GNOME is a desktop environment which is composed entirely of free and open-source software. See GNOME's website for more details.
Moonshot-enabling GNOME requires pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss works in a way that is not generally recommended with Moonshot: the client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. As a consequence, the user's credentials (NAI and password) are exposed directly to a device which may not be under the user's control. Thus, this should only be deployed where the implications and the risk are fully understood:
Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.
Only GNOME 2 has so far been tested with Moonshot.
In the tables below, the following icons have the following meanings:
Installation & Configuration
How you set up a Moonshot-enabled version of GNOME will differ depending on your OS. See the relevant pages for your particular distribution:
Moonshot by default uses Shibboleth libraries to parse RADIUS and SAML attributes.
SAML assertions can be embedded inside RADIUS responses by the IdP, allowing an IdP to exercise a very fine-grained authorisation policy. One potential use of this is to allow the Moonshot IdP to specify which account the user should log in to your GNOME environment as. RADIUS attributes, such as the
Mapping to an account specified in a SAML attribute
To map an attribute in a SAML assertion embedded in a RADIUS response, your GNOME environment maps that to a local user account (via
Further mapping options
Logging into GNOME using Moonshot
The user experience of logging into GNOME is different to the usual experience when using Moonshot (see the warning at the start of this page).
To do so, do the following: