On further investigation I found the following issues:
(However 'Attribute local-login-user Authenticated Complete' is still
missing)
==========================================================================
This was missing from the guide:
/etc/shibboleth/shibboleth2.xml
<Extensions>
<Library path="plugins.so" fatal="true" />
</Extensions>
A list of installed plugins follows:
[root@sci-ws006 ~]# ls -lR /opt/moonshot/lib64/shibboleth
/opt/moonshot/lib64/shibboleth:
total 492
-rwxr-xr-x. 1 root root 94312 Oct 6 14:40 adfs-lite.so
-rwxr-xr-x. 1 root root 151896 Oct 6 14:40 adfs.so
-rwxr-xr-x. 1 root root 125728 Oct 6 14:40 mod_shib_22.so
-rwxr-xr-x. 1 root root 58824 Oct 6 14:40 odbc-store.so
-rwxr-xr-x. 1 root root 58264 Oct 6 14:40 plugins.so
===========================================================================
Adam's list of things to check:
Checked OK: UsePrivilegeSeparation no
Checked OK: * SELinux is permissive or disabled
NOT OK: * The user moonshot exists on the system
* Connecting with a null username ( /opt/moonshot/bin/ssh -l "" ... )
username was defined as not defined in the .ssh/config file
but it might not have worked as intended,
after
a) overriding the config file username with: -l ""
b) creating a local unix moonshot account with no password
The result was the login is successful
AND the login prompt changes to: moonshot@sci-ws006
as shown below:
[steve@sci-ws006 ~]$ /opt/moonshot/bin/ssh -l "" moonbase
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
[moonshot@sci-ws006 ~]$
==============================================================================
Re-running gss_client:
/opt/moonshot/bin/gss-client -spnego 127.0.0.1 host@localhost bar
has not been improved by the changes:
'Attribute local-login-user Authenticated Complete' is still missing
==============================================================================
context flag: GSS_C_MUTUAL_FLAG
context flag: GSS_C_REPLAY_FLAG
context flag: GSS_C_SEQUENCE_FLAG
context flag: GSS_C_CONF_FLAG
context flag: GSS_C_INTEG_FLAG
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:1
Authenticated Complete
steve
7374657665
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:79
Authenticated Complete
03060004
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:80
Authenticated Complete
b724dc9b2f7d145ce86b049117d3bac2
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:89
Authenticated Complete
moonshot
6d6f6f6e73686f74
Accepted connection: "steve"
Received message: "bar"
NOOP token
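
A check for the symptom reported in this message, as an added example (not part of the original e-mail or of the Moonshot tools): it parses the attribute dump shown above, decodes each hex value, and reports whether `local-login-user` is present. The function names are hypothetical, and the parser assumes the output layout seen in this message.

```python
import re

# The attribute dump from the message above, copied with its e-mail wrapping.
SAMPLE = """\
context flag: GSS_C_INTEG_FLAG
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:1
Authenticated Complete
steve
7374657665
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:79
Authenticated Complete
03060004
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:80
Authenticated Complete
b724dc9b2f7d145ce86b049117d3bac2
Attribute urn:ietf:params:gss-eap:radius-avp urn:x-radius:89
Authenticated Complete
moonshot
6d6f6f6e73686f74
Accepted connection: "steve"
"""

# Assumption: every attribute is reported as "Attribute <name> Authenticated
# Complete", as in the message; the header may be wrapped across lines.
ATTR_RE = re.compile(
    r"Attribute\s+(?P<name>.+?)\s+Authenticated\s+Complete\s+"
    r"(?P<body>.*?)(?=Attribute\s|Accepted connection|\Z)", re.S)
HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")


def parse_attributes(text):
    """Return {attribute name: raw value bytes} for each attribute listed."""
    attrs = {}
    for m in ATTR_RE.finditer(text):
        name = " ".join(m.group("name").split())  # undo line wrapping
        tokens = m.group("body").split()
        # The last token of each entry is the hex dump of the value.
        is_hex = bool(tokens) and HEX_RE.fullmatch(tokens[-1])
        attrs[name] = bytes.fromhex(tokens[-1]) if is_hex else b""
    return attrs


def has_local_login_user(text):
    """True only if the dump contains a local-login-user attribute."""
    return "local-login-user" in parse_attributes(text)


if __name__ == "__main__":
    for name, raw in parse_attributes(SAMPLE).items():
        print(f"{name} = {raw!r}")
    print("local-login-user present:", has_local_login_user(SAMPLE))
```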