RHEL 6 / CentOS 6 / Scientific Linux 6 (RHEL/CentOS/SL 6) do not ship with a version of OpenSSH that is compatible with Moonshot; they ship OpenSSH v5.3, which is not Moonshot-enabled. To get Moonshot support, you must install a specific Moonshot-enabled version (v5.9). We have a precompiled version available in our repositories.

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

The instructions on this page will replace the system-provided OpenSSH packages with the Moonshot-enabled ones (don't worry, standard SSH things will still work!).

Following the instructions on this page will give you a Moonshot-enabled OpenSSH Server only.

1. System Preparation

1.1. Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.

1.2. Install the Yum priorities plug-in

  1. Install the Yum Priorities plugin to enable repository priority management: 

    $ yum install yum-plugin-priorities

    For more information on the yum-plugin-priorities package, please see https://wiki.centos.org/PackageManagement/Yum/Priorities

  2. Check that the yum-priorities plugin is enabled in your yum configuration:

    $ grep enabled /etc/yum/pluginconf.d/priorities.conf
    enabled = 1

  3. If the plugin is not enabled, set the enabled line in /etc/yum/pluginconf.d/priorities.conf to 1.

1.3. Add the Moonshot OpenSSH Repository

  1. We've moved the OpenSSH packages from the main Moonshot repository into their own, so add the Moonshot RedHat OpenSSH repository to your system by creating a new file at /etc/yum.repos.d/moonshot-ssh.repo with the following content:

    [Moonshot-OpenSSH]
    name=Moonshot-OpenSSH
    baseurl=http://repository.project-moonshot.org/rpms/centos6-openssh/
    failovermethod=priority
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/Moonshot
    priority=1

1.4. Ensure that your hostname is correct

The channel bindings check requires that the hostname of your SSH server match the hostname people are SSHing to. That is, the output of the "hostname" and "hostname -f" commands should match the FQDN of the server. If it doesn't, change the relevant line in /etc/sysconfig/network to make it so.

2. Installation Instructions

  1. Install the Moonshot-enabled pre-compiled OpenSSH packages using yum. This will replace the system-provided OpenSSH:

    $ yum update openssh*

  2. If you have already installed the latest version of OpenSSH from the CentOS updates repository and its version is the same as or newer than the version in our repository, you must use the yum downgrade command to switch the packages to our version:

    $ yum downgrade openssh*

3. Configuration Instructions

Once installed, the Moonshot-enabled OpenSSH server will still need a few quick tweaks in order to turn on the Moonshot support.

  1. Ensure that the certificates referenced in /etc/radsec.conf can be read by the SSH user:

    $ su - --shell=/bin/bash sshd
    $ cat path_to_ca.pem
    $ cat path_to_client.pem
    $ cat path_to_client.key

    If they cannot be read by the SSH user, add the SSH user to the group that can read the certificates.

  2. Configure the OpenSSH server to use Moonshot by editing /etc/ssh/sshd_config. Check the following lines are present and uncommented:

    UsePrivilegeSeparation no
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIStrictAcceptorCheck yes
    
  3. Now restart the OpenSSH server:

    $ /etc/init.d/sshd restart

  4. Configure the OpenSSH Client.
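
One way to script the check from step 2 of the configuration instructions, as an added example that is not part of the original page or Moonshot project code. It goes slightly beyond "present and uncommented" by applying the sshd_config rules that keywords are case-insensitive and the first occurrence wins; the function names and the sample file are constructed for illustration.

```shell
# Added example, not Moonshot project code: audit sshd_config for the step 2 settings.

# effective_value FILE KEYWORD
# Prints the value sshd applies globally for KEYWORD: keywords are case-insensitive,
# the first occurrence wins, and lines after the first "Match" are conditional.
effective_value() {
    awk -F'[ \t=]+' -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # commented-out or blank line
        { sub(/^[ \t]+/, "") }                   # drop indentation, re-split fields
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) {
            val = tolower($2); gsub(/"/, "", val) # values may be double-quoted
            print val; exit
        }
    ' "$1"
}

# check_moonshot_sshd FILE: returns 0 only when all four settings are effective.
check_moonshot_sshd() {
    rc=0
    for want in UsePrivilegeSeparation=no GSSAPIAuthentication=yes \
                GSSAPIKeyExchange=yes GSSAPIStrictAcceptorCheck=yes; do
        key=${want%%=*} need=${want#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$need" ]; then
            echo "FAIL $key: got '${got:-<not set>}', need '$need'" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not a real server's file): GSSAPIKeyExchange is still
# commented out, and an earlier "GSSAPIAuthentication no" shadows the later "yes".
write_sample() {
    cat > "$1" <<'EOF'
UsePrivilegeSeparation no
GSSAPIAuthentication no
#GSSAPIKeyExchange yes
gssapistrictacceptorcheck yes
GSSAPIAuthentication yes
EOF
}

# With no argument, audit the constructed sample instead of a real file.
cfg=${1:-}
if [ -z "$cfg" ]; then cfg=$(mktemp); write_sample "$cfg"; tmp=$cfg; fi
check_moonshot_sshd "$cfg" && echo "OK: Moonshot settings are effective in $cfg"
[ -z "${tmp:-}" ] || rm -f "$tmp"
```

Saved as a script and given /etc/ssh/sshd_config as its argument, it audits the live file; run it before restarting sshd in step 3.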
