Moonshot-enabling the Linux Console requires the use of pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss works in a way that is not recommended with Moonshot - the client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. The consequence of this is that the user's credentials (NAI and password) are exposed directly to a device which is not the user's. Thus, this should only be deployed where the implications and the risk are fully understood:
- Deployers should understand that the credentials of users using the device could be exposed on that device.
- Users should understand that their credential could be exposed and should thus do it only on devices managed by organisations they trust.
Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.
All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).
1. System Preparation
1.1. Add the Moonshot libraries.
If you have not already done so, you first need to follow the instructions on how to configure a RHEL 6 / CentOS 6 / Scientific Linux 6 client.
1.2. Install pam_gss
pam_gss is a PAM module written by Luke Howard (see the pam_gss homepage). The easiest way to install it on RHEL/CentOS/SL 6 is to use Stefan Paetow's pre-compiled pam_gss RPM, available via his Dropbox. Download the zip file, unzip, and install the RPM.
2. Installation Instructions
This software does not require any special installation instructions - install it as you normally would.
3. Configuration Instructions
We need to now configure the Console PAM stack to try Moonshot authentication.
/etc/pam.d/loginfor editing (you might want to make a backup of this file first).
Before the "auth include system-auth" part of the file, insert the following line: