OpenSSH is a freely available version of the SSH connectivity tools, and is the standard implementation of SSH shipped by most Linux distributions. See http://www.openssh.org/ for more information.

Overview

When using OpenSSH as an SSH client, Moonshot is natively supported provided it has been built with GSS-API support.

This is only true for OpenSSH as a client - if you want a Moonshot enabled OpenSSH server, see the OpenSSH Server section.


Alpine Linux does not build OpenSSH with GSS-API support. Hence, Alpine Linux Moonshot users will need to install the OpenSSH version from the Moonshot repository, by using:

apk add openssh-client@moonshot


Installation Instructions

This software does not require any special installation instructions - install it as you normally would.

Configuration Instructions

The OpenSSH client only needs a few quick tweaks in order to enable Moonshot support.

For more information on the SSH client configuration, visit the ssh_config(5) man page.

It is worth remembering the order in which the SSH client obtains its options: command-line options first, then the user's ~/.ssh/config, then the system-wide /etc/ssh/ssh_config. For each option the first value obtained is used, so a setting from an earlier source, or from an earlier Host block in the same file, overrides any later one.


Moonshot is a GSSAPI-based mechanism. Using any of the below configuration instructions to control Moonshot may have an undesirable effect on other GSSAPI-based mechanisms, such as Kerberos or GSI authentication.

Configuring the OpenSSH client globally

Configure the OpenSSH client to use Moonshot by editing /etc/ssh/ssh_config. Check the following lines are present and uncommented:

GSSAPIAuthentication yes
GSSAPIKeyExchange no

You can put these declarations in Host blocks if you wish them to only apply to some hosts.

Note that GSSAPIKeyExchange is not an option of upstream OpenSSH: it comes from the GSSAPI key exchange patch that several distributions (Debian and Ubuntu among them) apply to their builds. A client built without that patch rejects the line as a bad configuration option and exits, so omit it on such builds (they have no GSSAPI key exchange to disable).

Configuring the OpenSSH client locally

Configure the OpenSSH client to use Moonshot by editing ~/.ssh/config. Check the following lines are present and uncommented:

GSSAPIAuthentication yes
GSSAPIKeyExchange no

You can put these declarations in a Host block if you wish them to only apply to some hosts.

Additionally, you can change the type or order of authentication methods the client tries by overriding the PreferredAuthentications option in your ~/.ssh/config file. The default, shown here for a build with the GSSAPI key exchange patch (an unpatched build has no gssapi-keyex method), is:

PreferredAuthentications gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password

Write the list comma-separated without spaces or quotes: each entry is matched against the method names exactly, so an entry with a leading space is not recognised. Methods that are not listed are never tried.

You can put your changed declaration in Host blocks if you wish it to only apply to some hosts.

For more information on how to customise the local ssh_config file to suit your preferences, visit Nerderati's page on SSH configuration. 
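As an added example (not code from the Moonshot project or from OpenSSH), the following shell snippet prints a ~/.ssh/config fragment that applies the settings above to one Moonshot host only, and checks what the client will actually use for a host by reading the output of ssh -G, which prints the merged effective configuration without connecting. The host names are the placeholders used on this page; the function names, the exit codes and the sample file layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Moonshot project or OpenSSH. Host names are the
# placeholders used on this page; function names and exit codes are assumptions.

# Print a ~/.ssh/config fragment that enables Moonshot (GSSAPI) for one host and
# leaves GSSAPI off everywhere else. The host-specific block must come first:
# ssh keeps the FIRST value it finds for each option, so a "Host *" block placed
# above it would win instead. Drop the "Host *" block if you also use Kerberos.
write_sample_config() {
  cat <<'EOF'
Host moonshot.camford.ac.uk
    GSSAPIAuthentication yes
    GSSAPIKeyExchange no
    PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password

Host *
    GSSAPIAuthentication no
EOF
}

# Read "ssh -G <host>" output from stdin (lower-case option names, one per line)
# and report whether the effective settings for that host are what Moonshot needs.
# Returns 0 if GSSAPI authentication is on, GSSAPI key exchange is off and
# gssapi-with-mic is in the preferred list; 1 if any of those is wrong; 2 if the
# build reports no gssapikeyexchange option at all (unpatched upstream OpenSSH),
# in which case a GSSAPIKeyExchange line in ssh_config would be rejected.
check_gss_options() {
  auth="" keyex="" pref=""
  while read -r key value; do
    case $key in
      gssapiauthentication)     auth=$value ;;
      gssapikeyexchange)        keyex=$value ;;
      preferredauthentications) pref=$value ;;
    esac
  done
  if [ -z "$keyex" ]; then
    echo "gssapikeyexchange not reported: this OpenSSH has no GSSAPI key exchange support"
    return 2
  fi
  status=0
  [ "$auth" = yes ] || { echo "GSSAPIAuthentication is '$auth', expected yes"; status=1; }
  [ "$keyex" = no ] || { echo "GSSAPIKeyExchange is '$keyex', expected no for Moonshot"; status=1; }
  case ",$pref," in
    *,gssapi-with-mic,*) ;;
    *) echo "PreferredAuthentications ($pref) does not include gssapi-with-mic"; status=1 ;;
  esac
  [ "$status" -eq 0 ] && echo "Moonshot-ready: GSSAPI auth on, GSSAPI key exchange off"
  return "$status"
}

# Usage (ssh -G exists in OpenSSH 6.8 and later and does not connect):
#   write_sample_config >> ~/.ssh/config
#   ssh -G moonshot.camford.ac.uk | check_gss_options
```

ssh -G cannot tell you whether the binary was built with GSS-API support at all, because the options are parsed either way; on most distributions ldd "$(command -v ssh)" | grep -i gssapi shows whether a GSS-API library is linked in.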

Configuring the OpenSSH client on the command-line

You can configure the OpenSSH client on its command-line to use Moonshot.

  1. To enable GSSAPI authentication, use the -K switch (it also enables delegation of GSSAPI credentials to the server, which Moonshot does not use):

    ssh -K moonshot.camford.ac.uk


  2. To not use GSSAPI, turn the option off with -o. Note that the -k switch only disables delegation of GSSAPI credentials; it does not disable GSSAPI authentication:

    ssh -o GSSAPIAuthentication=no terminals.camford.ac.uk


  3. To change the preferred authentication mechanisms for the specific host you are connecting to, use the -o switch with the PreferredAuthentications option. Methods not listed are never tried, so a list without the gssapi methods is another way of keeping GSSAPI out:

    ssh -o PreferredAuthentications=publickey,password terminals.camford.ac.uk


Credential forwarding and proxying

The standard OpenSSH client supports proxying. The Moonshot standards currently do not support credential forwarding or credential delegation, so a Moonshot identity cannot be handed from one host to the next. Instead, use the OpenSSH ProxyCommand option, together with either the netcat(1) utility or the -W option, to tunnel each hop through the previous one: every host in the chain is then authenticated directly from your workstation with your own Moonshot credentials, and nothing needs to be forwarded. OpenSSH 7.3 and later can express the same chain with the ProxyJump option or the -J switch.

  1. Configure the OpenSSH configuration to set the ProxyCommand by editing ~/.ssh/config. Either run netcat on the intermediate host:

    Host your.final.host
    ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host nc %h %p 2>/dev/null


    or, with OpenSSH 5.4 or later, use the client's built-in -W option, which needs no netcat on the intermediate host:

    Host your.final.host
    ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host -W %h:%p 2>/dev/null


    When using the Moonshot Identity Selector to store your credentials, you must use the -X switch in the ProxyCommand command-line to forward X11 connections.


    To create a chain of intermediate proxies, create separate Host entries to set up different proxy connections, each one using the previous host in the chain as its proxy.


  2. To initiate your connection to the end host, simply connect to it with the usual command-line:

    ssh username@your.final.host


    When using the nulluser patch (included in the build of OpenSSH in the Moonshot repository), specifying the -l "" option will function throughout the proxy chain.


For more information on SSH proxy forwarding, see SSHMenu: Transparent Multihop.
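As an added example (not code from the Moonshot project or from OpenSSH), the following shell snippet generalises the single-hop entry above to a chain of any length: it emits one Host entry per hop, each tunnelled through the previous hop with -W, and prints the equivalent single -J command line for OpenSSH 7.3 and later. The host names are placeholders in the style of this page; the function names are assumptions, and the login name per hop is left to a User line in each block (or to the nulluser patch mentioned above).

```shell
#!/bin/sh
# Added example, not code from the Moonshot project. Host names are placeholders
# in the style of this page; function names are assumptions. Add a "User" line
# inside a Host block if the login name for that hop differs.

# gen_chain_config FINAL_HOST HOP1 [HOP2 ...]
# Emit one Host entry per host in the chain hop1 -> hop2 -> ... -> final. Every
# entry after the first uses ProxyCommand to open a forwarding-only session
# (-W, no shell) through the preceding hop, so each hop is authenticated
# straight from this machine with your Moonshot identity: nothing is delegated.
gen_chain_config() {
  final=$1
  shift
  prev=""
  for host in "$@" "$final"; do
    printf 'Host %s\n' "$host"
    printf '    GSSAPIAuthentication yes\n'
    printf '    GSSAPIKeyExchange no\n'
    if [ -n "$prev" ]; then
      # -X is only needed when the Moonshot Identity Selector must pop up for this hop
      printf '    ProxyCommand ssh -X -K %s -W %%h:%%p 2>/dev/null\n' "$prev"
    fi
    printf '\n'
    prev=$host
  done
}

# proxyjump_cmd FINAL_HOST HOP1 [HOP2 ...]
# The same chain as one command line for OpenSSH 7.3 or later: -J makes ssh
# build the -W ProxyCommand chain itself. The intermediate connections are
# started by ssh, not by you, so they take GSSAPIAuthentication from ssh_config
# (for example from the blocks gen_chain_config prints); -K here only affects
# the final hop, and -X cannot be added to the generated intermediate commands.
proxyjump_cmd() {
  final=$1
  shift
  jumps=""
  for host in "$@"; do
    jumps="${jumps:+$jumps,}$host"
  done
  printf 'ssh -K -J %s %s\n' "$jumps" "$final"
}

# Usage:
#   gen_chain_config your.final.host hop1.camford.ac.uk hop2.camford.ac.uk >> ~/.ssh/config
#   ssh username@your.final.host
#   proxyjump_cmd your.final.host hop1.camford.ac.uk hop2.camford.ac.uk
```

With the generated entries in place, ssh username@your.final.host starts the hop1 session, tunnels the hop2 session through it, and tunnels the final session through hop2, authenticating each one from your workstation; the Identity Selector is asked for a credential once per hop.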

Server Compatibility

The following servers are known to work with this client software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that server):