As with the previous email, these instructions have been put together over the last month or so, and they've been shared with JANET, it's just getting them online once the appropriate parties have the time to:
Unfortunately, the CentOS version of OpenSSH is 5.3, while the version used by Moonshot currently is OpenSSH 5.9 and the required patching for 5.3 is not yet available.
So, you must build OpenSSH from scratch:
# yum install gcc openssl-devel pam-devel rpm-build autoconf automake gtk2-devel libX11-devel audit-libs-devel tcp_wrappers-devel fipscheck-devel openldap-devel libedit-devel ncurses-devel nss-devel
Change to the ~/rpmbuild/SOURCES/ directory (if necessary, create the directory). Then download the official CentOS OpenSSH source at http://vault.centos.org/6.4/os/Source/SPackages/openssh-5.3p1-84.1.el6.src.rpm
Run the following command to extract the source:
# rpm -ivh openssh-5.3p1-84.1.el6.src.rpm
Grab copies of the Moonshot patches for OpenSSH at https://www.dropbox.com/sh/sbqyy7gvzrd3egt/azlTLKkRBc and copy them into ~/rpmbuild/SOURCES/:
* openssh-nulluser.patch
* openssh-gssapi-generic.patch
Grab the Moonshot version of the SPEC file for OpenSSH at https://www.dropbox.com/sh/sbqyy7gvzrd3egt/azlTLKkRBc and copy it into ~/rpmbuild/SPECS/, overwriting the existing copy:
* openssh.spec
Then change to ~/rpmbuild/SPECS and execute:
# rpmbuild -bb openssh.spec
Once the build was successful, you should have the following files in ~/rpmbuild/RPMS/x86_x64/:
openssh-5.3p1-53.moonshot1.el6.2.x86_64.rpm
openssh-askpass-5.3p1-53.moonshot1.el6.2.x86_64.rpm
openssh-clients-5.3p1-53.moonshot1.el6.2.x86_64.rpm
openssh-ldap-5.3p1-53.moonshot1.el6.2.x86_64.rpm
openssh-server-5.3p1-53.moonshot1.el6.2.x86_64.rpm
pam_ssh_agent_auth-0.9.3-53.moonshot1.el6.2.x86_64.rpm
To install this build, you must first remove the existing installation of OpenSSH (save your configurations first):
# yum erase openssh openssh-askpass openssh-clients openssh-ldap openssh-server pam_ssh_agent_auth
To install your packages, execute:
# rpm -Uvh ~/rpmbuild/RPMS/x86_64/openssh*rpm
Restore your backed-up configurations.
Check that /etc/ssh/sshd_config has the following lines set (and uncommented):
* PasswordAuthentication no
* UsePrivilegeSeparation no
* GSSAPIAuthentication yes
* *GSSAPIStrictAcceptorCheck yes
* This setting can be set to "no" to be able to use a short name with SSH. We set it to "yes" to force FQDN usage.
Check that /etc/ssh/ssh_config has the following lines set (and uncommented):
* GSSAPIKeyExchange yes
* GSSAPIAuthentication yes
If necessary, enable these lines by removing the comment. Restart the OpenSSH daemon. Done!
To test:
To test that OpenSSH works correctly, you should run the OpenSSH daemon in debug mode to see what it does.
You must have a local test user you can verify with FreeRADIUS:
* In the standard Configuring Moonshot on CentOS instructions, the user is steve
* The standard Project Moonshot user is moonshot
If the user does not exist, create it with either useradd -m or the appropriate user management utility. The password for them all is not really relevant because it will not be used.
Open a new terminal window and issue the following commands:
# service sshd stop
Stopping sshd: [ OK ]
# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
In another terminal window, first check ~/.gss_eap_id to match the appropriate credentials to test:
* In the standard DLS and Project Moonshot instructions, these are steve / testing
Then issue this command:
# ssh -l "local_test_user" your_local_host_name
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 501/100
:
:
:
#
You should be logged in. Issue the following command:
# whoami
local_test_user
#
After you log out, your terminal in which you issued the sshd commands, will show the entire authentication conversation, including several references to your local test user. You can then restart your OpenSSH daemon with the service sshd start command.
And with that, your test is complete and your OpenSSH setup ready for Moonshot!
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
|