
System Preparation

Add the Moonshot libraries.

If you have not already done so, first follow the instructions on the Install Moonshot Libraries on a Linux Client page.

Installation Instructions

Install pam_gss

Code Block
titleCentOS / RH / SL
linenumberstrue
yum install pam_gss


Code Block
titleDebian / Ubuntu
linenumberstrue
apt-get install libpam-gss

Configure the .gss_eap_authorized_anchors file

The PAM module cannot use the Moonshot UI, so it has no way to ask the user whether to trust the certificate an IdP presents. Instead, a static list of IdP server certificate fingerprints must be configured; without it, pam_gss could accept a malicious server impersonating the end user's IdP.

This is done by creating the file .gss_eap_authorized_anchors in the /root directory (the module reads it from root's home directory). Its format is as follows:

Code Block
REALM:FINGERPRINT
REALM2:FINGERPRINT2
REALM3:FINGERPRINT3
[...]

The realm and fingerprint portions are case-insensitive. The fingerprint is the IdP server's certificate fingerprint; the realm is the same realm you would enter in the ID Selector. A realm that is missing from this file has no pin, so an IdP for that realm cannot be verified.
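To make the pin check concrete, here is an added example (Python, written for this page; it is not pam_gss's or Moonshot's own parser) that loads an anchors file and applies the realm lookup and fingerprint comparison the module performs before trusting an IdP. It assumes the fingerprint is a hex SHA-256 digest of the IdP server certificate in DER form and tolerates colon separators; both are assumptions, since the page does not state the hash algorithm or the exact hex layout. The certificate bytes and the anchors text are constructed stand-ins, not real data.

```python
# Hypothetical helper for .gss_eap_authorized_anchors (example code written for
# this page; not part of pam_gss or Moonshot).
import hashlib
import hmac

# Assumption, labelled because the page does not state it: the fingerprint is a
# SHA-256 digest of the IdP server certificate in DER form, written as hex;
# colon separators (AA:BB:...) are tolerated and stripped.
FINGERPRINT_HEX_LEN = 64


def fingerprint_sha256(cert_der):
    """Lowercase hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def normalize_fingerprint(text):
    """Strip colons, lowercase, and insist on a full SHA-256 hex digest."""
    value = text.replace(":", "").strip().lower()
    if len(value) != FINGERPRINT_HEX_LEN or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a SHA-256 hex fingerprint: {text!r}")
    return value


def parse_anchors(text):
    """Parse REALM:FINGERPRINT lines into {realm_lower: fingerprint_lower}.

    Malformed or duplicate entries raise instead of being skipped, so a typo
    cannot silently leave a realm unpinned."""
    anchors = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # The realm never contains a colon; the fingerprint may, so split once.
        realm, sep, fingerprint = line.partition(":")
        if not sep or not realm:
            raise ValueError(f"line {lineno}: expected REALM:FINGERPRINT")
        realm = realm.lower()
        if realm in anchors:
            raise ValueError(f"line {lineno}: duplicate entry for realm {realm}")
        anchors[realm] = normalize_fingerprint(fingerprint)
    return anchors


def is_authorized(anchors, realm, presented_cert_der):
    """True only if the realm is pinned and the presented certificate's
    fingerprint equals the pin (constant-time comparison)."""
    expected = anchors.get(realm.lower())
    if expected is None:
        return False  # unknown realm: no pin, so no trust
    return hmac.compare_digest(expected, fingerprint_sha256(presented_cert_der))


def is_well_formed(text):
    """Convenience wrapper: does the anchors text parse cleanly?"""
    try:
        parse_anchors(text)
        return True
    except ValueError:
        return False


# Constructed inputs: stand-in bytes for an IdP certificate, not a real one,
# and an anchors file mixing upper-case and colon-separated forms.
CONSTRUCTED_IDP_CERT_DER = b"stand-in DER bytes for idp.example.com"
CONSTRUCTED_ANCHORS = (
    "Example.COM:" + fingerprint_sha256(CONSTRUCTED_IDP_CERT_DER).upper() + "\n"
    "other.org:" + ":".join(["AB"] * 32) + "\n"
)

if __name__ == "__main__":
    pins = parse_anchors(CONSTRUCTED_ANCHORS)
    print(is_authorized(pins, "EXAMPLE.COM", CONSTRUCTED_IDP_CERT_DER))
    print(is_authorized(pins, "example.com", b"some other certificate"))
    print(is_authorized(pins, "unknown.realm", CONSTRUCTED_IDP_CERT_DER))
```

Unknown realms and malformed lines are rejected outright; the safe failure for a pin file is to refuse, never to fall back to accepting whatever certificate the server presents.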

Configuration Instructions

pam_gss is configured by adding the following line to the relevant /etc/pam.d/ file, immediately after the pam_unix line. The mech option selects the GSS-EAP mechanism OID (under RFC 7055 the last arc is the Kerberos encryption type number; 18 is aes256-cts-hmac-sha1-96), and try_first_pass follows the usual PAM convention of reusing the password pam_unix already collected rather than prompting again.

Code Block
linenumberstrue
auth	sufficient	pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass

The configuration file depends on the application and OS you are trying to configure. In particular:

Linux console

Edit the indicated file for your system to make it match the following stanzas:

  • RH / CentOS / SL

    Code Block
    languagebash
    title/etc/pam.d/system-auth
    linenumberstrue
    ...
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so try_first_pass nullok
    auth        sufficient    pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass
    ...


  • Debian / Ubuntu

    Code Block
    languagebash
    title/etc/pam.d/common-auth
    linenumberstrue
    ...
    # here are the per-package modules (the "Primary" block)
    auth    sufficient      pam_unix.so nullok_secure
    auth    sufficient      pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass
    ...


GDM

Edit the indicated file for your system to make it match the following stanzas:

  • RH / CentOS / SL

    Code Block
    languagebash
    title/etc/pam.d/password-auth
    linenumberstrue
    ...
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so try_first_pass nullok
    auth        sufficient    pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass
    ...


    Note
    titleSElinux

    If SELinux is in Enforcing mode, GDM will not be able to read /root/.gss_eap_authorized_anchors.

    You can work around this by putting the GDM domain (xdm_t) into permissive mode with the following command. Note that this lifts SELinux enforcement for everything running in xdm_t, not just this one file read, so treat it as a workaround rather than a policy fix:

    Code Block
    linenumberstrue
    semanage permissive -a xdm_t



  • Debian / Ubuntu

    Code Block
    languagebash
    title/etc/pam.d/common-auth
    linenumberstrue
    ...
    # here are the per-package modules (the "Primary" block)
    auth    sufficient      pam_unix.so nullok_secure
    auth    sufficient      pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass
    ...


    Code Block
    languagebash
    title/etc/pam.d/gdm-password
    linenumberstrue
    ...
    auth    requisite       pam_nologin.so
    # Commented out since pam_gss requires this to be true
    # auth	required	pam_succeed_if.so user != root quiet_success
    @include common-auth
    ...


Note
titleScreensaver
If the screensaver locks the screen, you will not be able to unlock it with your password, because the unlock dialog expects the password of the local account rather than your federated credentials. As a workaround, choose "Login as a different user" and log in again; this unlocks the existing session rather than creating a new one.
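Because the ordering and options in the stanzas above are easy to get subtly wrong, here is an added example (Python, written for this page; it is not part of pam_gss or of any distribution) that resolves a Debian-style @include chain and checks the resulting auth stack against what this page prescribes: pam_gss.so directly after pam_unix.so, marked sufficient, carrying ignore_unknown_user, the mech OID and try_first_pass, and no active pam_succeed_if.so user != root line. The PAM file contents below are constructed for the example, one correct and one deliberately broken.

```python
# Hypothetical lint for the pam_gss stanzas on this page (example code, not
# part of pam_gss or any distribution's PAM packaging).
PAM_GSS_MECH = "1.3.6.1.5.5.15.1.1.18"
PAM_GSS_REQUIRED_ARGS = ("ignore_unknown_user", "mech=" + PAM_GSS_MECH, "try_first_pass")


def resolve_stack(files, name, _depth=0):
    """Return the active 'auth' entries of PAM file `name` as (control, module, args)
    tuples, expanding Debian-style '@include other' lines from the `files`
    dict (file basename -> text). Comments and blank lines are dropped."""
    if _depth > 8:
        raise ValueError("@include nesting too deep (include loop?)")
    entries = []
    for raw in files[name].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "@include":
            entries.extend(resolve_stack(files, parts[1], _depth + 1))
        elif parts[0] == "auth" and len(parts) >= 3:
            entries.append((parts[1], parts[2], tuple(parts[3:])))
    return entries


def check_pam_gss_stack(files, name):
    """Return a list of problems with the resolved auth stack of `name`;
    an empty list means the stack matches what this page prescribes."""
    problems = []
    entries = resolve_stack(files, name)
    modules = [module for _, module, _ in entries]
    if "pam_unix.so" not in modules:
        problems.append("pam_unix.so is not in the auth stack")
    if "pam_gss.so" not in modules:
        problems.append("pam_gss.so is not in the auth stack")
        return problems
    gss_index = modules.index("pam_gss.so")
    if "pam_unix.so" in modules and gss_index != modules.index("pam_unix.so") + 1:
        problems.append("pam_gss.so must come directly after pam_unix.so")
    control, _, args = entries[gss_index]
    if control != "sufficient":
        problems.append(f"pam_gss.so control is {control!r}, expected 'sufficient'")
    for required in PAM_GSS_REQUIRED_ARGS:
        if required not in args:
            problems.append(f"pam_gss.so lacks the {required} option")
    for _, module, args in entries:
        if module == "pam_succeed_if.so" and args[:3] == ("user", "!=", "root"):
            problems.append("an active 'pam_succeed_if.so user != root' line breaks pam_gss; comment it out")
    return problems


# Constructed PAM files for the example (Debian/Ubuntu layout, GDM case).
CONSTRUCTED_FILES = {
    "common-auth": """\
# here are the per-package modules (the "Primary" block)
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient      pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18 try_first_pass
""",
    "gdm-password": """\
auth    requisite       pam_nologin.so
# auth  required        pam_succeed_if.so user != root quiet_success
@include common-auth
""",
    # Deliberately wrong: root check still active, pam_gss before pam_unix,
    # try_first_pass missing.
    "gdm-password-broken": """\
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success
auth    sufficient      pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18
auth    sufficient      pam_unix.so nullok_secure
""",
}

if __name__ == "__main__":
    for pam_file in ("gdm-password", "gdm-password-broken"):
        print(pam_file, check_pam_gss_stack(CONSTRUCTED_FILES, pam_file))
```

To run it against a real system, read your /etc/pam.d files into the dictionary keyed by basename. The checks are only the ones this page states, so an empty result means the stack matches the page, not that it is correct in every other respect.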

Account mapping

When you authenticate with your federated identity, it must be mapped to a local account on the system. Before going any further, read our General account mapping advice page for an overview of the options available for mapping federation-provided identities to local accounts.

Then refer to our Configure a Linux Server's Attribute Resolution page.

Logging in using pam_gss

  1. When the application asks for a username, enter your full NAI (e.g. johnsmith@example.com).
  2. When the application asks for a password, enter your password as usual.
    1. If you are using the Moonshot 2FA module, enter your password immediately followed by your OTP code (e.g. mypasswdendshere054448).
  3. If successful, you are logged in as the local user that your account is mapped to (see previous section).
Tip

Ensure that the account the user is being mapped to (by whatever method) actually exists beforehand!

