Hi again :),
now to continue a bit on Sami's mails, I'm working on the SSH server part of the same system. Let's hope I use the correct terminology.
So the scenario is as follows. A CentOS 6 sshd (compiled with Moonshot extensions) talks to our ORPS. When the authentication to the remote IdP is OK, the ORPS is configured to populate the CUI attribute in a response with a local user identity. This is done using a Perl module which maps the user based on the eppn found in the SAML.
For the sshd side I basically followed the link below for the Shibboleth configuration. I know it's old, but I haven't found a newer source for mapping the RADIUS attributes. The newer sources seem to use a SAML attribute for mapping instead.
http://www.project-moonshot.org/devwiki/ConfiguringRHEL/
If I do a simple gss-server and gss-client test with this config, it works great: I get the RADIUS attribute 89 as the user, and GSS is happy.
Now, when I try with SSH and debug, it seems to fail at (sshd debug output):
...
debug1: Got no client credentials
debug1: Got no client credentials
debug1: Got no client credentials
debug1: userok failed for khappone
From the ssh client side, it looks like it should work:
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware'
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=NL/O=TERENA/CN=TERENA SSL CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/OU=Domain Control Validated/CN=idp.csc.fi'
EAP-MSCHAPV2: Authentication succeeded
EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Now, does the CUI to local-login-user mapping still work as in the ConfiguringRHEL link?
If, instead of trying to map the CUI to local-login-user in Shibboleth, I took the SAML eppn attribute, did a transform, and populated local-login-user from that, ssh worked.
Cheers,
Kalle