Hi Martin,
1) pam_gss requires the newest krb5-devel you can dig up in the repository (I’ve not had any issues compiling it here), and on the system where you are using it, you need: krb5-libs, krb5-server and krb5-workstation v1.10.3-10.el6_4.6 (that’s what I have here, and pam_gss functions ok).

One thing to note... I have not been able to make pam_gss work with SSH (i.e. in the SSH PAM stack) – the password never makes it through (or is sent through garbled/encoded, I don’t know which). Of course, any progress anyone here makes in that regard will be helpful.
2) Is the OpenSSH you’re using the version in the repository? Check that you disable PasswordAuthentication and enable all four GSSAPI* options on the Moonshot version of sshd_config, then enable GSSAPIKeyExchange and GSSAPIAuthentication in ssh_config. Since you’re SSH’ing into the localhost, you already have Moonshot installed...

For both, make sure that the attribute-map.xml file in /etc/shibboleth maps one of the OIDs in your SAML-AAA-Assertion to local-login-user. Be careful about your choice because Shibboleth will use attribute-policy.xml to filter out attributes that do not conform to the policy in that file (some attributes are ‘scoped’, which, if they don’t match the scoping rule, will be removed).
:-)
Stefan
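As an added example (not code from Stefan's mail or from the Moonshot project), the following POSIX shell script checks an sshd_config and ssh_config for the settings listed in point 2: PasswordAuthentication disabled on the server, GSSAPIAuthentication and GSSAPIKeyExchange enabled on both sides, and no other GSSAPI* option left at "no". It runs against constructed sample configs written to a temporary directory; those paths and contents are assumptions for the demo, so point `check_moonshot_ssh` at your real /opt/moonshot/etc/sshd_config and /etc/ssh/ssh_config to use it.

```shell
#!/bin/sh
# Added example, not from the thread: verify the OpenSSH options Stefan lists.
# Paths and sample config contents below are constructed for the demo.

# Effective value of a keyword: OpenSSH honours the first uncommented
# occurrence, so we print the first match and stop. Assumes the
# "Keyword value" form (not "Keyword=value"); keyword match is case-insensitive.
cfg_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Any GSSAPI* keyword (other than the two checked explicitly) that is set to "no".
gssapi_disabled() {
    awk 'tolower($1) ~ /^gssapi/ && tolower($2) == "no" \
         && tolower($1) != "gssapiauthentication" \
         && tolower($1) != "gssapikeyexchange" { print $1 }' "$1"
}

# Check server and client config; report each problem and return the count
# as the exit status (0 means the config matches the recommendations).
check_moonshot_ssh() {
    sshd=$1; ssh=$2; fails=0
    [ "$(cfg_value "$sshd" PasswordAuthentication)" = no ] \
        || { echo "FAIL $sshd: PasswordAuthentication must be no"; fails=$((fails+1)); }
    for k in GSSAPIAuthentication GSSAPIKeyExchange; do
        [ "$(cfg_value "$sshd" "$k")" = yes ] \
            || { echo "FAIL $sshd: $k must be yes"; fails=$((fails+1)); }
        [ "$(cfg_value "$ssh" "$k")" = yes ] \
            || { echo "FAIL $ssh: $k must be yes"; fails=$((fails+1)); }
    done
    for k in $(gssapi_disabled "$sshd"); do
        echo "FAIL $sshd: $k is set to no"; fails=$((fails+1))
    done
    return $fails
}

# Constructed sample configs (not real files from any system).
tmp=$(mktemp -d)
cat > "$tmp/sshd_config.good" <<'EOF'
# Moonshot-style sshd_config (constructed sample)
Port 2222
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
EOF
cat > "$tmp/sshd_config.bad" <<'EOF'
# Stock-looking sshd_config (constructed sample): password auth on, GSSAPI off
#GSSAPIAuthentication yes
PasswordAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
EOF
cat > "$tmp/ssh_config.good" <<'EOF'
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
EOF

check_moonshot_ssh "$tmp/sshd_config.good" "$tmp/ssh_config.good" && echo "good config: OK"
check_moonshot_ssh "$tmp/sshd_config.bad" "$tmp/ssh_config.good" || echo "bad config: $? problem(s)"
```

The commented-out `#GSSAPIAuthentication yes` line in the "bad" sample is there deliberately: a stock sshd_config ships GSSAPI lines commented, and the check must not mistake a comment for an enabled option.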
From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Martin Hamilton
Sent: 04 October 2013 08:16
To: [log in to unmask]
Subject: Re: pam_gss vs pam_sss?
Sorry for the delayed action reply :-)
Two things:
Thing #1) - what should I be linking pam_gss with to get gss_localname? [on CentOS 6]
1380870339 2013 Oct  4 08:05:39 hera12 authpriv err sshd PAM unable to dlopen(/lib64/security/pam_gss.so): /lib64/security/pam_gss.so: undefined symbol: gss_localname

1380870339 2013 Oct  4 08:05:39 hera12 authpriv err sshd PAM adding faulty module: /lib64/security/pam_gss.so
Thing #2) - here's what I get if I have pam_sss enabled (for LDAP), Moonshot identity in ~/.gss_eap_id, and no PAM config for pam_gss
[root@hera12 comth]# /opt/moonshot/bin/ssh -vvvv -p 2222 -l "" localhost

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

debug1: Reading configuration data /etc/ssh/ssh_config
...
[root@hera12 pam_gss-master]# /opt/moonshot/sbin/sshd -ddd -p 2222 -f /opt/moonshot/etc/sshd_config
...
On 20 September 2013 00:59, Sam Hartman <[log in to unmask]> wrote:

You'd want pam_gss if you're trying to support Moonshot logins from
people not running the Moonshot software or Moonshot logins for console
access.

For normal Moonshot access via ssh you probably don't need to change the
pam config at all.
-- 

This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom