No current version of OpenSSH natively supports Moonshot, but patches are available for OpenSSH 5.3p1, 5.9p1 and 6.6p1 that fix the issues stopping it from working. Ultimately we hope these patches will become a standard part of OpenSSH, so that it works with Moonshot without any extra effort.
In the tables below, the following icons have the following meanings:
Note that accessing supported versions of this software requires a Moonshot-compatible client; see the next section for details on which clients are supported.
| OS version | Compatible? | Packages Available? | Notes |
|---|---|---|---|
| CentOS 6 | | | Using our pre-compiled package. Building instructions available. |
| CentOS 7 | | | Using our pre-compiled package. Building instructions available. |
| Debian 8 | | | Using our pre-compiled package. Building instructions available. |
| RHEL 6 | | | Using our pre-compiled package. Building instructions available. |
| RHEL 7 | | | Using our pre-compiled package. Building instructions available. |
| Scientific Linux 6 | | | Using our pre-compiled package. Building instructions available. |
| Scientific Linux 7 | | | Using our pre-compiled package. Building instructions available. |
| Ubuntu 12.04 LTS | | | Using our pre-compiled package for Debian 7. |
| Ubuntu 14.04 LTS | | | Building instructions available. |
Ensure that the certificates referenced in /etc/radsec.conf can be read by the SSH user:
```bash
$ su - --shell=/bin/bash sshd
$ cat path_to_ca.pem
$ cat path_to_client.pem
$ cat path_to_client.key
```
If they cannot be read by the SSH user, add the SSH user to the group that can read the certificates.
Configure the OpenSSH server to use GSSAPI by editing /etc/ssh/sshd_config. Check that the following lines are present and uncommented:
```
GSSAPIAuthentication yes
GSSAPIKeyExchange no
GSSAPIStrictAcceptorCheck yes
```
Warning (GSSAPIStrictAcceptorCheck): If your SSH server has a different hostname from the one given publicly (for example, you give your users CNAME entries instead of the internal name), you must switch GSSAPIStrictAcceptorCheck to no. Disabling the setting by commenting it out does not turn the check off: it defaults to yes.
Warning (UsePrivilegeSeparation): OpenSSH server versions before 6.6p1 cannot use Moonshot authentication when UsePrivilegeSeparation is set to sandbox. You must set it to no on those versions.
- Restart the OpenSSH server.
- Configure the OpenSSH Client.
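As an added example, not part of the Moonshot project's documentation or code, the following POSIX shell script checks a copy of sshd_config for the three GSSAPI settings above and for the UsePrivilegeSeparation sandbox setting, applying sshd's rule that the first uncommented occurrence of a keyword is the one that takes effect. The config fragment it runs on at the end is constructed for the demo, not taken from a real host.

```shell
# Added example, not Moonshot project code: verify that an sshd_config carries
# the GSSAPI settings this page calls for. sshd_config(5) uses the FIRST
# uncommented value of each keyword, so a later "yes" does not override an earlier "no".

# effective_value CONFIG KEYWORD -> prints the first uncommented value of
# KEYWORD (case-insensitive, "Key value" or "Key=value" forms), or "unset".
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = split(line, f, "[ \t=]+")
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1")
    printf '%s\n' "${val:-unset}"
}

# check_gssapi_config CONFIG -> 0 when GSSAPIAuthentication=yes,
# GSSAPIKeyExchange=no and GSSAPIStrictAcceptorCheck=yes are all in effect;
# 1 otherwise, with each mismatch reported on stderr.
check_gssapi_config() {
    rc=0
    for pair in GSSAPIAuthentication=yes GSSAPIKeyExchange=no \
                GSSAPIStrictAcceptorCheck=yes; do
        want=${pair#*=}; got=$(effective_value "$1" "${pair%%=*}")
        if [ "$got" != "$want" ]; then
            echo "${pair%%=*}: effective value '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# privsep_sandbox_in_effect CONFIG -> 0 when UsePrivilegeSeparation resolves
# to "sandbox", the setting this page says breaks Moonshot before 6.6p1.
privsep_sandbox_in_effect() {
    [ "$(effective_value "$1" UsePrivilegeSeparation)" = sandbox ]
}
# Stand-alone demo on a constructed sshd_config fragment (not a real host's).
demo=$(mktemp)
printf '%s\n' 'GSSAPIAuthentication no' 'GSSAPIAuthentication yes' \
    'GSSAPIKeyExchange no' 'GSSAPIStrictAcceptorCheck yes' \
    'UsePrivilegeSeparation sandbox' > "$demo"
if check_gssapi_config "$demo"; then echo "GSSAPI settings OK"; fi
if privsep_sandbox_in_effect "$demo"; then
    echo "UsePrivilegeSeparation sandbox: set it to no on OpenSSH before 6.6p1"
fi
rm -f "$demo"
```

Point the functions at /etc/ssh/sshd_config to check a real server; anything reported on stderr needs fixing before the server is restarted.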
Read our General account mapping advice page before you go any further, to get an overview of the general options available for mapping federation-provided identities to local accounts.
Moonshot conveys user information in SAML or RADIUS attributes. You can use one or more of these attributes to decide which local account a user should log into on your SSH server. We provide two versions of the Moonshot mechanism: one uses Shibboleth libraries by default, while the other uses internal JSON attribute resolution.
To read more about this, visit Configure a Linux Server's Attribute Resolution and use either mechanism to configure the attribute 'local-login-user', which the SSH server will use to establish the account to log in with.