Warning: This page is obsolete. Please refer to the Linux PAM_GSS module (pam_gss) instead.
The Linux Console is the text-based interface to a Linux system.
Overview
Moonshot-enabling the Linux console is achieved through the use of a PAM module.
Compatibility
Key
In the tables below, the following icons have the following meanings:
Compatibility List
Any versions not listed below have not yet been tested. If you do so, please let us know!
- RHEL 6
- Scientific Linux 6
Installation & Configuration
How you set up a Moonshot-enabled version of the Linux Console will differ depending on your OS. See the relevant pages for your particular distribution:
Next Steps
Account Mapping
Moonshot by default uses Shibboleth libraries to parse RADIUS and SAML attributes.
SAML assertions can be embedded inside RADIUS responses by the IdP, allowing an IdP to exercise a very fine-grained authorisation policy. One potential use of this is to allow the Moonshot IdP to specify which account the user should log in to your Linux console as. RADIUS attributes, such as the User-Name attribute, are simply mapped with a special type of Shibboleth attribute. To do this, the IdP passes across a username in a SAML attribute and your server maps that to a local user account (via local-login-user). Enable the functionality in Shibboleth as follows.
Edit /etc/shibboleth/shibboleth2.xml and add the following lines if they don't exist (note that these should go directly after the opening <SPConfig ... clockSkew="180"> stanza).
Insert these lines immediately after the opening stanza:
Modify the OutOfProcess stanza as follows:
Mapping to an account specified in a SAML attribute
To map an attribute in a SAML assertion embedded in a RADIUS response, your Linux console maps that to a local user account (via local-login-user) as follows:
Edit /etc/shibboleth/attribute-map.xml and find the SAML attribute that the Moonshot IdP will be sending you that contains the username.
Example: We want to map from the incoming SAML2 representation of "eduPersonEntitlement".
Change the id of the attribute to "local-login-user".
Example: We change the attribute defining the SAML2 representation of "eduPersonEntitlement" such that its id becomes "local-login-user".
In the standard Moonshot distribution, SSH will look for local-login-user to determine who to authenticate the user as. This attribute mapping will be managed by the XML assertion in the FreeRADIUS reply for a successful authentication.
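As an added example (not code from this page or from the Moonshot distribution), the following Python script performs the attribute-map.xml change described above on a constructed excerpt of the file and then applies the check from the end of this page, that the local account the user is mapped to actually exists. The eduPersonEntitlement OID is the standard one; the function names and the sample file are my own.

```python
import pwd
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:attribute-map"   # default namespace of attribute-map.xml
EDU_PERSON_ENTITLEMENT_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # standard SAML2 name
LOCAL_LOGIN_ID = "local-login-user"            # the id Moonshot looks for

# Constructed excerpt in the shape of a stock attribute-map.xml (not a file from the page).
SAMPLE_ATTRIBUTE_MAP = f"""<Attributes xmlns="{NS}">
    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
    <Attribute name="{EDU_PERSON_ENTITLEMENT_OID}" id="entitlement"/>
</Attributes>
"""


def map_attribute_to_local_login(xml_text: str, saml_name: str) -> str:
    """Return xml_text with the Attribute whose name is saml_name re-id'd to local-login-user.

    Refuses to proceed if the attribute is missing or if a different attribute already
    carries the local-login-user id, since two sources for the login name would be ambiguous.
    """
    ET.register_namespace("", NS)           # keep the default namespace on output
    root = ET.fromstring(xml_text)
    target = None
    for attr in root.iter(f"{{{NS}}}Attribute"):
        if attr.get("id") == LOCAL_LOGIN_ID and attr.get("name") != saml_name:
            raise ValueError(f"{LOCAL_LOGIN_ID} is already mapped from {attr.get('name')}")
        if attr.get("name") == saml_name:
            target = attr
    if target is None:
        raise ValueError(f"no Attribute named {saml_name} in attribute-map.xml")
    target.set("id", LOCAL_LOGIN_ID)
    return ET.tostring(root, encoding="unicode")


def mapped_ids(xml_text: str) -> dict:
    """Map SAML attribute name -> Shibboleth id, for inspecting the result."""
    root = ET.fromstring(xml_text)
    return {a.get("name"): a.get("id") for a in root.iter(f"{{{NS}}}Attribute")}


def local_account_exists(username: str) -> bool:
    """The check the page asks for: the account a user is mapped to must already exist."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False
```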
Further mapping options
To Come!
Logging into the Linux Console using Moonshot
The user experience of logging into the Linux Console is different from the usual experience when using Moonshot (see the warning at the start of this page).
To do so, do the following:
- At the Linux console login prompt, enter the full NAI of your username (e.g. johnsmith@example.com). Hit return.
- A Password: prompt will show. Enter the password associated with the account. Hit return.
- If successful, you should be logged into the Linux Console as the local user that your account is mapped to (see the Account Mapping section above).
Ensure that the account that the user is being mapped to (via whatever method) actually exists beforehand!