1. System Preparation

1.1. Add the Moonshot libraries.

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.

1.2. Install prerequisites

1. You will need various packages installed in order to build OpenSSH from scratch. Install them via yum:

   $ yum install gcc openssl-devel pam-devel rpm-build autoconf automake gtk2-devel libX11-devel audit-libs-devel tcp_wrappers-devel fipscheck-devel openldap-devel libedit-devel ncurses-devel nss-devel make man xauth

1.3. Ensure that your hostname is correct

The channel bindings check requires that the hostname of your SSH server match the hostname people are SSHing to. That is, the output of the "hostname" command should match the FQDN of the server. If it doesn't, change the relevant line in /etc/sysconfig/network to make it so.

2. Installation Instructions

2.1. Get the sources and patches

1. If you do not have any rpmbuild directories already, create them now.

   $ mkdir -p ~/rpmbuild/SOURCES ~/rpmbuild/SPECS ~/rpmbuild/RPMS

2. Download the OpenSSH sources for your particular minor version of RHEL/CentOS/SL into the SOURCES directory. The sources are available at the following locations:

   • CentOS 6.5: http://vault.centos.org/6.5/os/Source/SPackages/openssh-5.3p1-94.el6.src.rpm

   • CentOS 6.4: http://vault.centos.org/6.4/os/Source/SPackages/openssh-5.3p1-84.1.el6.src.rpm

3. Navigate to the SOURCES directory and extract the source from the RPM.

   $ cd ~/rpmbuild/SOURCES && rpm -ivh openssh-5.3p1-*.src.rpm

4. Download the Moonshot patches into the SOURCES directory.

   $ curl -o openssh-nulluser.patch http://iam.cf.ac.uk/moonshot/patches/openssh/openssh-nulluser.patch && curl -o openssh-gssapi-generic.patch http://iam.cf.ac.uk/moonshot/patches/openssh/openssh-gssapi-generic.patch

5. Navigate to the SPECS directory and download the Moonshot-enabled OpenSSH spec file for your particular version of RHEL/CentOS/SL. The sources are available at the following locations:
   1. CentOS 6.5: http://iam.cf.ac.uk/moonshot/patches/openssh/openssh-6.5-94.spec
   2. CentOS 6.4: http://iam.cf.ac.uk/moonshot/patches/openssh/openssh-6.4-84.spec

6. Rename the file you downloaded to "openssh.spec", overwriting the existing copy:

   (For CentOS 6.5)

   $ mv openssh-6.5-94.spec openssh.spec

2.2. Build OpenSSH

Now we're ready to build the Moonshot-enabled version of OpenSSH.

1. Make sure you're in the SPECS directory and execute an RPM build.

   $ rpmbuild -bb openssh.spec

   If the build was successful, in your /rpmbuild/RPMS/x86_64 directory you should find RPMs for the following:

   1. • openssh
      • openssh-askpass
      • openssh-clients
      • openssh-ldap
      • openssh-server
      • pam_ssh_agent_auth

2.3. Installing your new RPMs

Now we're ready to install the new Moonshot-enabled OpenSSH packages.

2.3.1. Remove the existing OpenSSH packages

1. Remove the existing OpenSSH packages using yum.

   $ yum erase openssh openssh-askpass openssh-clients openssh-ldap openssh-server pam_ssh_agent_auth

2.3.2. Install the new OpenSSH packages

1. Install the new OpenSSH packages using rpm.

   $ rpm -Uvh ~/rpmbuild/RPMS/x86_64/openssh*rpm

2. If you backed up your existing configuration, restore it now.

3. Configuration Instructions

Once installed, the Moonshot-enabled OpenSSH server will still need a few quick tweaks in order to turn on the Moonshot support.

1. Configure the OpenSSH server to use Moonshot by editing /etc/ssh/sshd_config. Check the following lines are present and uncommented:

   UsePrivilegeSeparation no
   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes
   GSSAPIStrictAcceptorCheck yes
   

2. Configure the OpenSSH client to use Moonshot by editing /etc/ssh/ssh_config. Check the following lines are present and uncommented:

   GSSAPIAuthentication yes
   GSSAPIKeyExchange yes