Moonshot Deployment Readiness Script
Moonshot needs a number of setup steps to be performed before things work smoothly. Many of these are important but easy to confirm, so they can be verified in an automated fashion, i.e. by a script that checks that each of them is in place.
Getting the script
The script is available from Github here:
https://github.com/janetuk/moonshot-readiness
Usage
```
$ moonshot-readiness
usage: moonshot-readiness [task] [task]...
Available tasks:
  minimal (default)
  client
  rp
  rp-proxy
  idp-proxy
  ssh-client
  ssh-server

$ moonshot-readiness client ssh-client
Testing task basic...
Hostname is fqdn... [OKAY]
Supported OS... [OKAY]
Moonshot repositories configured... [FAIL]
Testing task client...
gss/mech... [OKAY]
mech_eap.so in library path... [FAIL]
Testing task ssh-client...
GSSAPIAuthentication... [FAIL]
GSSAPIKeyExchange... [OKAY]
Test complete, failed tests:
Moonshot repositories configured: Without the moonshot repositories configured, you will not be able to update to the latest versions of the moonshot code.
mech_eap.so in library path: mech_eap.so was not found in your ld configuration - this may mean you've installed the Moonshot libraries in a non-default location.
GSSAPIAuthentication: Your SSH client is not configured for GSSAPI authentication. Moonshot will not work.
```
Structure
Each 'task' defines a number of items to check, what the valid response is, and a message to display in the event of the test failing. Tasks also list a parent task that they depend on (i.e. ssh-client depends on client, which in turn depends on basic, which means when testing for ssh-client). Fatal failed tests should be displayed as FAIL, non-fatal ones as WARN, and successful tests as OKAY.
Tasks
Task | Dependency | OS Support | Description |
---|---|---|---|
basic | none | Linux, macOS | Basic set of tests required for Moonshot to function at all in any capacity |
client | basic | Linux, macOS | Fundamental tests required for Moonshot to function as a client |
rp | basic | Linux | Fundamental tests required for Moonshot to function as an RP (a Moonshot service) |
rp-proxy | rp | Linux | Tests required for Moonshot to function as an RP Proxy (a Moonshot gateway) |
idp | rp | Linux | Tests to verify if FreeRADIUS is correctly configured to function as Moonshot identity provider |
ssh-client | client | Linux, macOS | Tests to verify if the OpenSSH client is correctly configured |
ssh-server | rp | Linux | Tests to verify if the OpenSSH server is correctly configured |
Tests
ID | Task | Title | Method | Failure Text | Severity | Implemented
---|---|---|---|---|---|---
1 | basic | Supported OS | Linux: check '/etc/*-release' to determine if the OS is one of: macOS: check the output of sw_vers to determine if the OS is one of: | You are not running a supported OS. Moonshot may not work as indicated in the documentation. | WARN | Yes
2 | basic | Prerequisites | Check if the following tools are installed: | One or more prerequisites for this test couldn't be found. Please check that dig, hostname, grep, echo, ... are installed. | ERROR | Yes
3 | basic | Hostname is FQDN | Check that the value returned by hostname is an FQDN using dig. | Your server's hostname is not fully qualified or resolvable. This is required in order to prevent certain classes of attack. | ERROR | Yes
4 | basic | Moonshot repositories configured | Debian, Ubuntu: check apt-cache search for the Moonshot packages. RHEL, CentOS, SL: check yum list for the Moonshot packages. | The Moonshot repositories do not appear to exist on this system. You will not be able to upgrade Moonshot using your distribution's package manager. | WARN | Yes
5 | basic | Moonshot Signing Key | Debian, Ubuntu: check apt-key list for the Moonshot signing key. RHEL, CentOS, SL: check the RPM GPG keyring for the Moonshot signing key. | The Moonshot repository key is not installed; you will have difficulty updating packages. | WARN | Yes
6 | basic | Current version | Debian, Ubuntu: using apt-get install, determine pending updates from the Moonshot repository. RHEL, CentOS, SL: using yum install, determine pending updates from the Moonshot repository. | You are not running the latest version of the Moonshot software. | WARN | Yes
7 | rp | /etc/radsec.conf | Check that /etc/radsec.conf exists. | /etc/radsec.conf could not be found - you may not be able to communicate with your rp-proxy. | ERROR | Yes
8 | rp-proxy | APC | Check to see if port 2083 is open to ov-apc.moonshot.ja.net. | ov-apc.moonshot.ja.net does not seem to be accessible. Please check the server's network connection, and see status.moonshot.ja.net for any downtime or maintenance issues. | ERROR | Yes
9 | rp-proxy | Trust Router | Check to see if port 12309 is open to tr.moonshot.ja.net. | tr.moonshot.ja.net does not seem to be accessible. Please check the server's network connection, and see status.moonshot.ja.net for any downtime or maintenance issues. | ERROR | Yes
10 | rp-proxy | flatstore-users | Does /etc/moonshot/flatstore-users contain: | /etc/moonshot/flatstore-users could not be found, or does not contain all the user accounts it needs to. You may be unable to authenticate to the trust router. | ERROR | Yes
11 | rp-proxy | Trust Identity (FreeRADIUS) | Debian, Ubuntu: does /etc/freeradius/.local/share/moonshot-ui/identities.txt exist? RHEL, CentOS, SL: does /var/lib/radius/.local/share/moonshot-ui/identities.txt exist? | FreeRADIUS does not appear to be installed, or no home directory for the FreeRADIUS user could be found. You will not be able to authenticate to the trust router. No trust identity could be found for the freeradius user account. You will not be able to authenticate to the trust router. | ERROR | Yes
12 | idp | Port 2083 | Check to see if port 2083 is open on the current host. | Port 2083 appears to be closed. RPs will not be able to initiate connections to your IDP. | ERROR | Yes
13 | idp | Port 12309 | Check to see if port 12309 is open on the current host. | Port 12309 appears to be closed. The trust router will not be able to initiate connections to your IDP. | ERROR | Yes
14 | idp | flatstore-users | Does /etc/moonshot/flatstore-users contain: | /etc/moonshot/flatstore-users could not be found, or does not contain all the user accounts it needs to. You may be unable to authenticate to the trust router. | ERROR | Yes
15 | idp | Trust Identity (FreeRADIUS) | Debian, Ubuntu: does /etc/freeradius/.local/share/moonshot-ui/identities.txt exist? RHEL, CentOS, SL: does /var/lib/radiusd/.local/share/moonshot-ui/identities.txt exist? | FreeRADIUS does not appear to be installed, or no home directory for the FreeRADIUS user could be found. You will not be able to authenticate to the trust router. No trust identity could be found for the FreeRADIUS user account. You will not be able to authenticate to the trust router. | ERROR | Yes
16 | idp | Trust Identity (Trust Router) | Does /var/lib/trust_router/.local/share/moonshot-ui/identities.txt exist? | There either is no trustrouter user, or no home directory for the trustrouter user could be found. You will not be able to authenticate to the trust router. No trust identity could be found for the trustrouter user account. You will not be able to authenticate to the trust router. | ERROR | Yes
17 | client | gss/mech | Debian, Ubuntu: does /etc/gss/mech.d/moonshot-gss-eap.conf exist? macOS, RHEL, CentOS, SL: does /etc/gss/mech exist? Does it have permissions of 644, and does it contain the following lines: | The Moonshot mech file is missing; mech_eap.so will not be loaded. | ERROR | Yes
18 | ssh-client | GSSAPIAuthentication enabled | Using grep, verify that /etc/ssh/ssh_config has 'GSSAPIAuthentication' set to 'yes'. | GSSAPIAuthentication must be enabled for Moonshot to function when using SSH. | ERROR | Yes
19 | ssh-client | GSSAPIKeyExchange disabled | Linux only: using grep, verify that /etc/ssh/ssh_config has 'GSSAPIKeyExchange' set to 'no'. | GSSAPIKeyExchange should not be enabled for Moonshot to function correctly when using SSH. | WARN | Yes
20 | ssh-server | Privilege separation disabled | Using grep, verify that /etc/ssh/ssh_config has 'UsePrivilegeSeparation' set to 'no' (for versions before OpenSSH 6.5p1). | Moonshot currently requires that the OpenSSH server has privilege separation disabled. | ERROR | Yes
21 | ssh-server | GSSAPIAuthentication | Using grep, verify that /etc/ssh/ssh_config has 'GSSAPIAuthentication' set to 'yes'. | GSSAPIAuthentication must be enabled for Moonshot to function when using SSH. | ERROR | Yes
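The following is an added example, not the moonshot-readiness script itself, showing how the task structure described in the Structure section (parent tasks resolved before their children, FAIL versus WARN severity, a non-zero exit only for fatal failures) can be put together in plain sh, using tests 2, 18 and 19 from the table above as the checks. Task names and parents are taken from the Tasks table; everything else (function names, the constructed sample ssh_config, the choice of awk instead of bare grep) is an assumption of this example. The config checks take a file path as an argument so that they run here against a constructed sample rather than /etc/ssh/ssh_config.

```shell
#!/bin/sh
# Added example of the readiness-script structure; not the project's own code.
# Task names/parents follow the Tasks table; the sample config below is constructed.

# Parent of each task, from the Dependency column (basic has none).
task_parent() {
    case "$1" in
        basic) echo "" ;;
        client|rp) echo "basic" ;;
        rp-proxy|idp|ssh-server) echo "rp" ;;
        ssh-client) echo "client" ;;
        *) return 1 ;;   # unknown task
    esac
}

# Print the chain of tasks to run for $1, parents first (e.g.
# "basic client ssh-client"), so prerequisites are tested before children.
resolve_tasks() {
    chain=""; t="$1"
    while [ -n "$t" ]; do
        chain="$t${chain:+ $chain}"
        t=$(task_parent "$t") || return 1
    done
    printf '%s\n' "$chain"
}

# Test 2 (basic): succeed only if every named tool is on PATH.
have_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || return 1
    done
}

# First effective value of an ssh_config-style "Key value" (or "Key=value")
# setting in file $1, skipping comment lines. A bare grep for the keyword would
# also match the commented-out "#   GSSAPIAuthentication no" line that stock
# ssh_config files ship with; the comment filter is what avoids that.
# Host/Match blocks are ignored (assumption: the global setting is wanted).
config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # comment line
        { gsub(/=/, " ") }                        # re-split "Key=value" into fields
        !found && tolower($1) == tolower(key) { val = $2; found = 1 }
        END { if (found) print val }
    ' "$1"
}

# Tests 18/19: succeed only if key $2 in file $1 has the value $3.
check_setting() {
    [ "$(config_value "$1" "$2")" = "$3" ]
}

# Run one test and report it. Usage:
#   run_test "<title>" <FAIL|WARN> "<failure text>" <command> [args...]
# FAIL marks the run as fatal; WARN is recorded but leaves the exit status alone.
run_test() {
    title="$1"; severity="$2"; message="$3"; shift 3
    if "$@"; then
        printf '%s... [OKAY]\n' "$title"
    else
        printf '%s... [%s]\n' "$title" "$severity"
        failures="${failures}${title}: ${message}\n"
        if [ "$severity" = FAIL ]; then fatal=1; fi
    fi
    return 0
}

# Constructed sample client config standing in for /etc/ssh/ssh_config.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
Host *
#   GSSAPIAuthentication no
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
EOF

# Walk the dependency chain for ssh-client and run each task's checks
# (the client task carries no checks in this cut-down example).
# Returns 1 if any FAIL-severity test failed, 0 otherwise.
readiness_ssh_client() {
    failures=""; fatal=0
    for task in $(resolve_tasks ssh-client); do
        printf 'Testing task %s...\n' "$task"
        case "$task" in
            basic)
                run_test "Prerequisites" FAIL \
                    "One or more prerequisites for this test couldn't be found." \
                    have_tools awk grep ;;
            ssh-client)
                run_test "GSSAPIAuthentication" FAIL \
                    "Your SSH client is not configured for GSSAPI authentication. Moonshot will not work." \
                    check_setting "$SAMPLE_CONFIG" GSSAPIAuthentication yes
                run_test "GSSAPIKeyExchange" WARN \
                    "GSSAPIKeyExchange should not be enabled for Moonshot to function correctly when using SSH." \
                    check_setting "$SAMPLE_CONFIG" GSSAPIKeyExchange no ;;
        esac
    done
    printf 'Test complete, failed tests:\n%b' "$failures"
    return "$fatal"
}

readiness_ssh_client
```

Run as-is, the sample config yields OKAY for Prerequisites and GSSAPIAuthentication, WARN for GSSAPIKeyExchange, and exit status 0, since only FAIL-severity tests are fatal. The point of config_value over a plain grep is the commented-out `#   GSSAPIAuthentication no` line: a grep for the keyword would see it and could report the wrong value, whereas skipping comments and taking the first effective setting mirrors how OpenSSH itself reads the file.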
Dependencies
Dependency | Available | Usage
---|---|---
dig | `apt-get install dnsutils` | Tool for querying DNS servers. Forward query: `dig +short @dns.server.address address.to.query.com RECORD`; reverse query: `dig -x x.x.x.x +short @dns.server.address`
hostname | `apt-get install hostname` | Tool for querying the system hostname: `hostname -f`
apt | - | Tool for querying the apt package database. Configured repositories: `apt-cache policy`; pending updates: `apt-get -u upgrade --assume-no`
yum | - | Tool for querying the rpm package database. Configured repositories: `yum repolist`; pending updates: `yum check-update`