Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Numberedheadings

System Preparation

Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to configure a 

Installation Instructions

Install pam_gss

Install the pam_gss packages using one of the following commands, according to your OS distribution.

CentOS / RH / SLtruetrue


Debian / Ubuntu / Raspbiantruetrue


Alpine Linuxtruetrue

Configure the .gss_eap_authorized_anchors file

Since the PAM module does not make use of the , a static list of IDP's certificate fingerprints needs to be configured in order to avoid pam_gss accepting a malicious entity impersonating end user's IDP.

That is achieved by creating the file .gss_eap_authorized_anchors in the /root directory. Its format is as follows:

The realm and fingerprint portions are case-insensitive. The fingerprint is the , the realm is the same as the realm in the .

Configuration Instructions

pam_gss is configured by including the following line in the desired /etc/pam.d/ configuration file, right after the execution of the pam_unix module.

true

The configuration file depends on the application and OS you are trying to configure. In particular:

Linux console

Edit the indicated file for your system to make it match the following stanzas:

  • RH / CentOS / SL

    bash/etc/pam.d/system-authtrue


  • Debian / Ubuntu / Raspbian

    bash/etc/pam.d/common-authtrue


  • Alpine Linux


    bash/etc/pam.d/base-authtrue


GDM

Edit the indicated file for your system to make it match the following stanzas:

  • RH / CentOS / SL

    bash/etc/pam.d/password-authtrue


    SElinux

    If SElinux is in Enforcing mode, GDM will not be able to access to /root/.gss_eap_authorized_anchors.

    You can workaround this limitation by running GDM in permissive mode, using the following command:

    true



  • Debian / Ubuntu / Raspbian

    bash/etc/pam.d/common-authtrue


    bash/etc/pam.d/gdm-passwordtrue


ScreensaverIf the screensaver locks the screen, you won't be able to unlock it using your password, as it expect's the password of the local account instead. As a workaround, you must use the "Login as a different user" and log in again. This will actually unlock the session rather than creating a new one.

Account mapping

When you authenticate using your federated identity, it must be mapped into a local account in the system. For doing so, read our General account mapping advice page before you go any further to get an overview of the general options available for mapping federation provided identities to local accounts.

Then refer to our  page.

Logging in using pam_gss

  1. When the application requires a username, use your full NAI (e.g. johnsmith@example.com).
  2. When the application requires a password, use your password as usual.
    1. If you are using the Moonshot 2FA module, you must use your password concatenated with your OTP code (e.g. mypasswdendshere054448)
  3. If successful, you should be logged in as the local user that your account is mapped to (see previous section).

Ensure that the account that the user is being mapped to (via whatever method) actually exists beforehand!


...