You are viewing an old version of this page (version 23).

This page documents a script currently under development.  The document will be updated with information on how to download the script when it is tested and complete.

Background

Moonshot requires a number of setup steps to be performed before it works smoothly. Verifying that they have been carried out can be automated, i.e. a script can check that certain important but easy-to-confirm things are in place.

Usage

$ moonshot-readiness
usage: moonshot-readiness [task] [task]...

  Available tasks:
    minimal (default)
    client
    rp
    rp-proxy
    idp-proxy
    ssh-client
    ssh-server

$ moonshot-readiness client ssh-client
  Testing task basic...
    Hostname is fqdn...                             [OKAY]
    Supported OS...                                 [OKAY]
    Moonshot repositories configured...             [FAIL]

  Testing task client...
    gss/mech...                                     [OKAY]
    mech_eap.so in library path...                  [FAIL]

  Testing task ssh-client...
    GSSAPIAuthentication...                         [FAIL]
    GSSAPIKeyExchange...                            [OKAY]

  Test complete, failed tests:
    Moonshot repositories configured:
      Without the moonshot repositories configured, you will not be able to update to the latest versions of the moonshot code.
    mech_eap.so in library path:
      mech_eap.so was not found in your ld configuration - this may mean you've installed the Moonshot libraries in a non-default location.
    GSSAPIAuthentication:
      Your SSH client is not configured for GSSAPI authentication. Moonshot will not work.

Structure

Each 'task' defines a number of items to check, what the valid response is, and a message to display in the event of the test failing. Tasks also list a parent task that they depend on (e.g. ssh-client depends on client, which in turn depends on basic, so those are tested as well when testing for ssh-client, as in the usage example above). Fatal failed tests should be displayed as FAIL, non-fatal ones as WARN, and successful tests as OKAY.
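
The structure just described, as an added example that is not part of this page or of the moonshot-readiness script itself: a small POSIX shell implementation with parent-task resolution, ERROR/WARN severities, OKAY/FAIL/WARN display and a failure summary in the format of the usage output above. Task names, severities, messages and the gss/mech, radsec.conf and ssh_config paths come from this page; the repository-list path under ROOT and the helper names (task_parent, resolve_tasks, run_check, run_task, readiness) are assumptions of the example, and every check runs against a constructed directory tree so that it works offline.

```shell
#!/bin/sh
# Added example, not the moonshot-readiness script: the task/check structure
# described on the page. All paths are looked up under ROOT so the checks can
# run against a constructed tree; the sources.list.d path is an assumption.

# Parent task of each task ("none" for the root). The page lists ssh-server
# as openssh-rp, depending on rp.
task_parent() {
    case "$1" in
        client|rp)               echo basic ;;
        rp-proxy|idp|ssh-server) echo rp ;;
        ssh-client)              echo client ;;
        *)                       echo none ;;
    esac
}

# Expand the requested tasks into the ordered list that must actually be
# tested: ancestors first, each task only once, one task per output line.
resolve_tasks() {
    out=""
    for t in "$@"; do
        chain=""
        while [ "$t" != none ]; do
            chain="$t $chain"            # prepend, so basic comes first
            t=$(task_parent "$t")
        done
        for c in $chain; do
            case " $out " in
                *" $c "*) ;;             # already scheduled
                *) out="$out $c" ;;
            esac
        done
    done
    for c in $out; do echo "$c"; done
}

FAILED=""   # summary text for the failed checks
FATAL=0     # number of failed ERROR-severity checks

# run_check TITLE SEVERITY MESSAGE COMMAND [ARG...]
# Runs COMMAND and prints OKAY, FAIL (ERROR severity) or WARN (WARN
# severity); a failure is appended to the summary.
run_check() {
    title=$1; severity=$2; message=$3; shift 3
    if "$@" >/dev/null 2>&1; then
        status=OKAY
    else
        if [ "$severity" = ERROR ]; then status=FAIL; FATAL=$((FATAL + 1)); else status=WARN; fi
        FAILED="${FAILED}    ${title}:
      ${message}
"
    fi
    printf '    %-48s[%s]\n' "$title..." "$status"
}

# The checks belonging to one task (a subset of the page's tests).
run_task() {
    echo "  Testing task $1..."
    case "$1" in
        basic)
            # assumed location of the repository list
            run_check "Moonshot repositories configured" WARN \
                "Without the moonshot repositories configured, you will not be able to update to the latest versions of the moonshot code." \
                test -f "$ROOT/etc/apt/sources.list.d/moonshot.list" ;;
        client)
            run_check "gss/mech" ERROR \
                "The Moonshot mech file is missing; mech_eap.so will not be loaded." \
                grep -q mech_eap.so "$ROOT/etc/gss/mech" ;;
        rp)
            run_check "/etc/radsec.conf" ERROR \
                "/etc/radsec.conf could not be found - you may not be able to communicate with your rp-proxy." \
                test -f "$ROOT/etc/radsec.conf" ;;
        ssh-client)
            run_check "GSSAPIAuthentication" ERROR \
                "Your SSH client is not configured for GSSAPI authentication. Moonshot will not work." \
                grep -Eqi '^[[:space:]]*GSSAPIAuthentication[[:space:]]+yes' "$ROOT/etc/ssh/ssh_config" ;;
    esac
    echo
}

# readiness ROOT TASK... : run the resolved tasks; the exit status is 0 only
# when no ERROR-severity check failed (WARN failures are non-fatal).
readiness() {
    ROOT=$1; shift
    FAILED=""; FATAL=0
    for t in $(resolve_tasks "$@"); do run_task "$t"; done
    if [ -n "$FAILED" ]; then
        echo "  Test complete, failed tests:"
        printf '%s' "$FAILED"
    fi
    [ "$FATAL" -eq 0 ]
}

# Stand-alone demonstration on a constructed tree: gss/mech is absent, so
# task client reports FAIL and the run is fatal.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/ssh"
echo "GSSAPIAuthentication yes" > "$DEMO/etc/ssh/ssh_config"
readiness "$DEMO" client ssh-client || true
rm -rf "$DEMO"
```

Each task's checks are kept in one place (run_task) and the dependency walk is separate (resolve_tasks), so adding a task means adding one case branch and one parent entry; the exit status lets the script be used from other tooling, with WARN-level failures reported but not fatal.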

Tasks

Task            Dependency  Description
basic           none        Basic set of tests, required for Moonshot to function at all in any capacity
client          basic       Fundamental tests required for Moonshot to function as a client
rp              basic       Fundamental tests required for Moonshot to function as an RP
rp-proxy        rp          Tests required for Moonshot to function as a RadSec RP
idp             rp          Tests to verify that FreeRADIUS is correctly configured
openssh-client  client      Tests to verify that the openssh-client is correctly configured
openssh-rp      rp          Tests to verify that the openssh-server is correctly configured
httpd-client    client      Tests to verify that mod-auth-gssapi is correctly configured
httpd-rp        rp          Tests to verify that mod-auth-gssapi is correctly configured

Tests

Each test has an ID, the task it belongs to, a title, the method used on Debian and on RHEL (a single method where both are the same), the text shown on failure, and a severity (ERROR or WARN).

1. Hostname is FQDN (task basic, ERROR)
   Method: check that the value returned by hostname is an FQDN, using dig.
   Failure text: Your server's hostname is not fully qualified or resolvable. This is required in order to prevent certain classes of attack.

2. Supported OS (task basic, WARN)
   Method: check 'uname -s', 'uname -r', 'uname -m', '/etc/issue' and '/etc/*-release' to determine whether the OS is one of:
     • Debian 6+
     • RHEL 6
     • CentOS 6
     • Scientific Linux 6
   Failure text: You are not running a supported OS. Moonshot may not work as indicated in the documentation.

3. Moonshot repository configuration (task basic, WARN)
   Debian method: check apt-cache policy for the moonshot repositories.
   RHEL method: check yum repolist for the moonshot repositories.
   Failure text: The Moonshot repositories do not appear to exist on this system. You will not be able to upgrade Moonshot using your distribution's package manager.

4. Moonshot Signing Key (task basic, WARN)
   Debian method: check apt-key list for the moonshot signing key.
   Failure text: The Moonshot repository key is not installed; you will have difficulty updating packages.

5. Current version (task basic, WARN)
   Debian method: using apt-get upgrade, are there any pending updates from the moonshot repository?
   RHEL method: using yum update, are there any pending updates from the moonshot repository?
   Failure text: You are not running the latest version of the Moonshot software.

6. /etc/radsec.conf (task rp, ERROR)
   Method: check that radsec.conf exists.
   Failure text: /etc/radsec.conf could not be found - you may not be able to communicate with your rp-proxy.

7. APC (task rp-proxy, ERROR)
   Method: using nc, check whether port 2083 is open on apc.moonshot.ja.net.
   Failure text: apc.moonshot.ja.net does not seem to be accessible. Please check the server's network connection, and see status.moonshot.ja.net for any downtime or maintenance issues.

8. Trust Router (task rp-proxy, ERROR)
   Method: using nc, check whether port 12309 is open on tr1.moonshot.ja.net.
   Failure text: tr1.moonshot.ja.net does not seem to be accessible. Please check the server's network connection, and see status.moonshot.ja.net for any downtime or maintenance issues.

9. flatstore-users (task rp-proxy, ERROR)
   Method: does /etc/moonshot/flatstore-users contain:
     • root
     • freerad
   Failure text: /etc/moonshot/flatstore-users could not be found, or does not contain all the user accounts it needs to. You may be unable to authenticate to the trust router.

10. Trust Identity (task rp-proxy, ERROR)
   Debian method: does /etc/freeradius/.local/share/moonshot-ui/identities.txt exist?
   RHEL method: does /etc/raddb/.local/share/moonshot-ui/identities.txt exist?
   Failure text: No trust identity could be found for the freeradius user account. You will not be able to authenticate to the trust router.

11. Port 2083 (task idp, ERROR)
   Method: using nc, check whether port 2083 is open on the current host.
   Failure text: Port 2083 appears to be closed. RPs will not be able to initiate connections to your IDP.

12. Port 12309 (task idp, ERROR)
   Method: using nc, check whether port 12309 is open on the current host.
   Failure text: Port 12309 appears to be closed. The trust router will not be able to initiate connections to your IDP.

13. flatstore-users (task idp, ERROR)
   Method: does /etc/moonshot/flatstore-users contain:
     • root
     • freerad
   Failure text: /etc/moonshot/flatstore-users could not be found, or does not contain all the user accounts it needs to. You may be unable to authenticate to the trust router.

14. Trust Identity (task idp, ERROR)
   Debian method: does /etc/freeradius/.local/share/moonshot-ui/identities.txt exist?
   RHEL method: does /etc/raddb/.local/share/moonshot-ui/identities.txt exist?
   Failure text: No trust identity could be found for the freeradius user account. You will not be able to authenticate to the trust router.

15. gss/mech (task client, ERROR)
   Debian method: does /usr/etc/gss/mech exist, does it have permissions of 644, and does it contain the following lines:
     • eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
     • eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
   RHEL method: does /etc/gss/mech exist, does it have permissions of 644, and does it contain the following lines:
     • eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
     • eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
   Failure text: The Moonshot mech file is missing; mech_eap.so will not be loaded.

16. GSSAPIAuthentication enabled (task ssh-client, ERROR)
   Method: using augeas, verify that /etc/ssh/ssh_config has 'GSSAPIAuthentication' set to 'yes'.
   Failure text: GSSAPIAuthentication must be enabled for Moonshot to function when using SSH.

17. GSSAPIKeyExchange enabled (task ssh-client, WARN)
   Method: using augeas, verify that /etc/ssh/ssh_config has 'GSSAPIKeyExchange' set to 'yes'.
   Failure text: GSSAPIKeyExchange should be enabled for Moonshot to function correctly when using SSH.

18. Privilege separation disabled (task ssh-server, ERROR)
   Method: using augeas, verify that /etc/ssh/sshd_config has 'UsePrivilegeSeparation' set to 'no'.
   Failure text: Moonshot currently requires that the OpenSSH server has privilege separation disabled.

19. GSSAPIAuthentication (task ssh-server, ERROR)
   Method: using augeas, verify that /etc/ssh/sshd_config has 'GSSAPIAuthentication' set to 'yes'.
   Failure text: GSSAPIAuthentication must be enabled for Moonshot to function when using SSH.
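
Shell implementations of tests 1, 9/13, 15 and 16 to 19 from the table, as an added example that is not the script's own code. Each function takes the file or value to inspect as an argument so it can be run against constructed fixtures. The function names are our own; the mechanism names, OIDs, user names and SSH option names are those given in the table. Three substitutions are assumptions of the example: the FQDN test checks only the syntactic part and leaves resolution to dig; flatstore-users is assumed to hold one entry per line with the user name first; and the SSH option lookup is a plain awk substitute for augeas that does not model Host/Match scoping.

```shell
#!/bin/sh
# Added example, not the moonshot-readiness script: implementations of a few
# of the tests in the table. Each returns 0 when the check passes and 1
# otherwise, so they can be wired directly to the OKAY/FAIL/WARN display.

# Test 1 (syntactic part): at least one dot, valid DNS labels, and not
# localhost. Resolution is left to dig (e.g. dig +short "$name" A), which
# needs the network and is not exercised here.
is_fqdn() {
    case "$1" in
        localhost|localhost.*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\.?$'
}

# Tests 9 and 13: check_flatstore_users FILE USER... - every USER must be
# listed. Assumed format: one entry per line, user name first, optionally
# followed by ':' or whitespace.
check_flatstore_users() {
    f=$1; shift
    [ -f "$f" ] || return 1
    for u in "$@"; do
        grep -Eq "^$u([[:space:]:]|\$)" "$f" || return 1
    done
}

# Test 15: the mech file must exist, be mode 644 (GNU stat) and list both
# EAP mechanisms with their OIDs and mech_eap.so.
check_gss_mech() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(stat -c %a "$f")" = 644 ] || return 1
    grep -Eq '^[[:space:]]*eap-aes128[[:space:]]+1\.3\.6\.1\.5\.5\.15\.1\.1\.17[[:space:]]+mech_eap\.so' "$f" || return 1
    grep -Eq '^[[:space:]]*eap-aes256[[:space:]]+1\.3\.6\.1\.5\.5\.15\.1\.1\.18[[:space:]]+mech_eap\.so' "$f"
}

# ssh_option FILE KEYWORD: print the first effective value of KEYWORD.
# OpenSSH keywords are case-insensitive and may be written "Key value",
# "Key=value" or "Key = value"; comments and blank lines are skipped, and
# because OpenSSH uses the first value it obtains, the first match wins.
ssh_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            sub(/^[ \t]+/, "")
            n = split($0, f, /[ \t=]+/)
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# Tests 16 to 19: check_ssh_option FILE KEYWORD EXPECTED. The value is
# compared case-insensitively, as OpenSSH treats yes/no arguments.
check_ssh_option() {
    [ "$(ssh_option "$1" "$2" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# Tests 7, 8, 11 and 12: TCP reachability with nc (network required, so not
# part of the stand-alone demonstration below).
port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# Stand-alone demonstration on constructed fixtures.
DEMO=$(mktemp -d)
printf 'eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so\neap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so\n' > "$DEMO/mech"
chmod 644 "$DEMO/mech"
printf 'root\nfreerad\n' > "$DEMO/flatstore-users"
printf '# client defaults\nHost *\n    GSSAPIAuthentication yes\n    GSSAPIKeyExchange = no\n' > "$DEMO/ssh_config"
for c in "is_fqdn rp1.moonshot.example.org" "is_fqdn rp1" \
         "check_gss_mech $DEMO/mech" \
         "check_flatstore_users $DEMO/flatstore-users root freerad" \
         "check_ssh_option $DEMO/ssh_config GSSAPIAuthentication yes" \
         "check_ssh_option $DEMO/ssh_config GSSAPIKeyExchange yes"; do
    if $c; then echo "OKAY  $c"; else echo "FAIL  $c"; fi
done
rm -rf "$DEMO"
```

The mech-file and flatstore checks deliberately fail on a file that exists but lacks an entry, so the failure text in the table ("does not contain all the user accounts it needs to") matches what the check actually detects; the SSH lookup takes the first occurrence of a keyword rather than the last, because a later duplicate is ignored by OpenSSH and a check that read the last value would report success for a setting that is never applied.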

Dependencies

For each dependency: how it is made available (the install command, where one is needed), and its usage.

augeas
  Available: apt-get install augeas-tools (http://augeas.net/)
  Usage: tool for parsing configuration files
    # Parse configuration file
    $ augtool /path/to/configuration.file

dig
  Available: apt-get install dnsutils
  Usage: tool for querying DNS servers
    # Forward query
    $ dig +short @dns.server.address address.to.query.com RECORD
    # Reverse query (-x takes the address as its argument, so it goes last)
    $ dig +short @dns.server.address -x x.x.x.x

hostname
  Available: apt-get install hostname
  Usage: tool for querying the system hostname
    # Query the fully qualified hostname
    $ hostname -f

nc
  Available: apt-get install netcat
  Usage: tool for basic TCP/IP operations
    # Test whether a TCP port is open
    $ nc -zv host.address.com 12309

apt
  Available: -
  Usage: tool for querying the apt package database
    # Query the apt database for configured repositories
    $ apt-cache policy
    # Query for pending updates
    $ apt-get -u upgrade --assume-no

yum
  Available: -
  Usage: tool for querying the rpm package database
    # Query the list of configured repositories
    $ yum repolist
    # Query for pending updates
    $ yum check-update