegeSeparation to no on those versions.
- Restart the OpenSSH server.
- Configure the OpenSSH Client.
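As an added example for the first configuration step above (this is not Moonshot's or OpenSSH's own code), the following Python script extracts the certificate and key paths from a radsec.conf body and reports which of them a given local account cannot read, along with the owning group to add it to. The libradsec-style key names (cacertfile, certfile, certkeyfile), the sample configuration text and the use of sshd as the account name are assumptions.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample in libradsec style; the key names are an assumption, not from the page.
SAMPLE_CONF = '''realm gss-eap {
    type = "TLS"
    cacertfile = "/etc/pki/tls/certs/ca.pem"
    certfile = "/etc/pki/tls/certs/ssh-host.pem"
    certkeyfile = "/etc/pki/tls/private/ssh-host.key"
}
'''
_PATH_RE = re.compile(r'^\s*(?:cacertfile|certfile|certkeyfile)\s*=\s*"([^"]+)"', re.M)

def cert_paths(conf_text):
    """Certificate and key paths referenced in a radsec.conf body, in file order."""
    return _PATH_RE.findall(conf_text)

def mode_allows_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read decision: root reads anything; otherwise owner, then group, then other bits."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def unreadable_files(conf_text, username):
    """(path, reason) for each referenced file that the local account `username` cannot read."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    problems = []
    for path in cert_paths(conf_text):
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append((path, f"cannot stat: {exc.strerror}"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if not mode_allows_read(mode, st.st_uid, st.st_gid, pw.pw_uid, gids):
            # Group-readable file: adding the account to the owning group (the page's fix) is enough.
            fix = (f"add {username} to gid {st.st_gid}" if mode & stat.S_IRGRP
                   else f"mode {oct(mode)} has no group read bit; fix permissions instead")
            problems.append((path, fix))
    return problems
```

On a server, call `unreadable_files(open("/etc/radsec.conf").read(), "sshd")` (assuming sshd is the unprivileged account the GSS-API acceptor runs as); the check looks only at mode bits, so a file it reports may still be readable through a POSIX ACL.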
6.2. Account Mapping
Moonshot by default uses Shibboleth libraries to parse RADIUS and SAML attributes.
SAML assertions can be embedded inside RADIUS responses by the IdP, allowing an IdP to exercise a very fine-grained authorisation policy. One potential use of this is to allow the Moonshot IdP to specify which account the user should log in to your SSH server as. RADIUS attributes, such as the User-Name attribute, are simply mapped with a special type of Shibboleth attribute. To do this, enable the functionality in Shibboleth as follows.
Edit /etc/shibboleth/shibboleth2.xml and modify the lines after the opening <SPConfig ... clockSkew="180"> stanza:
Shibboleth 2.x only
Insert these lines immediately after the opening stanza:
Shibboleth 3.x only
Modify the OutOfProcess stanza as follows:
6.2.1. Mapping to an account specified in a SAML attribute
To map an attribute in a SAML assertion embedded in a RADIUS response to a local user account (via local-login-user), configure your OpenSSH server as follows:
Edit /etc/shibboleth/attribute-map.xml and find the SAML attribute that the Moonshot IdP will be sending you that contains the username.
We want to map from the incoming SAML2 representation of "eduPersonEntitlement".
Change the id of the attribute from "entitlement" to "local-login-user".
We change the attribute defining the SAML2 representation of "eduPersonEntitlement" such that its ID becomes "local-login-user".
In the standard Moonshot distribution, SSH will look for local-login-user to determine who to authenticate the user as. This attribute mapping will be managed by the XML assertion in the FreeRADIUS reply for a successful authentication.
6.2.2. Mapping to an account specified in a RADIUS attribute
To parse a RADIUS attribute (such as the User-Name attribute) and map it to a local user account (via local-login-user), configure your OpenSSH server as follows:
Edit /etc/shibboleth/shibboleth2.xml and find the line <AttributeExtractor type="XML" ...> further down in the file; duplicate it and modify the duplicate as follows:
You may want to store your GSSAPI attributes in a separate file. In this case, amend the path above to the new file.
Edit /etc/shibboleth/attribute-map.xml and find the first attribute line that does not use an AttributeDecoder. If you store your GSSAPI attributes in a separate file, modify that file instead.
We will duplicate the incoming SAML2 representation of "eduPersonEntitlement"
Duplicate the line. The name format for GSSAPI attributes is somewhat different. It does not use the OID namespace; instead it uses the IETF namespace. The attribute name is also different.
We change the attribute defining the SAML2 representation of "eduPersonEntitlement" such that its ID becomes "local-login-user" and it uses a different namespace
The numeral 1 in the name of the attribute refers to RADIUS attribute 1, which is User-Name. A more extensive compendium of attribute numbers is available at IANA's number registry.
In the standard Moonshot distribution, SSH will look for local-login-user to determine who to authenticate the user as.
6.2.3. Further mapping options