OpenSSH Client

OpenSSH is a freely available version of the SSH connectivity tools, and is the standard version of SSH used by many Linux distributions. See http://www.openssh.org/ for more information.

1. Overview

When using OpenSSH as an SSH client, Moonshot is natively supported provided it has been built with GSS-API support.

This is only true for OpenSSH as a client - if you want a Moonshot enabled OpenSSH server, see the OpenSSH Server section.

Alpine Linux

Alpine Linux does not build OpenSSH with GSS-API support. Hence, Alpine Linux Moonshot users will need to install the OpenSSH version from the Moonshot repository, by using:

apk add openssh-client@moonshot

2. Installation Instructions

This software does not require any special installation instructions - install it as you normally would.

3. Configuration Instructions

The OpenSSH client only needs a few quick tweaks in order to enable Moonshot support.

For more information on the SSH client configuration, visit the ssh_config(5) man page.

It is worth remembering the order in which the SSH client obtains its options, and that the first configuration value found overrides any later values.

Other GSSAPI authentication mechanisms

Moonshot is a GSSAPI-based mechanism. Using any of the below configuration instructions to control Moonshot may have an undesirable effect on other GSSAPI-based mechanisms, such as Kerberos or GSI authentication.

3.1. Configuring the OpenSSH client globally

Configure the OpenSSH client to use Moonshot by editing /etc/ssh/ssh_config. Check the following lines are present and uncommented:

GSSAPIAuthentication yes
GSSAPIKeyExchange no

You can put these declarations in Host blocks if you wish them to only apply to some hosts.

3.2. Configuring the OpenSSH client locally

Configure the OpenSSH client to use Moonshot by editing ~/.ssh/config. Check the following lines are present and uncommented:

GSSAPIAuthentication yes
GSSAPIKeyExchange no

You can put these declarations in a Host block if you wish them to only apply to some hosts.

Additionally, you can change the type or order of authentication mechanisms the client tries by changing the following default option in your ~/.ssh/config file:

PreferredAuthentications "gssapi-keyex,gssapi-with-mic,hostbased,publickey,keyboard-interactive,password"

You can put your changed declaration in Host blocks if you wish it to only apply to some hosts.

For more information on how to customise the local ssh_config file to suit your preferences, visit Nerderati's page on SSH configuration. 

3.3. Configuring the OpenSSH client on the command-line

You can configure the OpenSSH client on its command-line to use Moonshot.

  1. To use GSSAPI, use the -K switch:

    ssh -K moonshot.camford.ac.uk

  2. To not use GSSAPI, use the -k switch:

    ssh -k terminals.camford.ac.uk

  3. To change the preferred authentication mechanisms for the specific host you are connecting to, use the -o switch with the PreferredAuthentications option:

    Using public key and password authentication first:

    ssh -k -o PreferredAuthentications="publickey,password" terminals.camford.ac.uk
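
Because the first value obtained for an option wins, the order of Host blocks decides which hosts actually get the Moonshot (GSSAPI) settings. The following Python sketch is an added example, not part of the original page or of OpenSSH: it models only Host blocks and -o overrides (no Match, Include or system-wide file), and other.example.org is a constructed host name.

```python
import fnmatch

# Constructed sample in ~/.ssh/config syntax. More specific Host blocks come
# first, because the first value obtained for an option is the one used.
SAMPLE_CONFIG = """\
Host terminals.camford.ac.uk
    GSSAPIAuthentication no
    PreferredAuthentications publickey,password

Host *.camford.ac.uk
    GSSAPIAuthentication yes
    GSSAPIKeyExchange no

Host *
    GSSAPIAuthentication no
"""

def host_matches(patterns, host):
    """True if a positive pattern matches and no negated (!) pattern does."""
    host = host.lower()
    negated = [p[1:].lower() for p in patterns if p.startswith("!")]
    positive = [p.lower() for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_options(config_text, host, cli_options=None):
    """Resolve options for host: -o values first, then the file top to bottom."""
    result = {k.lower(): v for k, v in (cli_options or {}).items()}
    active = True  # lines before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            active = host_matches(value.split(), host)
        elif active:
            result.setdefault(keyword, value)  # an earlier value is never replaced
    return result

if __name__ == "__main__":
    for name in ("moonshot.camford.ac.uk", "terminals.camford.ac.uk", "other.example.org"):
        print(name, effective_options(SAMPLE_CONFIG, name))
```

If the `Host *` block were moved to the top of the sample, its GSSAPIAuthentication value would apply to every host and the later, more specific blocks could not change it.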

4. Credential forwarding and proxying

The standard OpenSSH client supports proxying. While the Moonshot standards currently do not support credential forwarding or credential delegation, we recommend using the OpenSSH ProxyCommand option together with either the netcat(1) utility or the -W option to forward your Moonshot credentials securely along the chain of hosts to authenticate with Moonshot.

  1. Set the ProxyCommand option by editing ~/.ssh/config:

    Using netcat(1):

    Host your.final.host
        ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host nc %h %p 2>/dev/null

    Using -W:

    Host your.final.host
        ProxyCommand ssh -X -K username_on_intermediate_host@intermediate.host -W %h:%p 2>/dev/null

    When using the Moonshot Identity Selector to store your credentials, you must use the -X switch in the ProxyCommand command-line to forward X11 connections.

    To create a chain of intermediate proxies, create separate Host entries to set up different proxy connections.

  2. To initiate your connection to the end host, simply connect to it with the usual command-line:

    ssh username@your.final.host

    When using the nulluser patch (included in the build of OpenSSH in the Moonshot repository), specifying the -l "" option will function throughout the proxy chain.

For more information on SSH proxy forwarding, see SSHMenu: Transparent Multihop.

5. Server Compatibility

The following servers are known to work with this client software using Moonshot authentication (click on the link to see further information about enabling Moonshot in that server):