Hello,
I have some doubts related to how the Moonshot SSH server is managing
authorization. I will use the term username to refer to the identifier
in .gss_eap_id (e.g. [log in to unmask]), while I will use the term account to
refer to the account on the SSH server (i.e. alex@sshserver).
On my first tries, gss_userok failed no matter which username/account
combination I tried. I even created the [log in to unmask] account in the server
machine, with no luck.
Digging into the mailing list archive, I read about the <Attribute
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="local-login-user"/> option
in the attribute-map.xml file. That did the trick. Now gss_userok succeeds
when the account name matches the attribute
urn:oid:1.3.6.1.4.1.5923.1.1.1.7 included in the SAML Assertion from
the server.
Now, my question is: how can I map the local-login-user attribute to the
User-Name attribute from the Access-Accept? Moreover, can I make that
mapping hard-coded in the SSH server, in such a way that no matter who
you are, you end up in the guest@server account? I need these options
for situations where the AAA server is not sending a SAML Assertion
(e.g. an eduroam AAA server with no Moonshot support).
Best regards,
Alejandro
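For readers who want to see the attribute-map.xml entry mentioned above in context, here is a minimal, well-formed version of that file. This is an added illustration, not a file from the original post or from the Moonshot project; it assumes the Shibboleth attribute-map namespace (urn:mace:shibboleth:2.0:attribute-map) that attribute-map.xml files use, and the file location on the SSH server is whatever the local Moonshot installation is configured to read (not stated in the post).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration: the full attribute-map.xml wrapper around the
     local-login-user entry discussed in the post. The SAML attribute
     with OID 1.3.6.1.4.1.5923.1.1.1.7 in the assertion is exposed to
     the GSS-EAP mechanism under the id "local-login-user"; gss_userok
     then succeeds only when that value matches the requested SSH
     account name. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Maps the SAML attribute carrying the permitted local account
         name (value must equal the target account, e.g. "alex"). -->
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="local-login-user"/>

</Attributes>
```

Note that this mapping only takes effect when the AAA server actually includes the attribute in a SAML Assertion; the case of an Access-Accept without any assertion, which the post asks about, is not covered by this file alone.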