GNOME on RHEL/CentOS/SL 6

GNOME is a desktop environment which is composed entirely of free and open-source software. See GNOME's website for more details.

Moonshot-enabling GNOME requires the use of pam_gss, a PAM module that brings Moonshot compatibility to PAM. Unfortunately, pam_gss necessarily has to work in a way that is not generally recommended with Moonshot - the client device is not under the direct control of the user, and with pam_gss the device is both the client and the server. The consequence of this is that the user's credentials (NAI and password) are exposed directly to a device which is not the user's. Thus, this should only be deployed where the implications and the risk are fully understood:

  • Deployers should understand that the credentials of users using the device could be exposed on that device.
  • Users should understand that their credentials could be exposed and should therefore only use this on devices managed by organisations they trust.

Due to the severity of this problem, the Moonshot project does not officially distribute pam_gss packages. Members of the community have made them available, however. The instructions on this page walk you through configuring GNOME using this community-provided code, but again - only do so if you understand the consequences.

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

1. System Preparation

1.1. Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to configure a RHEL 6 / CentOS 6 / Scientific Linux 6 client.

1.2. Install pam_gss

pam_gss is a PAM module written by Luke Howard (see the pam_gss homepage). The easiest way to install it on RHEL/CentOS/SL 6 is to use Stefan Paetow's pre-compiled pam_gss RPM, available via his Dropbox. Download the zip file, unzip, and install the RPM.

2. Installation Instructions

This software does not require any special installation instructions - install it as you normally would.

3. Configuration Instructions

We need to now configure the GDM PAM stack to try Moonshot authentication.

  1. Open /etc/pam.d/gdm-passwd for editing (you might want to make a backup of this file first).
  2. Before the "auth substack" part of the file, insert the following line:

    auth	sufficient	pam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18

  3. Restart GDM.
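As an added example (not from the Moonshot wiki or the pam_gss project), the following POSIX shell function performs steps 1 and 2 on a given PAM stack file: it backs the file up, then inserts the pam_gss line immediately before the first "auth substack" line, and skips the insert if the line is already present. The sample stack it is run against is constructed here for illustration; on a real system you would pass /etc/pam.d/gdm-passwd.

```shell
#!/bin/sh
# Added example, not part of the Moonshot wiki page.
# Builds the exact line from the page (tab-separated fields) without
# relying on literal tabs surviving copy and paste.
PAM_GSS_LINE=$(printf 'auth\tsufficient\tpam_gss.so ignore_unknown_user mech=1.3.6.1.5.5.15.1.1.18')

# insert_pam_gss FILE
#   Prints "already-present" and leaves FILE alone if pam_gss is configured,
#   prints "no-anchor" and returns 1 if FILE has no "auth substack" line,
#   otherwise writes FILE.bak, inserts the line before the first
#   "auth substack" entry and prints "inserted".
insert_pam_gss() {
    file="$1"
    if grep -q '^auth[[:space:]]\{1,\}sufficient[[:space:]]\{1,\}pam_gss\.so' "$file"; then
        echo already-present
        return 0
    fi
    if ! grep -q '^auth[[:space:]]\{1,\}substack' "$file"; then
        echo no-anchor
        return 1
    fi
    cp -p "$file" "$file.bak"
    awk -v line="$PAM_GSS_LINE" '
        !done && /^auth[[:space:]]+substack/ { print line; done = 1 }
        { print }
    ' "$file.bak" > "$file"
    echo inserted
}

# make_sample_stack FILE
#   Writes a constructed PAM stack shaped like a RHEL 6 gdm-passwd file
#   (sample data for the demonstration, not a copy of the real file).
make_sample_stack() {
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so' \
        'auth        substack      password-auth' \
        'account     include       password-auth' > "$1"
}
```

Running the function twice on the same file demonstrates the idempotence check: the second call reports "already-present" and does not touch the backup.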