Overview

When using OpenSSH as an SSH client, Moonshot is natively supported.

Warning

This is only true for OpenSSH as a client. If you want a Moonshot-enabled OpenSSH server, see the OpenSSH Server section.

Compatibility List

Note

Any versions of Linux not in the list below have not yet been tested. If you test one, please let us know!

OS version            Compatible?   Notes
CentOS 6              Yes
CentOS 7              Yes
Debian 7              Yes
Debian 8              Yes
RHEL 6                Yes
RHEL 7                Yes
Scientific Linux 6    Yes
Ubuntu 12.04 LTS      Yes
Ubuntu 14.04 LTS      Yes

Installation Instructions

This software does not require any special installation instructions - install it as you normally would.

Configuration Instructions

The OpenSSH client only needs a few quick tweaks in order to enable Moonshot support.

For more information on the SSH client configuration, visit the ssh_config(5) man page.

Tip

It is worth remembering the order in which the SSH client obtains its options, and that the first configuration value found overrides any later values.

Warning
Other GSSAPI authentication mechanisms

Moonshot is a GSSAPI-based mechanism. Using any of the below configuration instructions to control Moonshot may have an undesirable effect on other GSSAPI-based mechanisms, such as Kerberos or GSI authentication.

Configuring the OpenSSH client globally

Configure the OpenSSH client to use Moonshot by editing /etc/ssh/ssh_config. Check the following lines are present and uncommented:

    GSSAPIAuthentication yes
    GSSAPIKeyExchange no

You can put these declarations in Host blocks if you wish them to only apply to some hosts.

Configuring the OpenSSH client locally

Configure the OpenSSH client to use Moonshot by editing ~/.ssh/config. Check the following lines are present and uncommented:

    GSSAPIAuthentication yes
    GSSAPIKeyExchange no

You can put these declarations in a Host block if you wish them to only apply to some hosts.

Additionally, you can change the type or order of authentication mechanisms the client tries by changing the following default option in your ~/.ssh/config file:

    # Comma-separated list of method names, with no spaces between entries
    PreferredAuthentications gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

You can put your changed declaration in Host blocks if you wish it to only apply to some hosts.

For more information on how to customise the local ssh_config file to suit your preferences, visit Nerderati's page on SSH configuration. 
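
The first-value-wins rule from the tip above, combined with Host blocks, as an added example (not part of the Moonshot documentation): a shell function that reads configuration files in the order given and prints the first value that applies to a host. The two sample files and the host legacy.camford.ac.uk are constructed for illustration; Match and Include directives and the keyword=value form are not handled.

```shell
# Added example, not Moonshot project code. Files are read in the order given
# and the first value that applies to the host wins, as in ssh_config(5).
# Simplified: Match, Include and the "keyword=value" form are not handled.

# host_matches HOST PATTERN...: true if a pattern matches and no !pattern does
host_matches() {
    hm_host=$1; shift; hm_hit=1
    for hm_pat in "$@"; do
        case $hm_pat in
            '!'*) case $hm_host in ${hm_pat#?}) return 1 ;; esac ;;
            *)    case $hm_host in $hm_pat) hm_hit=0 ;; esac ;;
        esac
    done
    return "$hm_hit"
}

# effective_opt HOST KEYWORD FILE...: print the first applicable value
effective_opt() {
    eo_host=$1; eo_key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]'); shift 2
    for eo_file in "$@"; do
        [ -r "$eo_file" ] || continue
        eo_on=0    # lines before the first Host line apply to every host
        while read -r eo_kw eo_val || [ -n "$eo_kw" ]; do
            eo_kw=$(printf '%s' "$eo_kw" | tr '[:upper:]' '[:lower:]')
            case $eo_kw in
                ''|'#'*) continue ;;
                host) set -f    # keep * and ? literal while splitting patterns
                      if host_matches "$eo_host" $eo_val; then eo_on=0; else eo_on=1; fi
                      set +f ;;
                "$eo_key") if [ "$eo_on" -eq 0 ]; then printf '%s\n' "$eo_val"; return 0; fi ;;
            esac
        done < "$eo_file"
    done
    return 1
}

# write_samples DIR: constructed user and system configuration files
write_samples() {
    printf '%s\n' 'Host terminals.camford.ac.uk' '    GSSAPIAuthentication no' \
        'Host *.camford.ac.uk !legacy.camford.ac.uk' \
        '    GSSAPIAuthentication yes' '    GSSAPIKeyExchange no' > "$1/user_config"
    printf '%s\n' 'Host *' '    GSSAPIAuthentication no' \
        '    PreferredAuthentications publickey,password' > "$1/system_config"
}
demo=$(mktemp -d) && write_samples "$demo"
for h in moonshot.camford.ac.uk terminals.camford.ac.uk legacy.camford.ac.uk; do
    echo "$h: $(effective_opt "$h" GSSAPIAuthentication "$demo/user_config" "$demo/system_config")"
done
rm -rf "$demo"
```

Pass ~/.ssh/config before /etc/ssh/ssh_config, which is the order the client reads them after command-line options. On OpenSSH 6.8 and later, `ssh -G hostname` prints the configuration the client itself resolves for that host.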

Configuring the OpenSSH client on the command-line

You can configure the OpenSSH client on its command-line to use Moonshot.

  1. To use GSSAPI, use the -K switch:

        ssh -K moonshot.camford.ac.uk

  2. To not use GSSAPI, use the -k switch:

        ssh -k terminals.camford.ac.uk

  3. To change the preferred authentication mechanisms for the specific host you are connecting to, use the -o switch with the PreferredAuthentications option:

    Using public key and password authentication first:

        ssh -k -o PreferredAuthentications="publickey,password" terminals.camford.ac.uk

Credential forwarding and proxying

The standard OpenSSH client supports proxying. While the Moonshot standards currently do not support credential forwarding or credential delegation, we recommend using the OpenSSH ProxyCommand option together with either the netcat(1) utility or the -W option to forward your Moonshot credentials securely along the chain of hosts to authenticate with Moonshot.

  1. Configure the OpenSSH configuration to set the ProxyCommand by editing ~/.ssh/config:

    Using netcat(1):

        Host your.final.host
            ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host nc %h %p 2>/dev/null

    Using -W:

        Host your.final.host
            ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host -W %h:%p 2>/dev/null

    Info

    When using the Moonshot Identity Selector to store your credentials, you must use the -X switch in the ProxyCommand command-line to forward X11 connections.

    Info

    To create a chain of intermediate proxies, create separate Host entries to set up different proxy connections.

  2. To initiate your connection to the end host, simply connect to it with the usual command-line:

        ssh username@your.final.host

    Info

    When using the nulluser patch (included in the build of OpenSSH in the Moonshot repository), specifying the -l "" option will function throughout the proxy chain.

For more information on SSH proxy forwarding, see SSHMenu: Transparent Multihop.

Server Compatibility

The following servers are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that server):