The Linux Console is the text-based interface to a Linux system.
Moonshot-enabling the Linux Console requires the use of pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss has to work in a way that is not generally recommended with Moonshot: the client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. As a consequence, the user's credentials (NAI and password) are exposed directly to a device which is not the user's. It should therefore only be deployed where the implications and the risk are fully understood:
Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.
Moonshot-enabling the Linux console is achieved through the use of a PAM module.
In the tables below, the following icons have the following meanings:
Installation & Configuration
How you set up a Moonshot-enabled version of the Linux Console will differ depending on your OS. See the relevant pages for your particular distribution:
Moonshot by default uses Shibboleth libraries to parse RADIUS and SAML attributes.
SAML assertions can be embedded inside RADIUS responses by the IdP, allowing an IdP to exercise a very fine-grained authorisation policy. One potential use of this is to allow the Moonshot IdP to specify which account the user should log in to your Linux console as. RADIUS attributes, such as the
Mapping to an account specified in a SAML attribute
To map an attribute in a SAML assertion embedded in a RADIUS response, your Linux console maps that to a local user account (via
Further mapping options
Logging into the Linux Console using Moonshot
The user experience of logging into the Linux Console is different from the usual experience when using Moonshot (see the warning at the start of this page).
To do so, do the following: