On this page you will find instructions on how to install the Moonshot libraries on an Ubuntu 12.04 (Precise Pangolin) based system, in order to enable applications/services on that system to perform Moonshot based authentication.
Assumptions and Prerequisites
This guide assumes you have an up-to-date Ubuntu 12.04 LTS based system (a minimal install will do) and that you have a Moonshot RP Proxy (this could be a Moonshot IdP) available to connect to.
This guide assumes you have root access to the Linux device. This is required as new software needs to be installed system-wide.
1. System Preparation
First, there are a few Ubuntu configuration options that need to be set in advance.
1.1. Add the Moonshot Repository
Add the Moonshot Debian Wheezy repository to your system. To do this, run the following command (as root, or using sudo):
$ echo "deb http://repository.project-moonshot.org/debian-moonshot wheezy main" > /etc/apt/sources.list.d/moonshot.list
Install the Moonshot GPG key:
$ wget -O - http://repository.project-moonshot.org/key.gpg | apt-key add -
Update the apt cache with the new repository information:
$ apt-get update
1.2. Install updated font-config packages
Ubuntu 12.04 LTS ships with versions of fontconfig-config and libfontconfig that are a little too old for Moonshot. We need to update these packages with newer versions.
- Download the following two packages:
- fontconfig-config:
- libfontconfig1:
Install them:
$ dpkg -i fontconfig-config_2.10.1-0ubuntu3_all.deb libfontconfig1_2.10.1-0ubuntu3_*.deb
1.3. Moonshot GSS Mechanisms
Create a new file at /usr/etc/gss/mech (you will likely need to create the /usr/etc/gss directory) with the following content:
    #
    # Sample mechanism glue configuration for EAP GSS mechanism.
    #
    # Any encryption type supported by Kerberos can be defined as the
    # last element of the OID arc.
    #
    eap-aes128 1.3.6.1.5.5.15.1.1.17 mech_eap.so
    eap-aes256 1.3.6.1.5.5.15.1.1.18 mech_eap.so
In the future we hope for this step to be done automatically on installing the software. For now, however, this is a manual step.
2. Install Moonshot
We’re now ready to install the Moonshot software and its required dependencies. Install the software by running the following command:
$ apt-get install moonshot-gss-eap moonshot-ui
3. Configure the connection to your Moonshot RP Proxy
The Moonshot GSS-EAP mechanism needs to connect to a local Moonshot RP Proxy (RADIUS server) via RADIUS or RadSec. This connection is the first hop between the service and the user's home IdP, and it is what allows authentication to happen.
To do this, you must configure the connection in /etc/radsec.conf (you will likely need to create this file). This can be a RADIUS or a RadSec connection.
If you are unsure which to use, then RadSec is recommended as it is more flexible and more secure. It is slightly more complex to set up, however.
3.1.1. RadSec
If you choose to use a RadSec connection to your Moonshot RP Proxy, then place the following content into /etc/radsec.conf:
    realm gss-eap {
        type = "TLS"
        cacertfile = "$path_to_ca.pem"
        certfile = "$path_to_client.pem"
        certkeyfile = "$path_to_client.key"
        disable_hostname_check = yes
        server {
            hostname = "$hostname"
            service = "2083"
            secret = "radsec"
        }
    }
3.1.2. RADIUS
If you choose to use a plain RADIUS connection to your Moonshot RP Proxy, then place the following content into /etc/radsec.conf:
    realm gss-eap {
        type = "UDP"
        timeout = 5
        retries = 3
        server {
            hostname = "$hostname"
            service = "1812"
            secret = "$secret"
        }
    }
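A pre-flight check for the /etc/radsec.conf variants in sections 3.1.1 and 3.1.2, as an added example that is not part of the Moonshot documentation or software. It flags plain RADIUS over UDP, hostname checking switched off, unreplaced $ placeholders, missing certificate files, and a world-readable private key or secret-bearing config file. The function names and finding labels are hypothetical, and it assumes one realm per file with one setting per line.

```sh
# Added example, not Moonshot project code: audit_radsec_conf and its finding
# labels are hypothetical. Assumes one realm per file, one setting per line.
conf_get() {    # print the value of key $1 in file $2, quotes stripped
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}
world_readable() { [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]; }
note() { printf '%s\n' "$1"; rc=1; }

audit_radsec_conf() {    # print findings for file $1; return 1 if there are any
    conf=$1 rc=0 sensitive=
    case $(conf_get type "$conf") in
    UDP)
        note "UDP: plain RADIUS, no TLS to the RP Proxy"
        sensitive=$conf ;;    # this file holds the real shared secret
    TLS)
        if [ "$(conf_get disable_hostname_check "$conf")" = yes ]; then
            note "HOSTNAME: server certificate name is not checked"
        fi
        for key in cacertfile certfile certkeyfile; do
            sensitive=$(conf_get "$key" "$conf")    # ends as the private key path
            [ -f "$sensitive" ] || note "MISSING: $key '$sensitive' is not a file"
        done ;;
    *)  note "TYPE: expected exactly one type of UDP or TLS" ;;
    esac
    if world_readable "$sensitive"; then note "PERMS: $sensitive is world-readable"; fi
    for key in hostname secret; do
        case $(conf_get "$key" "$conf") in
        '' | \$*) note "PLACEHOLDER: $key is unset or still a \$variable" ;;
        esac
    done
    return $rc
}

# Constructed sample: the section 3.1.1 block with its placeholders unfilled.
sample=$(mktemp) && cat > "$sample" <<'EOF'
realm gss-eap {
    type = "TLS"
    cacertfile = "$path_to_ca.pem"
    certfile = "$path_to_client.pem"
    certkeyfile = "$path_to_client.key"
    disable_hostname_check = yes
    server {
        hostname = "$hostname"
        service = "2083"
        secret = "radsec"
    }
}
EOF
audit_radsec_conf "$sample" || echo "fix the findings above before going live"
rm -f "$sample"
```

Run against the real file with audit_radsec_conf /etc/radsec.conf; a return status of 0 with no output means none of these checks fired.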
4. Next Steps
You now have all of the necessary Moonshot GSS-EAP libraries and configuration for the application/service on your machine to use Moonshot. The next step is to install/configure that application/service as necessary.