Page version 10 (older version of this page)

Background

A number of configuration steps must be in place for Moonshot to work smoothly. Checking them can be automated, i.e. a script can verify that the important but easy-to-confirm items are present and correctly set.

Usage

$ moonshot-readiness
usage: moonshot-readiness [task] [task]...
 
  Available tasks:
    minimal (default)
    client
    rp
    rp-proxy
    idp-proxy
    ssh-client
    ssh-server
 
$ moonshot-readiness client ssh-client
  Testing task basic...
    Hostname is fqdn...                             [OKAY]
    Supported OS...                                 [OKAY]
    Moonshot repositories configured...             [FAIL]
 
  Testing task client...
    gss/mech...                                     [OKAY]
    mech_eap.so in library path...                  [FAIL]
 
  Testing task ssh-client...
    GSSAPIAuthentication...                         [FAIL]
    GSSAPIKeyExchange...                            [OKAY]
 
  Test complete, failed tests:
    Moonshot repositories configured:
      Without the moonshot repositories configured, you will not be able to update to the latest versions of the moonshot code.
    mech_eap.so in library path:
      mech_eap.so was not found in your ld configuration - this may mean you've installed the Moonshot libraries in a non-default location.
    GSSAPIAuthentication:
      Your SSH client is not configured for GSSAPI authentication. Moonshot will not work. 

Structure

Each 'task' defines a number of items to check, the valid response for each item, and a message to display if that test fails. Tasks also name a parent task that they depend on (e.g. ssh-client depends on client, which in turn depends on basic, so testing ssh-client also runs the client and basic tests). Fatal failed tests should be displayed as FAIL, non-fatal ones as WARN, and successful tests as OKAY.

Tasks

Task           | Dependency | Description
basic          | none       | Basic set of tests, required for Moonshot to function at all in any capacity
client         | basic      | Fundamental tests required for Moonshot to function as a client
rp             | basic      | Fundamental tests required for Moonshot to function as an RP
rp-proxy       | rp         | Tests required for Moonshot to function as a RadSec RP
idp            | rp         | Tests to verify if FreeRADIUS is correctly configured
openssh-client | client     | Tests to verify if the openssh-client is correctly configured
openssh-rp     | rp         | Tests to verify if the openssh-server is correctly configured
httpd-client   | client     | Tests to verify if mod-auth-gssapi is correctly configured
httpd-rp       | rp         | Tests to verify if mod-auth-gssapi is correctly configured

 

Tests

Each test lists: Task, Title, Debian method, RHEL method (one method where both are the same), Failure text, and Severity (ERROR, shown as FAIL; or WARN).

Task: basic
Title: Hostname is FQDN
Method (Debian and RHEL): When hostname is called, the value returned must be an FQDN, resolvable via DNS.
Failure text: Your server's hostname is not fully qualified or resolvable. This is required in order to prevent certain classes of attack.
Severity: ERROR

Task: basic
Title: Supported OS
Method (Debian and RHEL): Check 'uname -s', 'uname -r', 'uname -m', '/etc/issue' and '/etc/*-release' to determine if the OS is one of:
  • Debian 6+
  • RHEL 6
  • CentOS 6
  • Scientific Linux 6
Failure text: You are not running a supported OS. Moonshot may not work as indicated in the documentation.
Severity: WARN

Task: basic
Title: Moonshot repository configuration
Debian method: Check apt-cache policy for the moonshot repositories.
RHEL method: Check yum repolist for the moonshot repositories.
Failure text: The Moonshot repositories do not appear to exist on this system. You will not be able to upgrade Moonshot using your distribution's package manager.
Severity: WARN

Task: basic
Title: Current version
Debian method: Using apt-get upgrade, are there any pending updates from the moonshot repository?
RHEL method: Using yum update, are there any pending updates from the moonshot repository?
Failure text: You are not running the latest version of the Moonshot software.
Severity: WARN

Task: client
Title: gss/mech
Debian method: Does /usr/etc/gss/mech exist, does it have permissions of 644, and does it contain the following lines:
  • eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
  • eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
RHEL method: Does /etc/gss/mech exist, does it have permissions of 644, and does it contain the following lines:
  • eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
  • eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
Failure text: The Moonshot mech file is missing; mech_eap.so will not be loaded.
Severity: ERROR

Task: ssh-client
Title: GSSAPIAuthentication enabled
Method (Debian and RHEL): Using augeas and /etc/ssh/ssh_config, is 'GSSAPIAuthentication' set to 'yes'?
Failure text: GSSAPIAuthentication must be enabled for Moonshot to function when using SSH.
Severity: ERROR

Task: ssh-client
Title: GSSAPIKeyExchange enabled
Method (Debian and RHEL): Using augeas and /etc/ssh/ssh_config, is 'GSSAPIKeyExchange' set to 'yes'?
Failure text: GSSAPIKeyExchange should be enabled for Moonshot to function correctly when using SSH.
Severity: WARN

Task: ssh-server
Title: Privilege separation disabled
Method (Debian and RHEL): Using augeas and /etc/ssh/sshd_config, is 'UsePrivilegeSeparation' set to 'no'?
Failure text: Moonshot currently requires that OpenSSH server has privilege separation disabled.
Severity: ERROR

Task: ssh-server
Title: GSSAPIAuthentication
Method (Debian and RHEL): Using augeas and /etc/ssh/sshd_config, is 'GSSAPIAuthentication' set to 'yes'?
Failure text: GSSAPIAuthentication must be enabled for Moonshot to function when using SSH.
Severity: ERROR
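The following is an added example, not the Moonshot project's own moonshot-readiness script: a small POSIX sh sketch of the structure described under "Structure" and of a few of the checks in the table above (hostname is FQDN, gss/mech, the ssh_config and sshd_config options). Task parents follow the task table; each check carries a severity so that ERROR failures print FAIL and WARN failures print WARN, as the page specifies. The function names (task_chain, run_check, run_task and so on) are this example's own, the augeas lookup is replaced by an awk search that mimics ssh's first-match, case-insensitive handling of option keys, the DNS resolvability part of the hostname check is omitted, and the files to inspect are passed in as arguments so the checks can run against the constructed sample files that make_samples writes rather than against the live system.

```shell
#!/bin/sh
# Added example (not the Moonshot project's script): readiness checks with
# task dependencies and severities in the shape the page describes.
# Only a subset of the page's checks is modelled; paths are parameters.

# Parent task for each task (chain taken from the page's task table).
task_parent() {
  case "$1" in
    basic)      echo "" ;;
    client|rp)  echo basic ;;
    ssh-client) echo client ;;
    ssh-server) echo rp ;;
    *)          return 1 ;;
  esac
}

# Print the dependency chain for a task, parents first, e.g. basic client ssh-client.
task_chain() {
  parent=$(task_parent "$1") || return 1
  [ -n "$parent" ] && task_chain "$parent"
  echo "$1"
}

# Hostname is FQDN: at least one dot, no empty/leading/trailing labels and only
# hostname characters.  DNS resolvability (also required by the page) is omitted.
check_fqdn() {
  case "$1" in
    ''|.*|*.|*..*) return 1 ;;
    *.*) printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+$' ;;
    *) return 1 ;;
  esac
}

# gss/mech: file exists, mode is 644 and both Moonshot EAP mechanism lines are present.
check_mech_file() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-r--r--" ] || return 1
  grep -qF 'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so' "$1" &&
  grep -qF 'eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so' "$1"
}

# First effective value of an option in an ssh_config/sshd_config style file,
# lower-cased.  Keys are case-insensitive and the first match wins, as ssh
# applies them; this stands in for the augeas lookup named on the page.
ssh_option() {
  awk -v key="$2" 'BEGIN { key = tolower(key) }
    /^[[:space:]]*(#|$)/ { next }
    tolower($1) == key   { print $2; exit }' "$1" | tr '[:upper:]' '[:lower:]'
}
check_ssh_option() { [ "$(ssh_option "$1" "$2")" = "$3" ]; }

# Run one check and print "title...  [OKAY|FAIL|WARN]"; returns 1 only for a
# fatal (FAIL) result.  $1=title, $2=ERROR|WARN, rest=check command and args.
run_check() {
  title=$1; severity=$2; shift 2
  rc=0; "$@" || rc=$?
  if [ "$rc" -eq 0 ]; then status=OKAY
  elif [ "$severity" = ERROR ]; then status=FAIL
  else status=WARN; fi
  printf '    %-48s[%s]\n' "$title..." "$status"
  [ "$status" != FAIL ]
}

# Run the whole task chain for $1 against $2=hostname, $3=mech file,
# $4=ssh (or sshd) config file.  Returns the number of fatal failures.
run_task() {
  fatal=0
  for t in $(task_chain "$1"); do
    echo "  Testing task $t..."
    case "$t" in
      basic)  run_check "Hostname is fqdn" ERROR check_fqdn "$2" || fatal=$((fatal+1)) ;;
      client) run_check "gss/mech" ERROR check_mech_file "$3" || fatal=$((fatal+1)) ;;
      ssh-client)
        run_check "GSSAPIAuthentication" ERROR check_ssh_option "$4" GSSAPIAuthentication yes || fatal=$((fatal+1))
        run_check "GSSAPIKeyExchange" WARN check_ssh_option "$4" GSSAPIKeyExchange yes || fatal=$((fatal+1)) ;;
      ssh-server)
        run_check "Privilege separation disabled" ERROR check_ssh_option "$4" UsePrivilegeSeparation no || fatal=$((fatal+1))
        run_check "GSSAPIAuthentication" ERROR check_ssh_option "$4" GSSAPIAuthentication yes || fatal=$((fatal+1)) ;;
    esac
  done
  return "$fatal"
}

# Constructed sample files (not taken from any real system), written under $1.
make_samples() {
  printf '%s\n' 'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so' \
                'eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so' > "$1/mech"
  chmod 644 "$1/mech"
  printf '%s\n' '# constructed ssh_config' 'Host *' \
                '    GSSAPIAuthentication no' '    GSSAPIKeyExchange yes' > "$1/ssh_config"
}

# Stand-alone demo mirroring the page's "moonshot-readiness ssh-client" run:
# the gss/mech check passes, GSSAPIAuthentication fails fatally.
demo() {
  dir=$(mktemp -d) || return 1
  make_samples "$dir"
  run_task ssh-client host.example.org "$dir/mech" "$dir/ssh_config"
  echo "  Test complete, fatal failures: $?"
  rm -rf "$dir"
}
demo
```

The exit status of run_task is the count of FAIL results, so a wrapper can stop (or a configuration-management run can flag the host) when it is non-zero, while WARN results are reported but do not affect the status. Checking the mode string from ls rather than stat keeps the permission test portable between Debian and RHEL userlands.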
      
      

Dependencies

Dependency | Available
Augeas     | apt-get install au