No released version of OpenSSH natively supports Moonshot, but patches are available for OpenSSH v5.3 and v5.9 that fix the issues preventing it from working. Ultimately we hope these patches will become a standard part of OpenSSH, so that it works with Moonshot without any extra effort.
In the tables below, the icons have the following meanings:
- This version of the software has been tested and verified as supporting Moonshot.
- This version of the software has been tested and verified as not supporting Moonshot.
- This version of the software has not yet been tested thoroughly and its status is not known. Let us know if you have tried it and whether it worked or not!
2.2. Compatibility List
Note that using the supported versions of this software requires a Moonshot-compatible client; see the next section for details on which clients are supported.
Any versions not listed below have not yet been tested. If you test one, please let us know!
| OS version | Compatible? | Packages Available? | Notes |
|---|---|---|---|
| CentOS 6 | | | Must re-compile by hand. Instructions available. |
| Debian 7 | | | Using our pre-compiled package. |
| RHEL 6 | | | Must re-compile by hand. Instructions available. |
| Scientific Linux 6 | | | Must re-compile by hand. Instructions available. |
3. Installation & Configuration Instructions
How you set up a Moonshot-enabled version of the OpenSSH server will differ depending on your OS. See the relevant pages for your particular distribution:
4. Client Compatibility
The following clients are known to work with this server software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that client):
5. Next Steps
Once you have installed the software, what happens next?
5.1. Account Mapping
To Come: SSH specific account mapping advice
5.1.1. Mapping to an account specified in a SAML attribute
Moonshot uses the Shibboleth libraries to parse RADIUS and SAML attributes. An IdP can embed SAML assertions inside its RADIUS responses, which lets it apply a very fine-grained authorisation policy. One use of this is to let the Moonshot IdP specify which local account the user should log in to on your SSH server: the IdP sends a username in a SAML attribute, and your server maps that attribute to a local user account (via local-login-user).
Edit /etc/shibboleth/shibboleth2.xml and insert the following lines if they are not already present (note that they should go directly after the opening <SPConfig ... clockSkew="180"> stanza):
Edit /etc/shibboleth/attribute-map.xml and find the SAML attribute that the Moonshot IdP will be sending you that contains the username:
We want to map from the incoming SAML2 representation of "eduPersonEntitlement"
Change the id of the attribute to "local-login-user":
We change the attribute defining the SAML2 representation of "eduPersonEntitlement" such that its id becomes "local-login-user"
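The attribute-map.xml change described above, shown as an added example rather than the page's own snippet. It assumes the IdP sends eduPersonEntitlement under its standard SAML 2 name, urn:oid:1.3.6.1.4.1.5923.1.1.1.7; substitute whatever name your IdP actually uses.

```xml
<!-- Added example: /etc/shibboleth/attribute-map.xml, not the original page's snippet. -->

<!-- BEFORE: the stock Shibboleth SP mapping for the SAML 2 representation of
     eduPersonEntitlement. The attribute arrives but nothing consumes it as a
     login name. The OID is the standard SAML 2 name for this attribute and is
     an assumption about what your IdP sends. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eduPersonEntitlement"/>
</Attributes>

<!-- AFTER: the same SAML attribute, with its id changed to local-login-user so
     the value the IdP asserts selects the local account the user logs in to.
     Only the id changes; the name (what the IdP sends) stays as it was. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="local-login-user"/>
</Attributes>
```

Because this value decides which local account a remote user lands in, make sure only the IdPs you trust for that decision are allowed to assert it; the Shibboleth SP's attribute-policy.xml is where such a filter is applied.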