RHEL 6, CentOS 6 and Scientific Linux 6 (RHEL/CentOS/SL 6) do not ship with a version of OpenSSH that is compatible with Moonshot; they ship OpenSSH v5.3, which is not Moonshot-enabled. To get Moonshot support, you must install a specific Moonshot-enabled version (v5.9). We have a precompiled version available in our repositories.
All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).
The instructions on this page will replace the system-provided OpenSSH packages with the Moonshot-enabled ones (don't worry, standard SSH things will still work!).
Following the instructions on this page will give you a Moonshot-enabled OpenSSH Server only.
1. System Preparation
1.1. Add the Moonshot libraries
If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.
1.2. Add the Moonshot OpenSSH Repository
We've moved the OpenSSH packages from the main Moonshot repository into their own, so add the Moonshot RedHat OpenSSH repository to your system by creating a new file at /etc/yum.repos.d/moonshot.repo with the following content:
[Moonshot-OpenSSH]
name=Moonshot-OpenSSH
baseurl=http://repository.project-moonshot.org/rpms/centos6-openssh/
failovermethod=priority
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/Moonshot
1.3. Ensure that your hostname is correct
The channel bindings check requires that the hostname of your SSH server match the hostname people are SSHing to. That is, the output of the "hostname" and "hostname -f" commands should match the FQDN of the server. If it doesn't, change the relevant line in /etc/sysconfig/network to make it so.
2. Installation Instructions
Install the Moonshot-enabled pre-compiled OpenSSH packages using yum. This will replace the system-provided OpenSSH.
$ yum --disablerepo=updates,base downgrade ssh openssh-server openssh-client openssh-askpass openssh
3. Configuration Instructions
Once installed, the Moonshot-enabled OpenSSH server will still need a few quick tweaks in order to turn on the Moonshot support.
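Configure the OpenSSH server to use Moonshot by editing /etc/ssh/sshd_config. Check the following lines are present and uncommented:
UsePrivilegeSeparation no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPIStrictAcceptorCheck yes
Note that "UsePrivilegeSeparation no" turns off sshd's privilege separation, so the code that handles unauthenticated connections runs as root.
Now restart the OpenSSH server: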
$ /etc/init.d/sshd restart
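The settings from sections 1.3 and 3 can be checked with a short script. This is an added example, not part of the Moonshot project's own tooling; the function names are hypothetical, and it inspects the text of the config file rather than the running daemon.

```shell
#!/bin/sh
# Added example (not from the Moonshot project): verify the settings that
# sections 1.3 and 3 require. All function names here are hypothetical.

# Print the global value of an sshd_config keyword, lower-cased.
# Commented lines never match, keywords are case-insensitive, the
# "Keyword=value" form is accepted, and parsing stops at the first Match block.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v k="$2" '
        { sub(/^[ \t]+/, ""); n = split($0, f, "[ \t=]+") }
        tolower(f[1]) == "match" { exit }
        n >= 2 && tolower(f[1]) == tolower(k) { print tolower(f[2]); exit }
    ' "$1"
}

# Return the number of section 3 directives that are missing or wrong.
check_moonshot_sshd() {  # $1 = path to sshd_config
    fails=0
    for want in UsePrivilegeSeparation=no GSSAPIAuthentication=yes \
                GSSAPIKeyExchange=yes GSSAPIStrictAcceptorCheck=yes; do
        key=${want%%=*}; val=${want#*=}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: want '$val', got '${got:-<unset>}'" >&2
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Section 1.3: "hostname" and "hostname -f" must both print the FQDN.
# Assumption: an FQDN is recognised here by containing at least one dot.
check_hostname() {  # $1 = output of hostname, $2 = output of hostname -f
    case "$2" in
        *.*) [ "$1" = "$2" ] ;;
        *)   return 1 ;;
    esac
}

# Check a real system only when a config path is passed as an argument.
if [ "$#" -gt 0 ]; then
    check_hostname "$(hostname)" "$(hostname -f)" ||
        echo "FAIL hostname does not match the FQDN" >&2
    check_moonshot_sshd "$1" && echo "sshd_config OK"
fi
```

Run it as root with /etc/ssh/sshd_config as the argument; a non-zero exit status is the count of directives that still need fixing.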
Configure the OpenSSH Client.