OpenSSH is a freely available version of the SSH connectivity tools, and is the standard version of SSH used by many Linux distributions. See http://www.openssh.org/ for more information.

Overview

No current version of OpenSSH natively supports Moonshot, but patches are available for versions 5.3p1, 5.9p1 and 6.6p1 of OpenSSH that fix the issues which stop it from working. Ultimately we hope that these patches will become a standard part of OpenSSH, so that it works with Moonshot without any extra steps.

Compatibility

Key

In the tables below, the icons have the following meanings:

  • (tick) - This version of the software has been tested and verified as supporting Moonshot.
  • (error) - This version of the software has been tested and verified as not supporting Moonshot.
  • (question) - This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!

Compatibility List

Note that accessing supported versions of this software requires a Moonshot compatible client - see the next section for details on which clients are supported.

Note

Any versions not listed below have not yet been tested. If you test one, please let us know!

OS version          | Compatible? | Packages available? | Notes
CentOS 6            | (tick)      | (tick)              | Using our pre-compiled package. Re-compiling instructions available.
Debian 7            | (tick)      | (tick)              | Using our pre-compiled package.
Debian 8            | (tick)      |                     | Building instructions available.
RHEL 6              | (tick)      | (tick)              | Using our pre-compiled package. Re-compiling instructions available.
Scientific Linux 6  | (tick)      | (tick)              | Using our pre-compiled package. Re-compiling instructions available.
Ubuntu 12.04 LTS    | (tick)      | (tick)              | Using our pre-compiled package for Debian 7.
Ubuntu 14.04 LTS    | (tick)      |                     | Building instructions available.

Installation & Configuration

Instructions

How you set up a Moonshot-enabled version of the OpenSSH server will differ depending on your OS. See the relevant pages for your particular distribution:

Building Instructions

Although we endeavour to supply packages in our own repositories, we also provide build instructions for popular distributions.

Client Compatibility

The following clients are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that client):

Next Steps

Once you have installed the software, what happens next?

Account Mapping

Tip
Read our General account mapping advice page before you go any further to get an overview of the general options available for mapping federation-provided identities to local accounts.

Mapping to an account specified in a SAML attribute

Moonshot uses Shibboleth libraries to parse RADIUS and SAML attributes. SAML assertions can be embedded inside RADIUS responses by the IdP, allowing the IdP to apply a very fine-grained authorisation policy. One use of this is to let the Moonshot IdP specify which local account the user should log in to your SSH server as: the IdP sends a username in a SAML attribute and your server maps that attribute to the local account (via local-login-user).

  1. Edit /etc/shibboleth/shibboleth2.xml and insert the following lines if they are not already present (they should go directly after the opening <SPConfig ... clockSkew="180"> stanza):

    Code Block
    <Extensions>
        <Library path="plugins.so" fatal="true" />
    </Extensions>
  2. Edit /etc/shibboleth/attribute-map.xml and find the SAML attribute that the Moonshot IdP will send you containing the username.

    Tip
    titleExample

    We want to map from the incoming SAML2 representation of "eduPersonEntitlement":

    Code Block
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
  3. Change the id of that attribute to "local-login-user".

    Tip
    titleExample

    We change the attribute defining the SAML2 representation of "eduPersonEntitlement" so that its id becomes "local-login-user":

    Code Block
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="local-login-user"/>
    Info
    In the standard Moonshot distribution, SSH looks for local-login-user to determine which local account to authenticate the user as. The value comes from the SAML assertion carried in the FreeRADIUS reply for a successful authentication.

Mapping to an account specified in the RADIUS User-Name attribute

Moonshot uses Shibboleth libraries to parse RADIUS and SAML attributes. As with the SAML option above, Moonshot can read a RADIUS attribute (such as User-Name) and your server maps it to a local user account (via local-login-user).

  1. Edit /etc/shibboleth/shibboleth2.xml and insert the following lines if they are not already present (directly after the opening <SPConfig ... clockSkew="180"> stanza):

    Code Block
    <Extensions>
        <Library path="plugins.so" fatal="true" />
    </Extensions>
  2. Then find the line <AttributeExtractor type="XML" ...> further down in the file, duplicate it and modify the duplicate as follows:

    Code Block
    <AttributeExtractor type="GSSAPI" validate="true" reloadChanges="false" path="attribute-map.xml">
    Tip

    You may want to store your GSSAPI attributes in a separate file. In that case, amend the path above to point at the new file.

  3. Edit /etc/shibboleth/attribute-map.xml and find the first attribute line that does not use an AttributeDecoder.

    Tip
    titleExample

    We will duplicate the incoming SAML2 representation of "eduPersonEntitlement":

    Code Block
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
  4. Duplicate the line. GSSAPI attributes are named differently from SAML attributes: the element is GSSAPIAttribute rather than Attribute, and the name is not an OID but the IETF URN urn:ietf:params:gss:radius-attribute followed by a space and the RADIUS attribute number.

    Tip
    titleExample

    We change the duplicated line so that its id becomes "local-login-user" and it uses the GSSAPI namespace:

    Code Block
    <GSSAPIAttribute name="urn:ietf:params:gss:radius-attribute 1" id="local-login-user"/>
    Info

    The numeral 1 in the attribute name refers to RADIUS attribute 1, which is User-Name. The full list of attribute numbers is in IANA's RADIUS Attribute Types registry.

    Info
    In the standard Moonshot distribution, SSH looks for local-login-user to determine which local account to authenticate the user as. The value comes from the attribute in the FreeRADIUS reply for a successful authentication.

Further mapping options

To Come!

Configuration Instructions

Anchor
openssh_server_configuration

Once installed, the Moonshot-enabled OpenSSH server still needs a few quick tweaks to turn on Moonshot support.

  1. Ensure that /etc/radsec.conf and the certificates and key referenced in it can be read by the SSH user:

    Code Block
    su - --shell=/bin/bash sshd
    cat /etc/radsec.conf
    cat path_to_ca.pem
    cat path_to_client.pem
    cat path_to_client.key

    If they cannot be read by the SSH user, add the SSH user to the group that can read them. Do not fix a permission error by making the client key world-readable: it is the credential your server presents to the RADIUS server, so grant access through group membership and keep the key unreadable to other local users.

  2. Configure the OpenSSH server to use GSSAPI by editing /etc/ssh/sshd_config. Check that the following lines are present and uncommented:

    Code Block
    GSSAPIAuthentication yes
    GSSAPIKeyExchange no
    GSSAPIStrictAcceptorCheck yes

    Warning
    titleGSSAPIStrictAcceptorCheck

    If your SSH server has a different hostname from the one given to users (for example, you publish CNAME entries instead of the internal name), you must set GSSAPIStrictAcceptorCheck to no explicitly. Commenting the line out does not disable the check: the option defaults to yes when it is absent.

    Warning
    titleCentOS 6 and UsePrivilegeSeparation

    OpenSSH server versions before 6.6p1 cannot use Moonshot authentication when UsePrivilegeSeparation is set to yes or sandbox. You must set UsePrivilegeSeparation to no on those versions.

  3. Restart the OpenSSH server.
  4. Configure the OpenSSH Client.
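The sshd_config directives above interact with sshd's parsing rules in ways that are easy to get wrong: keywords are case-insensitive, the first value sshd obtains for a keyword wins (a later duplicate is silently ignored), and an absent or commented-out directive takes its compiled-in default, which is why commenting out GSSAPIStrictAcceptorCheck does not disable it. The following Python script is an added example written for this page, not code from the Moonshot or OpenSSH projects: it audits a sshd_config text against the settings listed above using those rules, and takes the OpenSSH version banner so it can flag UsePrivilegeSeparation on builds before 6.6p1. The sample configuration string, the function names and the public_name_differs flag are constructed for the example.

```python
"""Audit sshd_config for the Moonshot GSSAPI settings (added example)."""
import re
from typing import Dict, List, Tuple

# Values sshd uses when a directive is absent, per sshd_config(5). A
# commented-out line falls back to these, so "#GSSAPIStrictAcceptorCheck no"
# still leaves the strict acceptor check enabled.
DEFAULTS = {
    "gssapiauthentication": "no",
    "gssapikeyexchange": "no",
    "gssapistrictacceptorcheck": "yes",
    "useprivilegeseparation": "yes",
}

# Constructed sample configuration for the example: the operator "disabled"
# the acceptor check by commenting it out and left privilege separation on.
SAMPLE_CONFIG = """\
# Moonshot settings
GSSAPIAuthentication yes
GSSAPIKeyExchange no
#GSSAPIStrictAcceptorCheck no
UsePrivilegeSeparation sandbox
Match User admin
    GSSAPIAuthentication no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of every directive in `text`.

    sshd reads top to bottom and keeps the FIRST value it sees for a keyword;
    keywords are case-insensitive; '#' starts a comment; 'Key=value' and
    'Key value' are both accepted. Directives after a Match line only apply
    to matching connections, so the global audit stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first value wins
    return effective


def version_tuple(banner: str) -> Tuple[int, int]:
    """'OpenSSH_5.3p1' -> (5, 3); used to apply version-specific rules."""
    m = re.search(r"(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"cannot parse OpenSSH version from {banner!r}")
    return int(m.group(1)), int(m.group(2))


def effective(cfg: Dict[str, str], key: str) -> str:
    """Value sshd will actually use: the configured one or the default."""
    return cfg.get(key, DEFAULTS[key]).lower()


def audit_sshd_config(text: str, openssh_version: str,
                      public_name_differs: bool = False) -> List[str]:
    """Return findings; an empty list means the config matches the settings
    described on this page for that OpenSSH version."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []
    if effective(cfg, "gssapiauthentication") != "yes":
        findings.append("GSSAPIAuthentication is not yes: Moonshot logins will be refused")
    if effective(cfg, "gssapikeyexchange") != "no":
        findings.append("GSSAPIKeyExchange should be no")
    if public_name_differs and effective(cfg, "gssapistrictacceptorcheck") != "no":
        findings.append("GSSAPIStrictAcceptorCheck is effectively yes (the default): "
                        "set it to no explicitly when clients use a different hostname")
    if version_tuple(openssh_version) < (6, 6):
        privsep = effective(cfg, "useprivilegeseparation")
        if privsep != "no":
            findings.append(f"UsePrivilegeSeparation is {privsep}: must be no before OpenSSH 6.6p1")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG, "OpenSSH_5.3p1", public_name_differs=True):
        print("FINDING:", finding)
```

Run it against the real file with the banner from `ssh -V` (or `sshd -V` on newer builds); the sample above produces two findings on 5.3p1 and none on 6.6p1 when the public hostname matches.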

Account Mapping

Moonshot conveys user information in SAML or RADIUS attributes. You can use one or more of these attributes to decide which local account the user should log in to your SSH server as. Two versions of the Moonshot mechanism are available: the default uses Shibboleth libraries for attribute resolution, while the other uses internal JSON attribute resolution.

To read more about this, visit Configure a Linux Server's Attribute Resolution, and use either mechanism to configure the attribute 'local-login-user', which the SSH server uses to establish the account to log in with.
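Whichever mechanism resolves local-login-user, the value originates at the IdP and should be treated as untrusted input before it is allowed to select a local account. The following Python function is an added example for this page, not code from Moonshot, OpenSSH or Shibboleth: it takes the resolved attributes as a dictionary of attribute id to values (a stand-in for whatever your attribute resolver returns) and applies the checks a server operator would want before accepting the mapping: exactly one value, a strictly formatted username, membership in a local allowlist that never includes root, and, as an illustration of matching the mapped name against the account the client asked for, an optional requested-name comparison. The allowlist, the sample attribute values and the function name are constructed for the example.

```python
"""Policy check on an IdP-supplied local-login-user value (added example)."""
import re
from typing import Dict, List, Optional

# Strict portable username form: lowercase letter or underscore first, then
# letters, digits, '_' or '-', 32 characters at most. Deliberately stricter
# than what useradd accepts, so odd IdP output is rejected rather than
# handed to the system.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed allowlist: local accounts that federated logins may land in.
# Maintain this from local policy; never derive it from IdP data.
FEDERATED_ACCOUNTS = frozenset({"alice", "bob", "guest1"})

# Accounts that must never be reachable through a mapped attribute,
# regardless of what the allowlist says.
NEVER_FEDERATED = frozenset({"root", "sshd"})


def resolve_local_account(attrs: Dict[str, List[str]],
                          allowed=FEDERATED_ACCOUNTS,
                          requested: Optional[str] = None) -> Optional[str]:
    """Return the local account to use, or None if the mapping is rejected.

    `attrs` is the resolver output keyed by attribute id (for example the
    'local-login-user' id configured above). `requested` is the account
    name the SSH client asked for; when given, the mapped name must match
    it exactly (an assumption made for the example).
    """
    values = attrs.get("local-login-user", [])
    # Exactly one value: a missing value means no mapping, and two values
    # would make the choice ambiguous, so both cases are refused.
    if len(values) != 1:
        return None
    name = values[0].strip()
    if not USERNAME_RE.match(name):
        return None
    if name in NEVER_FEDERATED or name not in allowed:
        return None
    if requested is not None and requested != name:
        return None
    return name


# Constructed sample of what an attribute resolver might hand back after a
# successful Moonshot authentication.
SAMPLE_ATTRS = {
    "local-login-user": ["alice"],
    "entitlement": ["urn:mace:example.org:ssh-access"],
}

if __name__ == "__main__":
    print(resolve_local_account(SAMPLE_ATTRS, requested="alice"))
```

The allowlist is the important part: with it, a misconfigured or compromised IdP can only direct a user into an account you have already decided federated users may reach, and never into root or a service account.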