The Moonshot source code is available from our GIT repository and it all can be built by hand relatively easier, assuming you have all of the prerequisite packages installed. This page has instructions for building the software itself.
Contents
Still under revision
This page is still under revision and may change at short notice. This page may also be updated with Sierra instructions where applicable.
1. System Preparation
1.1. Requirements
To build all of the Moonshot components, you need various packages installed. To install all of these, see below.
1.1.1. Get the required packages on macOS
To get all of the requirements on your macOS platform, you will need to install Xcode, the Xcode command-line extensions, and several GNU tools:
Install Xcode from the Mac App Store.
Open a Terminal, then install the Xcode Command Line Tools. You will be prompted with a dialog to install the Command Line Tools after a 130MB download.
$ xcode-select --install
Install the GNU tools that are required for Moonshot by following the instructions at How to install Autoconf, Automake and related tools on Mac OS X from source?
Install GNU GetText:
$ curl -O -L http://ftpmirror.gnu.org/gettext/gettext-latest.tar.gz $ tar -xzf gettext-latest.tar.gz $ cd gettext-* $ ./configure $ make && sudo install
Install MacPorts by downloading the latest install package from MacPorts.org, then update it:
$ sudo port -v selfupdate
Install Makedepend from MacPorts:
$ sudo port install makedepend
Update CPAN and install JSON:
$ sudo cpan install JSON
2. Setting build parameters and locations
Just like on Linux, build and installation locations matter, with one vital difference. On macOS, the /usr
tree itself is locked down and inaccessible, even for the privileged (root) user. However, locations like /usr/local
are open, and with newer versions of the OS, expect this to change.
For the purposes of this set of instructions, we recommend the following:
- For all the Moonshot dependencies, including OpenSSL, the Shibboleth dependencies, and Moonshot itself, but excluding Heimdal, the
--prefix
parameter should be set to/usr/local/moonshot
.
If you decide to change this location, you should appropriately change the locations in the commands in Sections 3 and 5 to your preference. - For Heimdal, the
--prefix
parameter should be set to/usr/local/heimdal
. This is because we are using Heimdal only for the header files that the Heimdal build generates, not for any library linking. It makes the eventual distribution easier. - We recommend that you build all libraries with the
-rpath
parameter enabled for all libraries to avoid any clashes with other libraries (such as the older version of OpenSSL that macOS ships for compatibility reasons). We have been assured by macOS developers that theclang
andlibtool
tools for macOS support this. - We do NOT recommend using the Apple-provided sources for some libraries (such as Heimdal) as they have various customisations that may negatively impact how Moonshot works, and because Apple categorically WILL NOT support any of their own source sets (we've tried through a Platinum support path and had the support ticket closed and refunded).
If you DO try using Apple's OpenSource sources and find that things build and function fine, please let us know by commenting on this document (with instructions that we can update this document with). These instructions should generally be backward-compatible.
3. Download and build the required external dependencies
3.1.1. Boost
Download Boost:
$ curl -OL https://dl.bintray.com/boostorg/release/1.64.0/source/boost_1_64_0.tar.gz
Build Boost:
$ tar -zvf boost_1_64_0.tar.gz $ cd boost_1_64_0 $ ./bootstrap.sh $ ./b2
- Note down the location at the end of the Boost build. You will need it later in this process. In the below examples, we shall use
/Users/admin/Desktop/build/boost_1_64_0
3.1.2. OpenSSL
- Create a directory called
openssl
. Download the OpenSSL build tree from Apple's OpenSource site. Some scripts that Apple provides will be needed, but we will not build it.
$ cd openssl && curl -OL https://opensource.apple.com/tarballs/OpenSSL098/OpenSSL098-59.60.1.tar.gz
Download the latest OpenSSL build from the OpenSSL website. We will build this version.
$ curl -OL https://www.openssl.org/source/old/1.0.2/openssl-1.0.2l.tar.gz
- Extract
OpenSSL098-59.60.1.tar.gz
, copy its 'bin' directory into the openssl directory, then delete the extracted source. - Edit the
extract_source.sh
script in thebin
directory: - Comment out the IDEA removal and patch lines (lines 39-49).
- Add the following parameters to each of the three
./Configure
lines:no-ssl2 enable-ec_nistp_64_gcc_128
- Change the
--openssldir
parameter to your appropriate directory. We recommend/usr/local/moonshot/bin
- Change the
--prefix
parameter from/usr
to/usr/local/moonshot
- Comment out the line
'rm -f Makefile'
- Find the line
'rm -f x86_64.h i386.h'
, and insert the following below it:ln -s crypto/idea/idea.h include/openssl/idea.h
From the openssl directory, run the following:
openssl $ bin/extract_source.sh .
- In the
src
directory, edit theMakefile
file:- Add the
-DNO_IDEA
parameter to theCFLAG
line - Add the
-DNO_IDEA
parameter to theDEPFLAG
line
- Add the
Run the following commands:
openssl/src $ make depend openssl/src $ make openssl/src $ sudo make install_sw
3.1.3. Heimdal
Heimdal requires OpenSSL. Once OpenSSL has built successfully, build Heimdal.
Download Heimdal:
$ curl -OL https://github.com/heimdal/heimdal/releases/download/heimdal-7.3.0/heimdal-7.3.0.tar.gz
Extract Heimdal:
$ tar -xvf heimdal-7.3.0.tar.gz
Build Heimdal:
$ cd heimdal-7.3.0 heimdal-7.3.0$ ./autogen.sh heimdal-7.3.0$ ./configure --prefix=/usr/local/heimdal --with-openssl=/usr/local/moonshot heimdal-7.3.0$ make heimdal-7.3.0$ sudo make install
- Note down both the location in which you built Heimdal, as well as where the Heimdal libraries are installed to (if you changed the
--prefix
parameter to something else). You will need a binary from the Heimdal build for the Moonshot build in Section 6, and you will need to set the--with-krb5
parameter of the Moonshot./configure
command in Section 6 to the location where you installed Heimdal.
3.1.4. Xerces-C
Download Xerces from the Apache project site:
$ curl -OL http://www-us.apache.org/dist/xerces/c/3/sources/xerces-c-3.1.4.tar.gz
Extract Xerces:
$ tar -xzf xerces-c-3.1.4.tar.gz
Build Xerces:
$ cd xerces-c-3.1.4 xerces-c-3.1.4$ LDFLAGS=" -Wl,-rpath,/usr/local/moonshot/lib " ./configure \ --prefix=/usr/local/moonshot --disable-static --enable-netaccessor-socket --enable-transcoder-macosunicodeconverter xerces-c-3.1.4$ make xerces-c-3.1.4$ sudo make install
3.1.5. XML-Security-C (Santuario)
Download XML-Security from the Apache project site:
$ curl -OL http://www-us.apache.org/dist/santuario/c-library/xml-security-c-1.7.3.tar.gz
Extract XML-Security:
$ tar -zxf xml-security-c-1.7.3.tar.gz
Build XML-Security:
$ cd xml-security-c-1.7.3 xml-security-c-1.7.3$ LDFLAGS=" -Wl,-rpath,/usr/local/moonshot/lib " ./configure --with-openssl=/usr/local/moonshot \ --without-xalan --prefix=/usr/local/moonshot --with-xerces=/usr/local/moonshot xml-security-c-1.7.3$ make xml-security-c-1.7.3$ sudo make install
3.1.6. LibConfuse
Clone the latest Libconfuse repository:
$ git clone --recursive https://github.com/martinh/libconfuse
Build Libconfuse:
$ cd libconfuse libconfuse$ ./autogen.sh libconfuse$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure --prefix=/usr/local/moonshot libconfuse$ make libconfuse$ sudo make install
3.1.7. LibEvent
Clone the latest Libevent repository:
$ git clone --recursive https://github.com/libevent/libevent
Build Libevent:
$ cd libevent libevent$ ./autogen.sh libevent$ CFLAGS=" -I/usr/local/moonshot/include " LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure \ --prefix=/usr/local/moonshot libevent$ make libevent$ sudo make install
3.1.8. Log4Shib
Moonshot requires Shibboleth, which in turn requires Log4Shib.
Download Log4Shib:
$ curl -OL http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz
Extract Log4Shib:
$ tar -zxf log4shib-1.0.9.tar.gz
Build Log4Shib:
$ cd log4shib-1.0.9 log4shib-1.0.9$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " ./configure \ --disable-static --disable-doxygen --prefix=/usr/local/moonshot log4shib-1.0.9$ make log4shib-1.0.9$ sudo make install
4. Checkout the Moonshot source
The Moonshot source code is all stored in a GIT repository. To fetch it, issue the following command.
$ git clone --recursive git://git.project-moonshot.org/moonshot.git $ cd moonshot/moonshot && git checkout master && cd -
5. Build Moonshot's internal dependencies
The Moonshot repository contains a set of internal dependencies. These need to be built before you can build the Moonshot mechanism itself.
5.1.1. Libradsec
Libradsec is used by the Moonshot libraries.
Configure the Libradsec build:
$ cd moonshot/libradsec libradsec$ chmod +x autogen.sh libradsec$ ./autogen.sh libradsec$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \ --prefix=/usr/local/moonshot
- Edit the
Makefile
:- Find the
AM_CFLAGS
line, remove the-Werror
parameter. - Find the
libradsec_la_CFLAGS
line, remove the-Werror
parameter - Save the file.
- Find the
Build Libradsec:
libradsec$ make libradsec$ sudo make install libradsec$ cd -
5.1.2. Jansson
Jansson is used by the Moonshot libraries.
Confgure and build Jansson:
$ cd moonshot/jansson jansson$ libtoolize --force --automake jansson$ aclocal -I m4 $ACLOCAL_FLAGS jansson$ autoheader jansson$ automake --add-missing jansson$ autoconf jansson$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \ --prefix=/usr/local/moonshot --with-sysroot=/usr/local/moonshot jansson$ make jansson$ sudo make install jansson$ cd -
5.1.3. XMLTooling
XMLTooling is used by the Shibboleth libraries required by Moonshot.
Configure and build XMLTooling:
$ cd moonshot/shibboleth/xmltooling xmltooling$ libtoolize --force --automake xmltooling$ aclocal -I m4 $ACLOCAL_FLAGS xmltooling$ autoheader xmltooling$ automake --add-missing xmltooling$ autoconf xmltooling$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \ --with-log4shib=/usr/local/moonshot --prefix=/usr/local/moonshot --with-boost=/Users/admin/Desktop/build/boost_1_64_0 -C --with-openssl=/usr/local/moonshot xmltooling$ make xmltooling$ sudo make install xmltooling$ cd -
5.1.4. OpenSAML
OpenSAML is used by the Shibboleth libraries required by Moonshot.
Configure and built OpenSAML:
$ cd moonshot/shibboleth/opensaml2 opensaml2$ libtoolize --force --automake opensaml2$ aclocal -I m4 $ACLOCAL_FLAGS opensaml2$ autoheader opensaml2$ automake --add-missing opensaml2$ autoconf opensaml2$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/include " ./configure \ --with-log4shib=/usr/local/moonshot --prefix=/usr/local/moonshot --with-boost=/Users/admin/Desktop/build/boost_1_64_0 \ --with-openssl=/usr/local/moonshot -C opensaml2$ make opensaml2$ sudo make install opensaml2$ cd saml saml$ sudo make install saml$ cd ../../../..
5.1.5. Shibboleth SP
The Shibboleth SP provides XML parsing and attribute release to the Moonshot mechanism.
Generate the Shibboleth SP build script:
$ cd moonshot/shibboleth/sp sp$ libtoolize --force --automake sp$ aclocal -I m4 $ACLOCAL_FLAGS sp$ autoheader sp$ automake --add-missing sp$ autoconf
Edit the
configure
script, find thePKG_CHECK_MODULES(SYSTEMD, libsystemd-daemon)
line and comment it out. Save the file.Configure and build the Shibboleth SP:
sp$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " CFLAGS=" -I/usr/local/moonshot/include " ./configure \ --with-log4shib=/usr/local/moonshot --prefix=/usr/local/moonshot --with-boost=/Users/admin/Desktop/build/boost_1_64_0 --disable-doxygen-doc \ --disable-doxygen-html --disable-adfs --disable-odbc --enable-systemd=no --enable-apache-13=no --enable-apache-20=no --enable-apache-22=no \ --enable-apache-24=no --with-xmltooling=/usr/local/moonshot --with-openssl=/usr/local/moonshot sp$ make sp$ sudo make install sp$ cd shibd shibd$ sudo make install && cd .. sp$ cd shibsp shibsp$ sudo make install shibsp$ sudo /bin/sh ../libtool --silent --mode=install /usr/bin/install -c libshibsp.la libshibsp-lite.la '/usr/local/moonshot/lib' shibsp$ cd ../../../..
- Note down the location of where you built the Shibboleth SP. You will require this location later in Section 6 for the Moonshot
./configure
command.
5.1.6. Shibboleth Resolver
Generate the Shibboleth Resolver build script:
$ cd moonshot/shibboleth/resolver resolver$ libtoolize --force --automake resolver$ aclocal -I m4 $ACLOCAL_FLAGS resolver$ autoheader resolver$ automake --add-missing resolver$ autoconf
Edit the
configure
script, find theif test "x$ac_cv_header_shibsp_SPConfig_h" = xyes;
line.Comment out the entire
if...else...fi
statement that the line is part of.Find the
as_fn_error $? "unable to link with Shibboleth SP" "$LINENO" 5
line (15-20 lines below the if...else...fi statement you just commented out).Comment out the entire
if...else...fi
statement that the line is part of.Save the
configure
script.Configure the Shibboleth Resolver:
resolver$ LIBS="-framework GSS -F/System/Library/PrivateFrameworks -framework Heimdal" \ CPPFLAGS="-I/usr/local/moonshot/include -I/Users/admin/Desktop/build/boost_1_64_0 -I/usr/local/include" \ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib -L/Users/admin/Desktop/build/boost_1_64_0/stage/lib" ./configure \ --with-log4shib=/usr/local/moonshot --prefix=/usr/local/moonshot --with-xmltooling=/usr/local/moonshot --with-shibsp=/usr/local/moonshot \ --with-gssapi=/usr/local/heimdal
- Edit the top-level
Makefile
, find theLIBS =
line. Remove the parameters-L/usr/local/heimdal/lib -lgssapi
. Save the file. - Edit the
Makefile
in thesrc
directory, find theLIBS =
line. Remove the parameters-L/usr/local/heimdal/lib -lgssapi
. Save the file. Build the Shibboleth Resolver:
resolver$ make resolver$ sudo make install resolver$ cd src src$ sudo /bin/sh ../libtool --silent --mode=install /usr/bin/install -c libshibresolver.la libshibresolver-lite.la '/usr/local/moonshot/lib' src$ cd ../../../..
6. Build Moonshot
Before building Moonshot, check what the HEAD of your Git tree is:
$ cd moonshot && git rev-parse --short HEAD
- Check the output.
- If your head revision is
dfa044b5b
, please download the Heimdal patch first, then follow Step 4 to apply it. Otherwise, go to Step 5.
heimdal-patch.patch Apply the Heimdal patch:
moonshot$ git apply < heimdal-patch.patch
Configure the Moonshot build:
moonshot$ ./autogen.sh moonshot$ LDFLAGS=" -L/usr/local/moonshot/lib -Wl,-rpath,/usr/local/moonshot/lib " \ CPPFLAGS="-I/Users/admin/Desktop/build/boost_1_64_0 -I/Users/admin/Desktop/build/moonshot/shibboleth/sp/src -I/usr/local/moonshot/include" \ LIBS="-framework GSS -F/System/Library/PrivateFrameworks -framework Heimdal -L/Users/admin/Desktop/build/boost_1_64_0/stage/lib -L/usr/local/moonshot/lib" \ COMPILE_ET="/Users/admin/Desktop/build/heimdal-7.3.0/lib/com_err/compile_et" SHIBSP_LIBS=/usr/local/moonshot/lib \ SHIBSP_CXXFLAGS="-I/usr/local/moonshot/include" SHIBRESOLVER_LIBS=/usr/local/moonshot/lib SHIBRESOLVER_CXXFLAGS="-I/usr/local/moonshot/include" \ ./configure --with-krb5=/usr/local/heimdal --with-radsec=/usr/local/moonshot --with-opensaml=/usr/local/moonshot \ --with-shibresolver=/usr/local/moonshot --with-shibsp=/usr/local/moonshot --with-openssl=/usr/local/moonshot --with-jansson=/usr/local/moonshot \ --sysconfdir=/etc
Configure script parameters
There are several parameters in the command above that rely on locations noted down previously:
CPPFLAGS
contains three explicit include location references, the first is the Boost library header location from Section 3.1.1, the second the Shibboleth SP source from Section 5.1.5 and the third the general Moonshot location.LIBS
contains two explicit library location references, the first is the Boost library location from Section 3.1.1, the second the general Moonshot library location.COMPILE_ET
contains the full path to thecompile_et
binary that will be in your Heimdal build tree. You noted this down in the last step of Section 3.1.3.--with-krb5
contains the location where the Heimdal libraries and headers were installed. You noted this down in the last step of Section 3.1.3.- Edit the top-level
Makefile
:- Remove the parameter
-L/usr/local/heimdal/lib
from theKRB5_LDFLAGS
line. - Remove the parameters
-L/usr/local/heimdal/lib -lgssapi
from theKRB5_LIBS
line in the file. - Save the file.
- Remove the parameter
- Edit the
Makefile
in thelibeap
directory:- Remove the parameter
-L/usr/local/heimdal/lib
from theKRB5_LDFLAGS
line. - Remove the parameters
-L/usr/local/heimdal/lib -lgssapi
from theKRB5_LIBS
line in the file. - Save the file.
- Remove the parameter
- Edit the
Makefile
in themech_eap
directory:- Remove the parameter
-L/usr/local/heimdal/lib
from theKRB5_LDFLAGS
line. - Remove the parameters
-L/usr/local/heimdal/lib -lgssapi
from theKRB5_LIBS
line in the file. - Remove the parameters
-L/usr/local/heimdal/lib -lgssapi
from themech_eap_la_LIBADD
line in the file. - Remove the parameter
-Werror
from themech_eap_la_CFLAGS
line. - Remove the parameter
-Werror
from themech_eap_la_CXXFLAGS
line. - Save the file.
- Remove the parameter
Build Moonshot:
moonshot$ make moonshot$ sudo make install
You should now have a
mech_eap.so
file in/usr/local/lib/gss
.
7. Test Moonshot
To test this build of Moonshot, you will need to make some privileged changes to the system you built this on:
In
/etc
, create agss
directory:moonshot$ sudo mkdir -p /etc/gss
Copy the
mech
file from the Moonshotmech_eap
build directory to/etc/gss
moonshot$ sudo cp mech_eap/mech /etc/gss/
- As the privileged user, edit the
/etc/gss/mech
file:- Change the
mech_eap.so
entry on each line to the full path of the library, e.g./usr/local/lib/gss/mech_eap.so
- Save the file.
- Change the
- Create a
.gss_eap_id
file in your user's home directory:- On the first line of the file, put your Moonshot credential in email form, e.g.
username@moonshot.realm
. - On the second line of the file, put your password for the Moonshot credential in the first line.
- Save the file.
- On the first line of the file, put your Moonshot credential in email form, e.g.
Run an SSH command to a Moonshot-enabled system that the credentials you added in the previous step will be valid for:
ssh -Kv user@moonshot-host.realm
Jisc Assent
If you have an identity provider on the Jisc Assent network, you can use
ssh -Kv moonshot@ssh.test.moonshot.ja.net
to test whether your macOS Moonshot mechanism worked successfully.You should successfully connect to the service, and you should see several lines like this in the output:
debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Delegating credentials debug1: Authentication succeeded (gssapi-with-mic). Authenticated to ssh.test.moonshot.ja.net ([212.219.179.184]:22). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_GB.UTF-8
Jisc Assent
On the Jisc Assent Test SSH Service, the final output for success will be this:
debug1: Entering interactive session. debug1: Sending environment. debug1: Sending env LANG = en_GB.UTF-8 *** JISC Moonshot Test SSH Server *** You have successfully logged in with Moonshot. You are user: moonshot [moonshot@ssh ~]$
8. Distribute and install Moonshot
To distribute this binary set, you will need to trim down the binaries you have built to include only the dynamic libraries and only bare essentials needed to run the mechanism:
Make a copy of the
/usr/local
directory into a second location as the privileged user.Once the duplication process is complete, change to your duplicate location's
usr/local
directory and delete all directories except the following:lib
moonshot
- In the
lib
directory, delete everything except the following:gss
libintl.8.dylib
libintl.dylib
- In the
moonshot
directory, delete the following:include
,share
,sbin
,var
directories
- In the
moonshot/etc/shibboleth
directory, delete:- all
*.dist
files - all
*.pem
files - all
shibd-*
files - all
apache*.config
files
- all
- In the
moonshot/lib
directory, delete:- all
*.a
files - all
*.la
files - the
pkgconfig
directory
- all
- Now use tar to package up the contents of your distribution directory. You should have a tarball around 7MB in size.
- On your target machine, extract the tarball in such a way that the files end up in the
/usr/local/lib
and/usr/local/moonshot
directories. - To finish the deployment, create the
/etc/gss/mech
file, then try to run the SSH test (section 7, steps 4 to 6) to check that the mechanism is correctly loaded.
9. Issues
Current issues with this build include that the macOS SSH client abandons any gssapi-with-mic
conversations if the first mechanism it chooses, fails.
In a domain environment, this usually involves a Kerberos interaction, i.e. where you have received a Kerberos ticket before by logging in or by running kinit
. Other ssh clients (or a custom build of the ssh client) may not exhibit this behaviour.
On macOS Sierra, the native SSH client is sandboxed when run from its default location in /usr/bin. Making a copy elsewhere on the system enables it to authenticate with Moonshot. We are currently investigating this to see how this can be solved.